
Credit: TEHTRIS
A new analysis from the TEHTRIS Threat Intelligence team details the resurgence of LegionLoader, a sophisticated malware downloader also known as Satacom, CurlyGate, and RobotDropper. This malware has been operating in the shadows, steadily gaining traction and accumulating over 2,000 samples in just a few weeks.
According to TEHTRIS researchers, “VirusTotal (VT) retro-hunting and live-hunting have allowed us to uncover an ongoing campaign using LegionLoader that appears to have kicked off on December 19, 2024.”
The campaign is global, but Brazil has been identified as the most affected country, accounting for approximately 10% of all submissions.
LegionLoader primarily spreads through drive-by downloads: victims browsing compromised or illicit sites are redirected to pages that push the malicious download. TEHTRIS notes that the distributors rely on illegal download platforms and other insecure websites to redirect unsuspecting users.
The malicious pages are usually taken down within a few hours. In almost every case they redirect the user to a Mega share hosting a single ZIP file.

Each ZIP archive contains a password-protected 7-Zip archive, which keeps automated analysis tools from inspecting the payload, together with an image file that displays the extraction password. The victim is thus led to unpack and run the malware by hand.
LegionLoader itself is delivered as an MSI (Microsoft Installer) file, so execution requires user interaction. The VT detection rate for these MSI files ranges from 3 to 9 out of 60 engines, showing that the installer slips past most traditional antivirus solutions.
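As an added triage example (my own code, not TEHTRIS's), the script below inspects an outer ZIP for the layout described above, one password-protected 7-Zip archive plus an image carrying the password, and types each member by its magic bytes rather than its file extension, so a renamed archive is still recognised. The sample archive it builds, and the member names inside it, are constructed for the demonstration and are not from the real campaign.

```python
"""Triage an outer ZIP for the LegionLoader lure layout: one password-protected
7-Zip (or RAR) archive plus an image that shows the extraction password.
Members are typed by magic bytes, never by extension."""
import io
import zipfile

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
RAR_MAGIC = b"Rar!\x1a\x07"
ZIP_MAGIC = b"PK\x03\x04"
IMAGE_MAGICS = {"png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
ARCHIVE_KINDS = {"7z", "rar", "zip"}
# Extensions that legitimately carry each detected kind.
EXPECTED_EXT = {"7z": {"7z"}, "rar": {"rar"}, "zip": {"zip"},
                "png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}}


def classify(head: bytes) -> str:
    """Return the container type implied by the first bytes of a member."""
    if head.startswith(SEVENZIP_MAGIC):
        return "7z"
    if head.startswith(RAR_MAGIC):
        return "rar"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    for kind, magic in IMAGE_MAGICS.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def triage_zip(zip_bytes: bytes) -> dict:
    """Describe every member and flag the archive-plus-password-image pattern."""
    members = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # bit 0: member is encrypted
            if encrypted:
                kind = "encrypted"  # header unreadable without the password
            else:
                with zf.open(info) as fh:
                    kind = classify(fh.read(16))
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            members.append({
                "name": info.filename,
                "size": info.file_size,
                "kind": kind,
                "encrypted": encrypted,
                # A .jpg that is really a 7z (or vice versa) deserves a second look.
                "ext_mismatch": kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind],
            })
    archives = [m for m in members if m["kind"] in ARCHIVE_KINDS]
    images = [m for m in members if m["kind"] in IMAGE_MAGICS]
    # Exactly one inner archive, at least one image, and nothing much else.
    lure = len(archives) == 1 and len(images) >= 1 and len(members) <= 3
    return {"members": members, "lure_pattern": lure}


def build_sample_lure() -> bytes:
    """Constructed stand-in for the outer ZIP (not a real LegionLoader sample):
    a stub 7z body and a stub PNG; the member names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Setup_v2.7z", SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 64)
        zf.writestr("password.png", IMAGE_MAGICS["png"] + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_lure())
    for m in report["members"]:
        print(f"{m['name']:<16} {m['kind']:<6} {m['size']:>5} B  mismatch={m['ext_mismatch']}")
    print("lure pattern:", report["lure_pattern"])
```

The outer ZIP is deliberately not encrypted (the victim must be able to open it and see the password image), so the script can read member headers; the inner 7-Zip is what carries the password, and that is where automated extraction stops unless the tooling OCRs the image.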
The MSI file incorporates two anti-sandbox mechanisms:
- A fake CAPTCHA prompt labeled “Please verify that you are not a robot”, which stalls any sandbox that cannot click through it.
- Virtual-machine detection provided by Advanced Installer, the tool used to build the MSI. Because the check lives in the MSI's own tables, an analyst can remove it with Orca, Microsoft's MSI table editor, before detonating the sample.
Upon execution, the installer extracts multiple files into the %APPDATA% directory, including:
- Legitimate (clean) DLLs and executables
- A password-protected archive named iwhgjds.rar
- UnRar.exe, used to extract the Stage 1 payload (obs.dll) from that archive
A password hardcoded in the MSI is passed to UnRar.exe to unpack the archive; the legitimate obsffmpegmux.exe then loads the malicious obs.dll from the same directory, a classic DLL sideload.
The obs.dll payload is designed to evade detection. TEHTRIS states: “The exports of this DLL are largely empty. Using scripting in IDA, we identified four exports containing code; however, these appear to be largely nonsensical and intended primarily to waste an analyst’s time.”
Using BinDiff, the researchers compared multiple obs.dll samples and found them functionally identical, differing only in the embedded Stage 2 payloads and compilation artifacts.
Dynamic analysis showed obs.dll decrypting shellcode that in turn launches a second-stage executable.
Stage 2 of the infection chain is responsible for contacting hardcoded C2 domains. However, at the time of TEHTRIS' analysis all identified C2 servers were inactive, which limited further investigation.
If every stage succeeds, LegionLoader attempts to run a final payload via rundll32. It downloads an additional file, copies it into a randomly named directory under %TMP%, and launches it under the name svchost.exe using ShellExecuteA.
Because rundll32.exe is involved, TEHTRIS suspects the final payload is a malicious DLL, though its purpose remains unknown while the C2 infrastructure is offline.
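The chain above gives defenders several behaviours to key on rather than file hashes: an installer dropping and running UnRar.exe from %APPDATA%, a clean executable loading a DLL from its own user-writable directory, rundll32.exe pointed at a module under %TMP%, and a process named svchost.exe that does not live in System32. The following is an added example (my own code, not TEHTRIS's) of those rules run over a handful of constructed Sysmon-style events; the user name, the %TMP% subdirectory name, the rundll32 module name and the parent-process relationships are assumptions, since the page does not give them.

```python
"""Behaviour rules for the LegionLoader chain, run over constructed
Sysmon-style process-creation and image-load events (not real telemetry)."""
import re
from pathlib import PureWindowsPath

# %TMP% on a default Windows profile, or the variable itself in a command line.
TMP_PATH = re.compile(r"(\\appdata\\local\\temp\\|%te?mp%)", re.I)


def _parts(path: str) -> list:
    return [p.lower() for p in PureWindowsPath(path).parts]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable(path: str) -> bool:
    """%APPDATA%, %LOCALAPPDATA% and %TMP% all sit under ...\\AppData\\..."""
    parts = _parts(path)
    return "appdata" in parts or "temp" in parts


def in_system_dir(path: str) -> bool:
    parts = _parts(path)
    return len(parts) >= 4 and parts[1] == "windows" and parts[2] in ("system32", "syswow64")


def rule_unrar_drop(ev):
    """Stage 0: the MSI drops UnRar.exe into %APPDATA% and runs it on iwhgjds.rar."""
    if ev["type"] != "process" or _name(ev["image"]) != "unrar.exe":
        return None
    if in_user_writable(ev["image"]) or _name(ev.get("parent_image", "")) == "msiexec.exe":
        return f"UnRar.exe run from {ev['image']} (parent {ev.get('parent_image')})"
    return None


def rule_dll_sideload(ev):
    """Stage 1: a clean EXE in a user-writable dir loads a DLL from its own directory
    (obsffmpegmux.exe -> obs.dll)."""
    if ev["type"] != "image_load":
        return None
    host, dll = PureWindowsPath(ev["image"]), PureWindowsPath(ev["loaded"])
    if (dll.suffix.lower() == ".dll" and in_user_writable(ev["image"])
            and str(host.parent).lower() == str(dll.parent).lower()):
        return f"{host.name} sideloaded {dll.name} from {dll.parent}"
    return None


def rule_rundll32_tmp(ev):
    """Final stage: rundll32.exe handed a module that lives under %TMP%."""
    if ev["type"] != "process" or _name(ev["image"]) != "rundll32.exe":
        return None
    if TMP_PATH.search(ev.get("cmdline", "")):
        return f"rundll32.exe loading module from %TMP%: {ev['cmdline']}"
    return None


def rule_svchost_masquerade(ev):
    """Final stage: a process called svchost.exe that is not the real one in System32."""
    if ev["type"] != "process" or _name(ev["image"]) != "svchost.exe":
        return None
    if not in_system_dir(ev["image"]):
        return f"svchost.exe masquerade at {ev['image']}"
    return None


RULES = [rule_unrar_drop, rule_dll_sideload, rule_rundll32_tmp, rule_svchost_masquerade]


def detect(events):
    """Return (rule name, detail) for every event that trips a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


# Constructed sample events. "victim", "k3j9x", "payload.dll,#1" and the parent
# relationships are invented; the file names UnRar.exe, iwhgjds.rar,
# obsffmpegmux.exe and obs.dll are the ones TEHTRIS reports.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\victim\AppData\Roaming\UnRar.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe", "cmdline": "UnRar.exe x iwhgjds.rar"},
    {"type": "image_load", "image": r"C:\Users\victim\AppData\Roaming\obsffmpegmux.exe",
     "loaded": r"C:\Users\victim\AppData\Roaming\obs.dll"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\obsffmpegmux.exe",
     "cmdline": r"rundll32.exe C:\Users\victim\AppData\Local\Temp\k3j9x\payload.dll,#1"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\k3j9x\svchost.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\obsffmpegmux.exe", "cmdline": "svchost.exe"},
    # Benign noise that must not fire.
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "image_load", "image": r"C:\Program Files\Example\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule_name, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule_name}] {detail}")
```

The sideload rule is the one worth tuning: plenty of legitimate portable applications load their own DLLs from a user-writable directory, so in production it should be scoped to signed host binaries loading unsigned DLLs, or to host executables that were themselves written by an installer minutes earlier.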
Users should avoid downloading software from untrusted sources, and defenders should rely on behavior-based detection (archive extraction launched by an installer, DLL sideloading from %APPDATA%, rundll32 or a fake svchost.exe running from %TMP%) rather than signatures alone, given the low VT detection rates of the installers.