Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

Cyber Security Threat Summary:
Cybersecurity firm Deep Instinct has uncovered a new JavaScript dropper, dubbed PindOS, that is being used to deliver next-stage payloads like BumbleBee and IcedID, both of which are loaders that have also been leveraged to deploy other malware on hosts, including ransomware. “Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including that of Conti, Emotet, and IcedID. Deep Instinct's source code analysis of PindOS shows that it contains comments in Russian, raising the possibility of a continued partnership between the e-crime groups” (The Hacker News, 2023).

According to researchers, PindOS is a simple loader that consists of a single function, “exec,” which takes four parameters:

  • “UserAgent” – The user-agent string to be used when downloading Bumblebee’s .DLL
  • “URL1” – First address to download from
  • “URL2” – Second address to download from
  • “RunDLL” – Payload .DLL exported function to call

“When executed, the dropper will attempt to download the payload initially from URL1 and execute it by calling on the specified export directly via rundll32.exe. If this fails, the dropper will attempt to download the payload from URL2 and execute it using a combination of PowerShell and rundll32.exe,” noted researchers.

Notably, the retrieved payloads are generated pseudo-randomly, so every fetch yields a sample with a new hash. Because the hash changes on each download, the payload evades signature-based detection.
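Because each downloaded payload carries a fresh hash, a defender has to key on behaviour rather than file signatures. The following added example (not code from the report or from Deep Instinct) flags the two execution paths described above, rundll32.exe launched directly by the dropper and rundll32.exe launched through a PowerShell fallback, over constructed Sysmon-style process-creation records; it assumes the JavaScript dropper runs under Windows Script Host (wscript.exe/cscript.exe), which the report does not state, and the DLL path and export name are made-up placeholders.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (pid, ppid, image, cmdline).
# Made-up sample records for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 12, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 512, "ppid": 400, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\Downloads\invoice.js"},
    # Path 1: dropper calls the payload export straight through rundll32.exe.
    {"pid": 520, "ppid": 512, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\x1.dll,ExportedEntry"},
    # Path 2: dropper falls back to PowerShell, which then runs rundll32.exe.
    {"pid": 530, "ppid": 512, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command <constructed stage-2 fallback>"},
    {"pid": 531, "ppid": 530, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\x2.dll,ExportedEntry"},
    # Benign rundll32.exe from explorer.exe: must not be flagged.
    {"pid": 600, "ppid": 400, "image": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # assumption: JS dropper runs under WSH
EXPORT_CALL = re.compile(r"\.dll\s*,\s*\w+", re.IGNORECASE)  # "<path>.dll,<Export>"


def ancestry(event, by_pid, depth=3):
    """Return image names of the parent chain, nearest first, up to `depth` levels."""
    chain, cur = [], event
    for _ in range(depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            break
        chain.append(cur["image"].lower())
    return chain


def find_script_host_rundll32(events):
    """Flag rundll32.exe export calls that descend from a script host, directly or via PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "rundll32.exe" or not EXPORT_CALL.search(e["cmdline"]):
            continue
        chain = ancestry(e, by_pid)
        if chain and chain[0] in SCRIPT_HOSTS:
            alerts.append((e["pid"], "rundll32 export call spawned directly by script host"))
        elif len(chain) >= 2 and chain[0] == "powershell.exe" and chain[1] in SCRIPT_HOSTS:
            alerts.append((e["pid"], "rundll32 export call via PowerShell spawned by script host"))
    return alerts


if __name__ == "__main__":
    for pid, reason in find_script_host_rundll32(SAMPLE_EVENTS):
        print(pid, reason)
```

The benign explorer.exe-launched rundll32.exe record is included to show that the rule keys on the parent chain, not on rundll32.exe alone.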

Security Officer Comments:
Although there are certainly similarities, it is hard to ascertain whether the actors behind BumbleBee and IcedID are also responsible for developing PindOS. BumbleBee has relied on PowerShell until now, so the switch to the JavaScript-based PindOS to deploy it could be a deliberate change in the actor’s TTPs to avoid detection by anti-virus solutions. According to VirusTotal, PindOS samples observed so far have mostly received very low detection rates, with only 2 out of 59 security vendors flagging the droppers as malicious.

Suggested Correction(s):
These types of malware are typically delivered via phishing emails containing malicious ZIP or ISO attachments. As such, users should adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

Link(s):
https://thehackernews.com/2023/06/powerful-javascript-dropper-pindos.html