New PindOS Javascript Dropper Deploys Bumblebee, Icedid Malware
Cyber Security Threat Summary:
Researchers have identified a novel malicious tool referred to as PindOS. This tool acts as a delivery mechanism for the Bumblebee and IcedID malware, which are commonly associated with ransomware attacks. PindOS operates as a JavaScript malware dropper, seemingly designed with the sole purpose of retrieving subsequent-stage payloads that ultimately deliver the perpetrators’ final malicious payload.
“In a report from cybersecurity company DeepInstinct, researchers note that the new PindOS malware dropper has only one function that comes with four parameters for downloading the payload, be it Bumblebee or the IcedID banking trojan that turned malware loader. The JavaScript dropper comes in obfuscated form but once decoded, it reveals how “surprisingly simple” it is. Its configuration includes the option to define a user agent to download a DLL payload, two URLs where the payload is stored (“URL1” and “URL2”), and the RunDLL parameter for the payload DLL exported function to call. The researchers note that the second URL parameter is a redundancy that PindOS uses when it cannot retrieve the payload from the first URL, and then tries to execute it by combining PowerShell commands and Microsoft’s rundll.exe, which adversaries use frequently to launch malicious code. PindOS downloads the payload to “%appdata%/Microsoft/Templates/” as a DAT file with six random numbers as a name. Malware samples are generated “on-demand,” the researchers say, so each of them has a different hash when retrieved. This is a common tactic to avoid signature-based detection mechanisms. However, the samples are written to disk and in the case of Bumblebee this is a step back from executing them in memory, thus making them susceptible to detection, despite the different hash, due to other markers associated with the malware” (Bleeping Computer, 2023).
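The on-disk behaviour quoted above (a six-digit .dat payload under %appdata%\Microsoft\Templates, handed to rundll32 via PowerShell) is exactly the kind of host artifact that survives per-download hash changes. The following detection logic is an added example written for this summary, not code from DeepInstinct or Bleeping Computer; the log line format, the sample events and the exact shape of the rundll32 command line are constructed assumptions, while the path pattern comes from the report.

```python
import re

# Constructed process-creation events (hypothetical, not real telemetry).
# Format: "<timestamp> image=<exe> cmdline=<command line>".
SAMPLE_EVENTS = [
    r'2023-06-27T10:01:02Z image=powershell.exe cmdline=powershell rundll32 C:\Users\bob\AppData\Roaming\Microsoft\Templates\483920.dat,DllRegisterServer',
    r'2023-06-27T10:01:03Z image=rundll32.exe cmdline=rundll32 C:\Users\bob\AppData\Roaming\Microsoft\Templates\483920.dat,DllRegisterServer',
    r'2023-06-27T10:05:00Z image=rundll32.exe cmdline=rundll32 C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'2023-06-27T10:06:00Z image=rundll32.exe cmdline=rundll32 C:\Users\bob\AppData\Roaming\Microsoft\Templates\notes.dat,Start',
]

EVENT_RE = re.compile(r'^(?P<ts>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$')

# Payload location described in the report: %appdata%\Microsoft\Templates\<6 digits>.dat.
# Accept both the expanded Roaming path and the literal %appdata% variable.
PINDOS_PATH_RE = re.compile(
    r'(?:%appdata%|AppData\\Roaming)\\Microsoft\\Templates\\\d{6}\.dat\b', re.IGNORECASE)
# rundll32 being handed a module that does not end in .dll is unusual on its own.
RUNDLL_NON_DLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^\s,"]+\.(?!dll\b)[a-z0-9]+)"?\s*,', re.IGNORECASE)


def classify_event(line):
    """Return (severity, reason) for one log line, or None if nothing matches."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    image, cmdline = m['image'].lower(), m['cmdline']
    if image not in ('rundll32.exe', 'powershell.exe'):
        return None
    if PINDOS_PATH_RE.search(cmdline):
        return ('high', 'six-digit .dat under Microsoft\\Templates passed to rundll32/PowerShell')
    if image == 'rundll32.exe' and RUNDLL_NON_DLL_RE.search(cmdline):
        return ('medium', 'rundll32 loading a module without a .dll extension')
    return None


def find_suspicious(lines):
    """Scan log lines and return a list of (line_index, severity, reason)."""
    hits = []
    for i, line in enumerate(lines):
        verdict = classify_event(line)
        if verdict:
            hits.append((i, *verdict))
    return hits


if __name__ == '__main__':
    for idx, sev, why in find_suspicious(SAMPLE_EVENTS):
        print(f'[{sev}] line {idx}: {why}')
```

The medium tier deliberately catches any non-.dll module given to rundll32 so that a renamed payload outside the reported directory still surfaces for triage.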
Security Officer Comments:
Upon its initial emergence, PindOS managed to evade detection to a significant extent. When it first appeared on May 20th, fewer than five antivirus engines on VirusTotal identified the JavaScript as malicious. Although DeepInstinct has since found that most of the samples are detected by approximately two dozen products on VirusTotal, a portion of the samples remains undetected by the majority of antivirus engines, with as few as six to 14 engines flagging the presence of malicious code. Given these detection rates, it is evident that PindOS possesses the ability to infiltrate systems covertly and deliver payloads. Even if the operators of Bumblebee or IcedID choose not to adopt PindOS, it may gain popularity among other threat actors who seek to exploit its stealthy capabilities.
Suggested Correction(s):
Researchers at DeepInstinct have published IOCs associated with Bumblebee and IcedID that can be used for detection:
https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid
Link(s):
https://www.bleepingcomputer.com/