Security researchers are warning about a new malware loader known as Verblecon, which is sophisticated and robust enough to support ransomware and espionage operations but is currently being used in low-reward attacks. Despite having been in circulation for more than a year, Verblecon samples have a low detection rate, which the researchers attribute to the polymorphic structure of the code.
Verblecon was discovered in January 2022 by researchers at Symantec, a division of Broadcom Software, who observed it being used in attacks that installed cryptocurrency miners on infected machines. According to the researchers, some indicators suggest the attacker also wants to obtain access tokens for the Discord chat application. Both goals contrast with Verblecon's realistic potential for considerably more damaging attacks.
The malware is Java-based, and its polymorphic nature allows it to infect vulnerable computers and remain undetected in many cases. The researchers analysed five Verblecon samples and found that many antivirus engines on VirusTotal do not flag them as malicious. The oldest sample was first submitted to the database on October 16, 2021, and nine of 56 antivirus engines now detect it; the newer payloads, checked in late January 2022, are almost entirely missed by the engines on VirusTotal.
Symantec's technical dissection of the malware and its capabilities notes that the examined samples "were fully obfuscated, in the code flow, strings, and symbols," and that they may be based on publicly available code. According to the findings, the malware runs a series of checks to determine whether it is executing inside a virtual environment or under a debugger: the list of running processes is compared against a predefined catalog of file names (executables, dependencies, and drivers) associated with virtual machine software, and execution continues only if none of them are present.
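The process-list comparison described above, written out as an added example. This is not Verblecon's code and not taken from Symantec's report: the artifact catalogs below are well-known guest-tooling and analysis-tool file names chosen for the demonstration (the exact list the loader carries is not given on the page), and the two process snapshots are constructed rather than captured. Running it on a detonation VM shows whether a loader using this kind of check would bail out before ever contacting its C2.

```python
"""Illustrative VM/debugger process check of the kind the report describes.

Added example: not Verblecon's code and not from Symantec's report. The
catalogs are well-known guest-tooling and analysis-tool file names picked
for the demo; the loader's actual list is not published on the page. The
two process snapshots are constructed, not captured from real hosts.
"""
from __future__ import annotations

import glob
import subprocess
import sys
from typing import Iterable

# File names of VM guest agents, tray helpers and drivers (VMware, VirtualBox,
# QEMU, Parallels, Xen). Any of these running is a strong virtualization signal.
VM_ARTIFACTS = frozenset({
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "vmacthlp.exe",
    "vmmouse.sys", "vmhgfs.sys",
    "vboxservice.exe", "vboxtray.exe", "vboxguest.sys", "vboxmouse.sys",
    "qemu-ga.exe", "prl_cc.exe", "prl_tools.exe", "xenservice.exe",
})

# Debuggers and analysis tools an anti-debug check typically looks for.
DEBUGGER_ARTIFACTS = frozenset({
    "ollydbg.exe", "x64dbg.exe", "x32dbg.exe", "windbg.exe",
    "ida.exe", "ida64.exe", "procmon.exe", "procexp.exe", "wireshark.exe",
})


def find_artifacts(process_names: Iterable[str], catalog: frozenset[str]) -> list[str]:
    """Return the catalog entries present in the snapshot (case-insensitive, sorted)."""
    seen = {name.strip().lower() for name in process_names}
    return sorted(seen & catalog)


def loader_would_proceed(process_names: Iterable[str]) -> bool:
    """Mirror the decision the report describes: move on to the copy/persist
    stage only when no VM or debugger artifact is among the running processes."""
    return not find_artifacts(list(process_names), VM_ARTIFACTS | DEBUGGER_ARTIFACTS)


def live_process_names() -> list[str]:
    """Best-effort process list for the current host: psutil when installed,
    otherwise `tasklist` on Windows or /proc on Linux."""
    try:
        import psutil  # optional third-party dependency
        return [p.info["name"] for p in psutil.process_iter(["name"]) if p.info["name"]]
    except ImportError:
        pass
    if sys.platform.startswith("win"):
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True, check=False).stdout
        return [line.split('","')[0].strip('"') for line in out.splitlines() if line.startswith('"')]
    names = []
    for comm in glob.glob("/proc/[0-9]*/comm"):
        try:
            with open(comm) as fh:
                names.append(fh.read().strip())
        except OSError:  # process exited between listing and read
            continue
    return names


# Constructed snapshots for the demo (not real host data).
ANALYSIS_VM_PROCESSES = ["System", "smss.exe", "csrss.exe", "explorer.exe",
                         "VBoxService.exe", "VBoxTray.exe", "x64dbg.exe", "svchost.exe"]
BARE_METAL_PROCESSES = ["System", "smss.exe", "csrss.exe", "explorer.exe",
                        "svchost.exe", "OneDrive.exe", "chrome.exe"]

if __name__ == "__main__":
    for label, snapshot in (("analysis VM", ANALYSIS_VM_PROCESSES),
                            ("bare metal", BARE_METAL_PROCESSES),
                            ("this host", live_process_names())):
        hits = find_artifacts(snapshot, VM_ARTIFACTS | DEBUGGER_ARTIFACTS)
        print(f"{label}: artifacts={hits or 'none'}, loader proceeds={loader_would_proceed(snapshot)}")
```

If the script reports artifacts on your sandbox, a loader with this check would stop before the copy and C2 stages, so the guest tooling and debuggers need to be hidden or renamed before detonation to observe the later behaviour.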
If all of the checks pass, the malware copies itself to a local directory (%ProgramData%, %LOCALAPPDATA%, or Users) and creates files that serve as its loading point. According to Symantec's analysis, Verblecon then periodically attempts to connect to one of the domains below, using a domain generation algorithm (DGA) to produce a larger set of candidates:
- hxxps://gaymers[.]ax/
- hxxp://[DGA_NAME][.]tk/
The malware's name is derived from the DGA, which is seeded with the current date and time and appends the string "verble" to each generated name. In the recently published technical report, Symantec's researchers note that the payload delivered after the initial contact with the command-and-control (C2) servers is obfuscated in the same way as the loader samples and uses comparable techniques to detect a virtualized environment.
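The domain pattern from the list above and the DGA properties just described, as an added example that is not part of Symantec's report or the malware itself. The real Verblecon algorithm is not published on the page, so `hypothetical_dga` only demonstrates the stated shape (seeded by the current date and time, "verble" appended, .tk TLD); its hashing, hour granularity and label length are assumptions. The detector half is what a defender can act on regardless of the exact algorithm: it flags resolver queries for the fixed domain gaymers[.]ax and for any .tk name whose label ends in "verble". The log lines are constructed in BIND query-log style, not captured traffic.

```python
"""DGA shape and a DNS-log detector for the Verblecon naming pattern.

Added example, not from Symantec's report or the malware. The real
algorithm is not on the page: `hypothetical_dga` is an assumed stand-in
that only reproduces the stated properties (seeded by date/time, "verble"
suffix, .tk TLD). The sample log lines are constructed, not real traffic.
"""
from __future__ import annotations

import hashlib
import re
from datetime import datetime, timezone

DGA_SUFFIX = "verble"
DGA_TLD = "tk"
FIXED_C2 = "gaymers.ax"  # the static domain listed in the report (defanged there)


def hypothetical_dga(when: datetime, label_len: int = 8) -> str:
    """Assumed illustrative algorithm: hash an hour-granular timestamp, map the
    leading bytes to letters, append the fixed suffix. Deterministic per hour."""
    seed = when.strftime("%Y-%m-%d-%H").encode()
    digest = hashlib.sha256(seed).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
    return f"{label}{DGA_SUFFIX}.{DGA_TLD}"


# Any .tk name whose registrable label ends in "verble" (e.g. abcdverble.tk),
# with or without subdomains; input is lower-cased and stripped of the root dot.
DGA_PATTERN = re.compile(r"^(?:[a-z0-9-]+\.)*[a-z0-9-]*verble\.tk$")


def is_suspect_domain(qname: str) -> bool:
    """True for the fixed C2 (and its subdomains) or a name matching the DGA shape."""
    name = qname.rstrip(".").lower()
    if name == FIXED_C2 or name.endswith("." + FIXED_C2):
        return True
    return DGA_PATTERN.match(name) is not None


# BIND-style query log: "... client 10.0.0.5#53211: query: example.com IN A + (10.0.0.1)"
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+[^:]*: query: (\S+) IN ")


def scan_dns_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, domain) pairs for queries matching the indicators."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_suspect_domain(m.group(2)):
            hits.append((m.group(1), m.group(2).rstrip(".").lower()))
    return hits


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
28-Mar-2022 10:15:02.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.1)
28-Mar-2022 10:15:03.004 client 10.0.0.5#53212: query: hqzkbtpnverble.tk IN A + (10.0.0.1)
28-Mar-2022 10:15:03.550 client 10.0.0.9#49120: query: gaymers.ax IN A + (10.0.0.1)
28-Mar-2022 10:15:04.010 client 10.0.0.7#40001: query: verbleanalytics.com IN A + (10.0.0.1)
28-Mar-2022 10:15:05.777 client 10.0.0.5#53213: query: cdn.gaymers.ax IN A + (10.0.0.1)
28-Mar-2022 10:15:06.001 client 10.0.0.3#51000: query: notverble.tk.example.org IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    print("candidate for this hour:", hypothetical_dga(datetime.now(timezone.utc)))
    for client, domain in scan_dns_log(SAMPLE_LOG):
        print(f"suspect query from {client}: {domain}")
```

Because the match is structural (label ending in "verble" under .tk) rather than a list of pre-computed domains, it keeps working as the DGA rotates; the cost is a possible false positive on an unrelated .tk name that happens to end in that string, so treat hits as leads to pivot on the querying host rather than as a verdict.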
According to the research, the payload's primary function is to download and run a binary (.BIN file), which is then decrypted on the infected host and injected into %Windows%\SysWow64\dllhost.exe for execution. The researchers conclude that the main goal of the criminal behind the Verblecon deployments is to install cryptocurrency mining software, an objective out of proportion to the effort required to build malware of this sophistication.
The researchers also believe the threat actor is using it to collect Discord tokens, which are then used to advertise trojanized video game software. According to their findings, Verblecon has so far been aimed at non-enterprise machines, which more sophisticated threat actors rarely target because of the low return. Symantec says it is aware of other reports linking a Verblecon domain to a ransomware attack, but believes the overlap is due to infrastructure shared with an unrelated attacker.
The experts believe Verblecon is currently in the hands of an actor who does not appreciate the loader's full destructive potential, and warn that if more capable cybercriminals adopt it, it could be used for ransomware and even espionage attacks.