Deep Instinct uncovers new JavaScript-based malware dropper

Threat protection startup Deep Instinct Ltd.’s Threat Research Lab today provided details of a new strain of JavaScript-based dropper that delivers two forms of malware onto victims’ computers.

Dubbed PindOS after a user-agent string of the same name in the code, the dropper contains comments in Russian and delivers Bumblebee and IcedID malware.

Bumblebee is a malware loader associated with the Conti ransomware group discovered in March 2022 and acts as a primary vector for multiple types of other malware, including ransomware. IcedID is modular banking malware designed to steal financial information that has been around since 2017.

In a deep dive into PindOS, the researchers found that the standout is how the developers of these attacks are becoming more sophisticated in their tactics. The PindOS dropper exhibits a change in how Bumblebee is used, shifting from using PowerShell to JavaScript. The change indicates an attempt by the threat actors to adapt and refine their attack methods to maximize efficiency and evade detection.

The use of PindOS also indicates a shift in how IcedID is used. With its deployment through PindOS, IcedID has deviated from its primary function as banking malware, potentially following in the steps of Emotet, another form of malware that started as banking malware and then transformed into what has been described as the “world’s most dangerous malware.”

Under the hood, the PindOS JavaScript coding uses a simplistic structure that downloads and executes a payload .DLL from a specified URL. If the first attempt fails, PindOS tries again with a second URL. The researchers note that the dropper’s design and features make it a resilient and efficient tool for infiltrating systems and delivering its payload.

To avoid detection, the payloads generated by PindOS are “pseudo-randomly” created, a common evasion technique. However, the approach is somewhat ineffective because constant indicators remain, enabling some level of detection.

The researchers conclude by noting that although it’s uncertain whether the PindOS dropper will be permanently adopted by the groups behind Bumblebee and IcedID, if successful the method will become a more permanent tool in their arsenal and potentially gain popularity among other threat actors.

The combination of Bumblebee and IcedID malware strains presents a significant threat to both organizations and individuals and the shift to JavaScript-based droppers introduces new challenges for cybersecurity defenses, Callie Guenther, cyber threat research senior manager at cybersecurity company Critical Start Inc., told SiliconANGLE.

“Traditional security solutions that primarily focus on detecting PowerShell-based attacks may need to be updated and adjusted to effectively identify and mitigate these evolving threats,” Guenther explained. “JavaScript-based droppers offer attackers new opportunities for evasion and malware delivery, potentially bypassing security measures that are primarily designed to detect PowerShell-based attacks.”

Image: Bing Image Creator