Dubbed Dimnie, the reconnaissance in addition to espionage trojan has the might to harvest credentials, download sensitive files, accept screenshots, log keystrokes on 32-bit in addition to 64-bit architectures, download additional malware on infected systems, in addition to self-destruct when ordered to.
The malware has largely flown nether the radar for the yesteryear 3 years – Thanks to its stealthy command in addition to command methods.
The threat was discovered inwards the mid of Jan this twelvemonth when it was targeting multiple owners of Github repositories via phishing emails, only cyber-security theater Palo Alto, who reported the crusade on Tuesday, says the attacks started a few weeks before.
Here's How the Attack Works:
The assault starts yesteryear spamming the electronic mail inboxes of active GitHub users amongst booby-trapped project offers. The messages used inwards this crusade endeavour to fob the victims into running an attached malicious .doc file.
The physician file contains embedded macro code, which if allowed, executes a PowerShell command to download in addition to install the Dimnie trojan – malware that tin locomote controlled remotely, enabling attackers to hijack infected PCs in addition to install additional malware.
Dimnie is non new; it showtime appeared inwards early on 2014, only the role of stealthy command in addition to command (C&C) methods inwards the novel version of the Dimnie malware helped the threat stay unnoticed until this year.
Dimnie's Stealthy Features permit it went Undetected for 3 Years
This novel iteration has the might to enshroud its malicious traffic nether simulated domains in addition to DNS requests. To camouflage its connection, Dimnie uses HTTP Proxy requests that appear to locomote sent to Google-owned domains, only it's genuinely talking to an address controlled yesteryear the attackers, which has zippo to produce amongst Google.
For to a greater extent than stealthiness, the malware encrypts all of its modules during transit, in addition to ane time they are received in addition to decrypted on the targeted computer, they are never written to or executed on its difficult drive.
Instead, Dimnie injects them straight into the retentivity of essence Windows processes, which in addition to hence execute inwards the OS retentivity itself, without leaving its traces on the user's disks. This lets Dimnie operators inject their malicious module into the procedure of whatsoever legit application.
"The global arrive at of the Jan 2017 crusade which nosotros analyzed inwards this post is a marked deviation from previous Dimnie targeting tactics. Multiple factors induce got contributed to Dimnie's relatively long-lived existence," Palo researchers concluded.
"By masking upload in addition to download network traffic equally innocuous user activity, Dimnie has taken wages of defenders’ assumptions close what normal traffic looks like. This blending inwards tactic, combined amongst a prior penchant for targeting systems used yesteryear Russian speakers, probable allowed Dimnie to stay relatively unknown."Since the malware hides its communications behind regular traffic in addition to executes inwards the OS memory, Palo researchers unable to speculate the attackers behind the latest phishing electronic mail crusade or their exact motivations to target open-source developers.
However, gaining access to computers belonging to owners of mortal GitHub repositories gives attackers a agency to access the origin code of the application they instruct by for their organizations, which permit the attackers gain access to the internal networks of diverse organizations.
Share This :
comment 0 Comments
more_vert