Widespread E-Mail Scam Targets Github Developers Alongside Dimnie Trojan

Open-source developers who use the popular code-sharing site GitHub were put on alert after the discovery of a phishing email campaign that attempts to infect their computers with an advanced malware trojan.

Dubbed Dimnie, the reconnaissance and espionage trojan has the ability to harvest credentials, download sensitive files, take screenshots, log keystrokes on 32-bit and 64-bit architectures, download additional malware onto infected systems, and self-destruct when ordered to.

The malware has largely flown under the radar for the past three years, thanks to its stealthy command-and-control methods.

The threat was discovered in mid-January this year when it was targeting multiple owners of GitHub repositories via phishing emails, but cyber-security firm Palo Alto Networks, who reported the campaign on Tuesday, says the attacks started a few weeks earlier.

Here's How the Attack Works:


The attack starts by spamming the email inboxes of active GitHub users with booby-trapped job offers. The messages used in this campaign try to trick the victims into running an attached malicious .doc file.

The .doc file contains embedded macro code which, if allowed to run, executes a PowerShell command to download and install the Dimnie trojan, malware that can be controlled remotely, enabling attackers to hijack infected PCs and install additional malware.

Dimnie is not new; it first appeared in early 2014, but the use of stealthy command-and-control (C&C) methods in the new version of the Dimnie malware helped the threat stay unnoticed until this year.
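The macro-to-PowerShell chain described above leaves a very recognisable trace in endpoint telemetry: an Office application becomes the direct parent of a script host. The following detection is an added example written for this article, not code from the article or from Palo Alto Networks; the tab-separated event format, the host name and the file paths in the sample records are all constructed for illustration.

```python
"""Added example (not from the article or from Palo Alto Networks): flag
process-creation events where an Office application launched a script host
such as PowerShell, the pattern behind the booby-trapped .doc attachment.
The event format and every sample record below are constructed."""
from dataclasses import dataclass
from ntpath import basename
from typing import Iterable, List

# Office applications that should almost never spawn a shell on a workstation.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and shells that macro droppers commonly use to fetch a second stage.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one tab-separated record: time, host, parent, image, command line."""
    ts, host, parent, image, cmdline = line.rstrip("\n").split("\t", 4)
    return ProcessEvent(ts, host, parent, image, cmdline)


def is_office_spawned_script_host(ev: ProcessEvent) -> bool:
    """True when an Office process is the direct parent of a script host."""
    return (basename(ev.parent_image).lower() in OFFICE_APPS
            and basename(ev.image).lower() in SCRIPT_HOSTS)


def find_suspicious(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return every event in which Office launched a script host."""
    return [ev for ev in map(parse_event, lines) if is_office_spawned_script_host(ev)]


# Constructed sample telemetry; "WORKSTATION-7" and the paths are placeholders.
SAMPLE_LOG = [
    "2017-01-18T09:12:01Z\tWORKSTATION-7\tC:\\Windows\\explorer.exe\t"
    "C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\t\"WINWORD.EXE\" job_offer.doc",
    # Word spawning PowerShell: the pattern to alert on (command line elided on purpose).
    "2017-01-18T09:12:05Z\tWORKSTATION-7\tC:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -NoProfile -Command <elided>",
    # An administrator opening PowerShell from the desktop: benign, not flagged.
    "2017-01-18T09:13:40Z\tWORKSTATION-7\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe",
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {ev.timestamp} {ev.host}: "
              f"{basename(ev.parent_image)} -> {basename(ev.image)}: {ev.command_line}")
```

The check keys on the parent/child relationship rather than on the command line, because the second stage can be renamed or obfuscated while an Office process launching PowerShell stays unusual on an ordinary workstation; in practice you would feed it Sysmon or EDR process-creation events instead of the constructed records.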

Dimnie's Stealthy Features Let It Go Undetected for 3 Years


This new iteration has the ability to hide its malicious traffic behind fake domains and DNS requests. To camouflage its connections, Dimnie uses HTTP proxy requests that appear to be sent to Google-owned domains, but it is actually talking to an address controlled by the attackers, which has nothing to do with Google.

For extra stealth, the malware encrypts all of its modules in transit, and once they are received and decrypted on the targeted computer, they are never written to or executed from its hard drive.

Instead, Dimnie injects them directly into the memory of core Windows processes, which then execute in OS memory itself, without leaving traces on the user's disks. This lets Dimnie operators inject their malicious module into the process of any legitimate application.
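
The proxy-request disguise has a defender-side tell: the request line names a Google host, but the TCP connection goes to an address that is not one the organisation has ever seen for that domain. The script below is an added example for this article, not the article's or Palo Alto Networks' code; the flow-log format, the address table (RFC 5737 documentation ranges standing in for real data) and the sample lines are all constructed assumptions.

```python
"""Added example (not from the article or from Palo Alto Networks): spot
proxy-style HTTP requests whose absolute-URI request line claims a Google
host while the connection goes to an address outside the ranges the
organisation knows for that domain. Log format, ranges and samples are
constructed placeholders."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed placeholder baseline: ranges the organisation has itself observed
# or verified for each registered domain (e.g. from its resolver logs).
KNOWN_RANGES: Dict[str, List[ipaddress.IPv4Network]] = {
    "google.com": [ipaddress.ip_network("198.51.100.0/24")],
    "googleapis.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# One record per line: time, client, server, quoted HTTP request line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/1\.[01]"$'
)


def claimed_host(target: str) -> Optional[str]:
    """Host named by an absolute-URI request target (proxy style), else None.
    An origin-form path such as /index.html makes no host claim at all."""
    if "://" not in target:
        return None
    return (urlsplit(target).hostname or "").lower() or None


def registered_domain(host: str) -> str:
    """Crude registered-domain extraction (last two labels); enough for this table."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_mismatch(dst: str, host: str) -> bool:
    """True when we hold a baseline for the claimed domain and dst falls outside it."""
    ranges = KNOWN_RANGES.get(registered_domain(host))
    if ranges is None:
        return False  # no baseline for this domain, so nothing to compare against
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in ranges)


def find_mismatches(lines: Iterable[str]) -> List[dict]:
    """Return the records whose claimed host and real destination disagree."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = claimed_host(m["target"])
        if host and is_mismatch(m["dst"], host):
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "host": host})
    return hits


# Constructed sample flow log (TEST-NET addresses, not real hosts).
SAMPLE_LOG = [
    '2017-01-20T10:01:03Z 10.0.0.5 198.51.100.7 "GET http://www.google.com/search?q=weather HTTP/1.1"',
    # Claims google.com but connects elsewhere: the disguise the article describes.
    '2017-01-20T10:01:09Z 10.0.0.5 203.0.113.44 "GET http://www.google.com/ HTTP/1.1"',
    # Origin-form request: no host claim, nothing to check here.
    '2017-01-20T10:02:00Z 10.0.0.5 203.0.113.44 "GET /index.html HTTP/1.1"',
    # Domain with no baseline: cannot judge, so not flagged.
    '2017-01-20T10:02:30Z 10.0.0.5 203.0.113.90 "POST http://example.net/upload HTTP/1.1"',
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOG):
        print(f"ALERT {hit['ts']} {hit['src']} -> {hit['dst']} claims {hit['host']}")
```

The baseline table is the part that needs care: populate it from your own resolver or passive-DNS data rather than guessing, and treat a domain with no baseline as "unknown" instead of "clean", as the code does, so that the absence of data never silently whitelists a destination.
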

"The global reach of the January 2017 campaign which we analyzed in this post is a marked departure from previous Dimnie targeting tactics. Multiple factors have contributed to Dimnie's relatively long-lived existence," Palo Alto researchers concluded.

"By masking upload and download network traffic as innocuous user activity, Dimnie has taken advantage of defenders' assumptions about what normal traffic looks like. This blending-in tactic, combined with a prior penchant for targeting systems used by Russian speakers, likely allowed Dimnie to remain relatively unknown."

Since the malware hides its communications behind regular traffic and executes in OS memory, Palo Alto researchers were unable to speculate about the attackers behind the latest phishing email campaign or their exact motivations for targeting open-source developers.

However, gaining access to computers belonging to owners of private GitHub repositories gives attackers a way to reach the source code of the applications those developers manage for their organizations, which could let the attackers gain access to the internal networks of various organizations.