Legion Loader is a new dropper that is already in wide use. It is distinctive for the wide range of malware it has been seen to drop and for its continuing development. The implication is that it is available for hire as part of the burgeoning malware-as-a-service black market.
While other droppers often become associated with particular malware (just as Emotet is known to drop Trickbot, and Trickbot is known to drop Ryuk and LockerGoga ransomware, and more recently web skimming malware), Legion is already known to drop a wide range of malware. This includes infostealers such as Vidar, Predator and Raccoon, as well as a cryptocurrency stealer, a crypto miner and an RDP backdoor.
(Image Credit: Deep Instinct)
A Legion campaign has been detected, and the dropper used has been analyzed by researchers at Deep Instinct. The analysis was ‘fairly straightforward’: although the loader includes several sandbox and research-tool evasions, it lacks string obfuscation.
It is, they say, “written in MS Visual C++ 8 (very likely by a Russian-speaking individual) and shows signs of being in active development.” They do not say how Legion is initially installed on the victim, but rather describe what it does once running. The targets currently appear to be largely in the U.S. and Europe. Each dropper is designed to deliver two or three additional pieces of malware, and includes a built-in fileless cryptocurrency stealer and browser credential harvester.
It arrives with typical black-hat humor: detected user agent strings have included autizm, satan, suspiria, fuck u, and lilith. Its first step is to check in with its designated command-and-control (C&C) server. If the expected reply is not received, it terminates. If the check-in succeeds, it downloads the two or three additional payloads, normally from the C&C server but occasionally from a free hosting service.
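Because those check-in user agents are so unusual, they make a cheap hunting signal in egress proxy or web-server logs. The Python below is an added example, not code from the article or from Deep Instinct: it parses combined-format access log lines (the sample lines are constructed and use a .invalid domain) and flags requests whose entire User-Agent field, after case and whitespace normalisation, equals one of the strings listed above. That the samples send nothing but these tokens as the User-Agent is an assumption made here; if your proxy writes a different format, only the regex needs changing.

```python
import re
from typing import Dict, List, Optional

# User-Agent strings reported for Legion Loader check-ins (as summarised in the article).
# Matched against the WHOLE User-Agent field, case-insensitively, so a legitimate browser
# UA that merely contains "satan" somewhere does not fire.
LEGION_USER_AGENTS = frozenset({"autizm", "satan", "suspiria", "fuck u", "lilith"})

# Apache/Nginx "combined" format; the User-Agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def normalise_ua(ua: str) -> str:
    """Collapse runs of whitespace and lower-case, so 'Fuck  U' still equals 'fuck u'."""
    return " ".join(ua.split()).lower()


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def find_legion_checkins(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one record per request with a Legion-style User-Agent."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        if normalise_ua(rec["ua"]) in LEGION_USER_AGENTS:
            hits.append({
                "line": lineno,
                "client": rec["client"],
                "ts": rec["ts"],
                "request": rec["request"],
                "status": rec["status"],
                "ua": rec["ua"],
            })
    return hits


# CONSTRUCTED sample log: two check-ins from one host, one benign browser whose UA merely
# contains "Satan", and one junk line. Not real traffic and not a real C&C domain.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Dec/2019:09:14:02 +0000] "GET http://c2.example.invalid/gate.php HTTP/1.1" 200 512 "-" "satan"',
    '10.0.0.7 - - [10/Dec/2019:09:14:03 +0000] "GET http://c2.example.invalid/1.exe HTTP/1.1" 200 331776 "-" "Fuck  U"',
    '10.0.0.12 - - [10/Dec/2019:09:14:10 +0000] "GET https://www.example.invalid/ HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Satan-Browser/1.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for hit in find_legion_checkins(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} {hit['request']} -> {hit['status']} UA={hit['ua']!r}")
```

Run against a real log by replacing SAMPLE_LOG with the file's lines; the hits give you the client address to pivot on, and the request URLs of any follow-on downloads from the same client are the next thing to pull.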
When the downloads are complete, Legion executes a lightly obfuscated PowerShell command that delivers the cryptocurrency stealer and the browser credential harvester. The crypto stealer contacts the C&C and receives further PowerShell code that sweeps the system for stored wallets and any related credentials.
If any are found, Legion again contacts the C&C and receives more PowerShell code (to set up the stealer) and a DLL (used to encrypt further communication). Once this is complete, it downloads the browser credential harvester. Credentials and wallet files are uploaded to the C&C.
It may also deploy an RDP-based backdoor. This arrives as a Nullsoft Scriptable Install System (NSIS) installer and uses an embedded Blowfish DLL to decrypt strings that form a cmd.exe command. That command runs an embedded PowerShell script containing a large DES-encrypted blob, which is decrypted at runtime. The decrypted blob in turn contains further blobs that are gzip-compressed and base64-encoded.
“These blobs,” note the researchers, “are decoded and decompressed using a set of contained functions and are deployed by the PowerShell code to %programfiles%/windows mail/appcache.xml or %/default_list.xml, based on the executing machine’s operating system. While the written file’s extension is .xml they are actually .DLL files. After the required .DLL containing blob has been deployed, it is registered as a system service.”
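As an added example (not the researchers' code, and not derived from any Legion sample), the Python below emulates the inner unpacking layer described above, base64 then gzip, on a constructed blob holding a minimal fake PE header, and then applies the two checks a responder would want on a suspect host: does a file with an .xml extension actually carry a PE image, and does any service ImagePath or ServiceDll value point at a .xml file? The outer Blowfish and DES layers are not reproduced because their keys are not given on the page. The DROPPED_NAMES set comes from the quote above; the rundll32 service path is constructed to illustrate the check, not taken from a sample.

```python
import base64
import gzip
import hashlib
import re
from pathlib import Path
from typing import List

# File names the researchers report for the DLL written with an .xml extension
# under %programfiles%\Windows Mail.
DROPPED_NAMES = {"appcache.xml", "default_list.xml"}


def decode_blob(blob_b64: str) -> bytes:
    """Reverse the inner packing layer: base64 text -> gzip stream -> raw bytes."""
    raw = base64.b64decode(blob_b64, validate=True)
    return gzip.decompress(raw)


def looks_like_pe(data: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and 'PE\\0\\0' at the offset stored in e_lfanew (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_dropped_file(name: str, data: bytes) -> dict:
    """Verdict for one candidate: the extension says XML, what does the content say?"""
    is_pe = looks_like_pe(data)
    masquerading = name.lower().endswith(".xml") and is_pe
    return {
        "name": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "known_dropped_name": name.lower() in DROPPED_NAMES,
        "verdict": "pe_masquerading_as_xml" if masquerading else "benign_or_unknown",
    }


def triage_directory(root: Path) -> List[dict]:
    """Scan a directory (e.g. C:\\Program Files\\Windows Mail) for .xml files that are really PE images."""
    findings = []
    for p in root.rglob("*.xml"):
        rec = classify_dropped_file(p.name, p.read_bytes())
        if rec["verdict"] != "benign_or_unknown":
            findings.append(rec)
    return findings


_XML_PATH_RE = re.compile(r"\.xml(?=[\"'\s,]|$)", re.IGNORECASE)


def suspicious_service_paths(image_paths: List[str]) -> List[str]:
    """Flag service ImagePath/ServiceDll values that reference a .xml file.
    A service should never load code from an .xml path, so any hit deserves a look.
    Assumes the caller exported the values beforehand (e.g. with reg query / Get-ItemProperty)."""
    return [p for p in image_paths if _XML_PATH_RE.search(p)]


def build_sample_blob() -> str:
    """CONSTRUCTED stand-in for a decoded stage: a minimal fake PE header, gzip+base64 packed.
    It is not a real DLL and is not derived from any Legion sample; it exists so the example runs offline."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # DOS header, e_lfanew field sits at 0x3C
    stub += (0x40).to_bytes(4, "little")       # e_lfanew -> PE signature at offset 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20       # PE signature plus room for a COFF header
    return base64.b64encode(gzip.compress(bytes(stub), mtime=0)).decode("ascii")


if __name__ == "__main__":
    payload = decode_blob(build_sample_blob())
    print(classify_dropped_file("appcache.xml", payload))
    print(classify_dropped_file("settings.xml", b"<?xml version='1.0'?><a/>"))
    print(suspicious_service_paths([
        r"%SystemRoot%\System32\svchost.exe -k netsvcs",
        r'rundll32.exe "C:\Program Files\Windows Mail\appcache.xml",Start',  # constructed
    ]))
```

On a live host, point triage_directory at the Windows Mail folder and feed suspicious_service_paths the ImagePath and ServiceDll values from HKLM\SYSTEM\CurrentControlSet\Services; the SHA-256 in each finding is what you compare against the published IoC list.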
It is too early to know how widely Legion will be adopted by the criminal fraternity, but the range of malware it has been seen to drop suggests that it was not developed by a single gang to deliver a particular payload, but is designed to offer a delivery service for malware of the customer's choice. One of the infostealers it has delivered, Raccoon, is itself an increasingly popular product provided as a service. This type of criminal activity, in which more adept coders provide malware to the larger number of wannabe hackers, is likely to grow.
Deep Instinct provides a long list of IoCs comprising Legion Loader samples, dropped malware samples, and Legion Loader and crypto stealer C&C domains.