The newly discovered Legion Loader infects computers with an enormous amount and variety of malware, making it a serious threat.
A newly discovered malware dropper, known as the Legion Loader, has been called “a hornet’s nest” of malware by the Deep Instinct researchers who discovered it.
Legion Loader is a dropper: its sole job is to get onto a machine and install further malware. Droppers are not uncommon, but Legion Loader has a particularly nasty arsenal to draw on. It is built to fetch and run two or three different malware executables whose download locations are hard-coded into the loader.
Many of the executables Legion installs are commodity threats sold on underground malware markets, such as Vidar, Predator the Thief and Raccoon stealer, but they are not the real danger. That comes from a few attacks baked into the loader itself and delivered with the first Legion installation.
The major threats from Legion: crypto theft, credential stealing and RDP backdoors
Legion's first action is to contact its command-and-control (C&C) server and download the initial malware. Once those two or three hard-coded programs are installed, it moves on to the really damaging components.
First, Legion runs a hidden PowerShell script that scans the infected computer for a cryptocurrency wallet or for stored credentials for cryptocurrency websites. If either is found, Legion downloads two more tools: a cryptocurrency stealer that extracts wallet data, and a browser credential stealer that retrieves saved logins for crypto websites.
The final part of Legion's arsenal is an RDP backdoor. It is installed alongside the crypto and password stealing code, registers itself as a system service, and waits for an attacker to use it.
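The two behaviours described above, a PowerShell process started with a hidden window and a service registered from a location an ordinary user can write to, are both visible in standard Windows telemetry (Security event 4688 with command-line auditing enabled, and System event 7045 for service installation). The following detection logic is an added example written for this article, not code from Deep Instinct or from the malware; the event records it runs over are constructed for the example, and the field names are simplified stand-ins for what a SIEM parser would produce.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    """Minimal stand-in for a parsed Windows event: ID plus named fields."""
    event_id: int
    fields: dict = field(default_factory=dict)


# Constructed sample telemetry (not real Legion Loader artefacts). 4688 is the
# Security "process created" event with command-line auditing on; 7045 is the
# System "a service was installed" event. Paths and names are made up.
SAMPLE_EVENTS = [
    Event(4688, {
        "ParentImage": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoP -W Hidden -Ep Bypass "
                       r"-File C:\Users\alice\AppData\Local\Temp\chk.ps1",
    }),
    Event(4688, {  # benign: an admin running an interactive command
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Get-Process",
    }),
    Event(7045, {
        "ServiceName": "WinUpdateSvc",
        "ImagePath": r"C:\Users\alice\AppData\Roaming\svc\rdpsvc.exe",
        "StartType": "auto start",
    }),
    Event(7045, {  # benign: a service binary under the Windows directory
        "ServiceName": "Sysmon64",
        "ImagePath": r"C:\Windows\Sysmon64.exe",
        "StartType": "auto start",
    }),
]

# PowerShell's window-style and encoded-command switches, including the
# abbreviated forms the interpreter accepts (-w, -win, -e, -ec, -enc).
HIDDEN_PS = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden\b|-(?:e|ec|enc|encodedcommand)\s+\S+",
    re.IGNORECASE)
POWERSHELL = re.compile(r"\\(?:powershell|pwsh)(?:_ise)?\.exe$", re.IGNORECASE)
# Directories an unprivileged user can write to. A service binary living in
# one of these has no business being registered as a system service.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\|\\Temp\\|\\Users\\Public\\",
    re.IGNORECASE)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def detect(events):
    """Return one finding per event that matches a rule, in input order."""
    findings = []
    for ev in events:
        f = ev.fields
        if ev.event_id == 4688 and POWERSHELL.search(f.get("Image", "")):
            cmd = f.get("CommandLine", "")
            if HIDDEN_PS.search(cmd):
                parent = f.get("ParentImage", "")
                findings.append({
                    "rule": "hidden_or_encoded_powershell",
                    # A hidden PowerShell spawned by a binary in a user-writable
                    # directory is the dropper-then-script chain; rank it higher.
                    "severity": "high" if is_user_writable(parent) else "medium",
                    "detail": cmd,
                    "parent": parent,
                })
        elif ev.event_id == 7045 and is_user_writable(f.get("ImagePath", "")):
            findings.append({
                "rule": "service_installed_from_user_writable_path",
                "severity": "high",
                "detail": f"{f.get('ServiceName')} -> {f.get('ImagePath')}",
                "parent": "",
            })
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["severity"].upper(), hit["rule"], hit["detail"])
```

Neither rule is specific to Legion; they catch the generic loader pattern the article describes, which is exactly what you want, since the loader's hard-coded payloads and domains can change while the behaviour stays the same.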
How to combat threats like Legion
As with all malware threats, it is essential to practise good cyber security hygiene, especially in large organisations, where the mistake of a single employee can expose everyone.
In the case of the Legion Loader, make sure your firewall is set to block connections to specific domains: Deep Instinct has published a list of domains linked to Legion, so add it to your blacklist right away.
In addition to strengthening your firewall, ensure that users cannot download and install apps without permission, make sure they regularly change passwords, and that where possible two-factor authentication is used.
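Most network firewalls filter by IP address, so a domain list is usually enforced at the DNS resolver or web proxy, and the same list is worth running retrospectively over DNS logs to find hosts that already reached out. The script below is an added example, not code from Deep Instinct; the domains in BLOCKLIST are placeholders, not the published Legion indicators, and the log lines are constructed for the example in a simple "time client qtype qname" format. Its one subtlety is matching on label boundaries, so that a subdomain of a listed domain is caught while a domain that merely ends in the same characters is not.

```python
import re
from typing import Iterable

# Placeholder indicators. These are NOT the domains Deep Instinct published
# for Legion Loader; load the real list in place of this set when deploying.
BLOCKLIST = {
    "legion-c2.example",
    "payload-host.example",
    "update.stealer.example",
}

# Constructed DNS query log, one query per line: <time> <client> <qtype> <qname>.
SAMPLE_DNS_LOG = """\
2019-12-16T09:14:02Z 10.0.3.17 A www.microsoft.com
2019-12-16T09:14:05Z 10.0.3.17 A cdn.legion-c2.example
2019-12-16T09:14:06Z 10.0.3.42 A notlegion-c2.example
2019-12-16T09:14:09Z 10.0.3.17 AAAA payload-host.example.
2019-12-16T09:15:11Z 10.0.3.88 A update.stealer.example
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' == 'foo.example'."""
    return name.rstrip(".").lower()


def is_blocked(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if qname is a listed domain or a subdomain of one.

    Checking each label-boundary suffix, rather than str.endswith, prevents
    'notlegion-c2.example' from matching 'legion-c2.example'.
    """
    listed = {normalise(d) for d in blocklist}
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def scan_dns_log(lines: Iterable[str], blocklist=BLOCKLIST):
    """Return the queries that hit the blocklist, in log order."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed or empty lines rather than crash
        ts, client, qtype, qname = m.groups()
        if is_blocked(qname, blocklist):
            hits.append({"time": ts, "client": client,
                         "qtype": qtype, "qname": normalise(qname)})
    return hits


def clients_to_isolate(hits):
    """Distinct internal hosts that resolved a listed domain."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines())
    for h in found:
        print(h["time"], h["client"], "->", h["qname"])
    print("isolate:", ", ".join(clients_to_isolate(found)))
```

The resolver-side block stops new infections from reaching their C&C server; the retrospective scan is what tells you which machines the loader has already been on, and those are the ones to pull off the network and rebuild.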
Legion Loader, its discoverers said, "is a classic example of how even a relatively unsophisticated piece of malware can become a security nightmare for an organization." Much of what it does is unrefined and easy to detect, but it is up to security teams to put the rules in place that catch it, and other malware loaders, in the first place.