RockLoader Dropper Downloads Locky, Kegotip, and Pony

Thursday, April 14, 2016

Ionut Arghire


A new malware downloader has been spotted recently, used to drop various malicious programs onto compromised computers, including the Locky ransomware and the Kegotip and Pony info stealers.

Dubbed RockLoader, the new dropper has been seen distributed by infrastructure associated with the Dridex botnet, both as a .js file packaged inside a .zip archive and via malicious Office documents with macros. Delivered through spam emails, the dropper is also experimenting with a method for bypassing Windows User Account Control (UAC), researchers at PhishMe reveal.

RockLoader was observed in campaigns primarily targeting UK and French organizations, and researchers at Proofpoint said last week that it was also used to load Dridex 220. Overall, the dropper was observed downloading four different pieces of malware, but it was mainly associated with the Dridex botnet and the distribution of the Locky ransomware.

While droppers are nothing new, and Upatre, previously used in Dyre and Gameover ZeuS campaigns, is among the best known of them, what sets RockLoader apart is its attempt to bypass UAC. According to PhishMe, the original malware executable was compiled for 32-bit operating systems, but researchers also noticed that the dropper carries shellcode compiled as a 64-bit binary.

After successfully bypassing UAC, RockLoader makes HTTP POST requests to the /api/ directory on its command and control host to request encoded commands for its next step. The malware can look for multiple arguments in the data it receives, and researchers suggest that it includes support for several commands.

The dropper can receive instructions such as “command” and “update,” as well as a “notask” instruction, which causes it to create and run a “1.bat” file in the temp directory in an attempt to delete itself. Researchers also discovered that the downloader’s operators can pass multiple arguments and commands to the malware in a single request.
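The two host-observable behaviours described above, the POST check-in to the /api/ path and the self-deletion via a 1.bat file in the temp directory, can be correlated in telemetry. The following is an added detection sketch written for this article, not code from PhishMe or Proofpoint; the event shape, field names and sample records are constructed assumptions, and neither signal is reliable on its own, so only a host showing both is reported as high confidence.

```python
import re

# Constructed sample telemetry (not real logs). Assumed shape: one dict per event with
# "host", "kind" ("proc" or "http") and kind-specific fields.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "http", "method": "POST", "path": "/api/",
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)"},
    {"host": "ws01", "kind": "proc", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\bob\AppData\Local\Temp\1.bat"},
    {"host": "ws02", "kind": "http", "method": "POST", "path": "/api/login",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0)"},
    {"host": "ws03", "kind": "proc", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\eve\AppData\Local\Temp\1.bat"},
]

# 1.bat launched from a temp folder, either an expanded path or the %TEMP% variable.
TEMP_BAT = re.compile(r'(?i)(?:\\temp\\|%temp%\\)1\.bat(?:\s|$|")')
# The bare /api/ directory named in the write-up; deeper /api/... paths are ordinary web traffic.
API_POST = re.compile(r"^/api/?$")


def process_reasons(ev):
    """Flag the self-deletion helper: cmd.exe running 1.bat out of a temp directory."""
    image = ev.get("image", "").lower()
    if image.endswith("cmd.exe") and TEMP_BAT.search(ev.get("cmdline", "")):
        return ["cmd.exe ran 1.bat from a temp directory"]
    return []


def http_reasons(ev):
    """Flag a POST to the bare /api/ path; weak alone, so it serves only as a correlator."""
    if ev.get("method") == "POST" and API_POST.match(ev.get("path", "")):
        return ["HTTP POST to /api/ check-in path"]
    return []


def correlate(events):
    """Return {host: [reasons]} for every host that produced at least one signal."""
    per_host = {}
    for ev in events:
        reasons = process_reasons(ev) if ev["kind"] == "proc" else http_reasons(ev)
        if reasons:
            per_host.setdefault(ev["host"], []).extend(reasons)
    return per_host


def high_confidence(events):
    """Hosts showing both the temp 1.bat execution and the /api/ POST."""
    return sorted(h for h, r in correlate(events).items() if len(set(r)) >= 2)
```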

“This vastly increases the economy and extensibility of this malware’s operation. Stacking commands in this way is where this new malware downloader really shines. With this capability, the attackers are able to drop several malware payloads to the system at once, or pass multiple commands to a single victim,” the researchers said.

PhishMe also notes that, in a campaign targeting a UK company earlier this month, RockLoader downloaded multiple executables onto the infected machines, including the Locky loader and the Pony info stealer. The latter was likely included to help the cybercriminals expand their C2 infrastructure, given that Pony can harvest FTP credentials from compromised computers.

The introduction of RockLoader into the infection chain shows that attackers are continuously looking for new ways to increase their infection rates. Researchers also expect the new dropper to fill the gap left by Upatre’s absence, since it retains many of the strengths that made Upatre successful while adding extensibility and functionality.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
