Dimnie is the name of a recently reported new malware family which has been flying under the radar for more than three years, researchers at Palo Alto Networks say.
Dimnie Malware Technical Overview
The malware was discovered in January 2017, when it was used in phishing emails targeting open-source developers. The attacks distributed a .doc attachment whose embedded macro code executed a PowerShell command; the final goal was the download and execution of a malicious file.
Researchers found that the earliest Dimnie samples date back to early 2014. The malware remained undetected for so long because of its stealthy command-and-control (C&C) methods; at the time it targeted Russian speakers, which also helped it fly under the radar for over three years.
On initial inspection, everything appears to follow the same formula as many “traditional” malware campaigns: e-mail lure, malicious attachment, macro, PowerShell downloader, and finally a binary payload. Examining the payload’s communications caused us to raise our eyebrows.
The most recent campaign went global, and the malware could download additional malware for the purpose of stealing information.
Essentially, Dimnie serves as a downloader with a modular design in which different modules provide information-stealing functionality. Each module is injected into the memory of core Windows processes, which makes analysis even more complicated, researchers explain.
While examining Dimnie's communication with its C&C server, the researchers found that it disguises its traffic as HTTP proxy requests to the Google PageRank service, a service which is no longer public.
Dimnie uses this feature to create a supposedly legit HTTP proxy request to a Google service. However, the Google PageRank service (toolbarqueries.google.com) has been slowly phased out since 2013 and as of 2016 is no longer open to the public. Therefore, the absolute URI in the HTTP request is for a non-existent service and the server is not acting as a proxy. This seemingly RFC compliant request is merely camouflage.
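The camouflage described above is detectable from the network side: an absolute-form request-target (`GET http://host/path HTTP/1.1`) is only legitimate when the client is talking to a configured forward proxy, so such a request sent to any other destination deserves a look. The following is an added example written for this article, not code from Palo Alto Networks or from the malware; the log record format, the destination addresses, the request paths and the known-proxy list are all constructed assumptions.

```python
"""Flag Dimnie-style 'fake proxy' HTTP requests in constructed web logs.

Added example (not the researchers' code). A record is (dst_ip, request
line). Heuristic: an absolute URI in the request line is normal only when
the destination is one of our configured forward proxies; anywhere else it
is camouflage, as in the PageRank requests described in the article.
"""
from urllib.parse import urlsplit

# Constructed sample records: (destination IP, HTTP request line).
# The first mimics the article's pattern: an absolute URI for the defunct
# toolbarqueries.google.com service sent straight to a non-proxy host.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "GET http://toolbarqueries.google.com/ HTTP/1.1"),
    ("198.51.100.7", "GET /index.html HTTP/1.1"),
    ("10.0.0.8", "GET http://www.example.com/ HTTP/1.1"),  # genuine proxy use
]
KNOWN_PROXIES = {"10.0.0.8"}  # assumed address of the organisation's proxy


def parse_request_line(line):
    """Return (method, target, version) or None if the line is malformed."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def is_absolute_form(target):
    """True if the request-target is an absolute URI (scheme://host/path)."""
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_fake_proxy_requests(records, known_proxies):
    """Return [(dst_ip, uri_host, target)] for absolute-form requests that
    were sent to a destination which is not a configured forward proxy."""
    hits = []
    for dst_ip, line in records:
        parsed = parse_request_line(line)
        if parsed is None:
            continue  # skip unparseable lines rather than guessing
        _, target, _ = parsed
        if is_absolute_form(target) and dst_ip not in known_proxies:
            hits.append((dst_ip, urlsplit(target).hostname, target))
    return hits


if __name__ == "__main__":
    for dst_ip, uri_host, target in find_fake_proxy_requests(SAMPLE_REQUESTS, KNOWN_PROXIES):
        print("suspicious: absolute URI for %s sent to non-proxy %s" % (uri_host, dst_ip))
```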
In addition, analysis of the HTTP traffic showed that the downloaded payloads are encrypted with AES-256 in ECB mode and that the malware decrypts them using an AES key.