
Dimnie Malware Stealthy Mode Finally Analyzed by Researchers

Dimnie is the name of a recently reported new malware family which has been flying under the radar for more than three years, researchers at Palo Alto Networks say.

Dimnie Malware Technical Overview

The malware was attacking open-source developers via phishing emails in January 2017, and that is how it was discovered. The attacks involved the distribution of a .doc file containing embedded macro code to execute a PowerShell command. The final goal was the download and execution of a malicious file.


Researchers found that the first samples of Dimnie malware date back to early 2014. The malware remained undetected for so long because of its stealthy C&C methods. Back then, Dimnie targeted Russian speakers, which also helped it fly under the radar for over three years.

On initial inspection, everything appears to follow the same formula as many “traditional” malware campaigns: e-mail lure, malicious attachment, macro, PowerShell downloader, and finally a binary payload. Examining the payload’s communications caused us to raise our eyebrows.

The most recent campaign went global and could download more malware with the purpose of stealing information.
Essentially, Dimnie serves as a downloader and has a modular design containing various information-stealing functions. Each module is injected into the memory of core Windows processes, which makes analysis even more complicated, researchers explain.

While examining Dimnie’s communication with its C&C server, the researchers uncovered that it employs HTTP Proxy requests to the Google PageRank service, a service which is no longer public.

Dimnie uses this feature to create a supposedly legit HTTP proxy request to a Google service. However, the Google PageRank service (toolbarqueries.google.com) has been slowly phased out since 2013 and as of 2016 is no longer open to the public. Therefore, the absolute URI in the HTTP request is for a non-existent service and the server is not acting as a proxy. This seemingly RFC compliant request is merely camouflage.
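A defender-side check for the camouflage described above, as an added example that is not from the original article or from Palo Alto Networks: it flags captured HTTP requests that use an absolute URI but go to an address that is not a known proxy, and requests that name the retired PageRank host. The proxy address, the sample requests and all function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Host named in the article: the retired Google PageRank endpoint.
RETIRED_HOSTS = {"toolbarqueries.google.com"}
# Assumption: the only legitimate forward proxy on this network.
PROXIES = {"10.0.0.8"}

# Constructed sample capture: (destination IP, raw request head).
SAMPLE = [
    ("10.0.0.8", "GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("203.0.113.50", "GET http://toolbarqueries.google.com/constructed?x=1 HTTP/1.1\r\n"
                     "Host: toolbarqueries.google.com\r\n\r\n"),
    ("198.51.100.7", "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.8", "GET http://toolbarqueries.google.com/constructed?x=2 HTTP/1.1\r\n\r\n"),
]

def request_target(raw):
    """Return the request-target from a raw HTTP/1.x request head, or None."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]

def classify(dst_ip, raw, proxies=PROXIES):
    """List the reasons one captured request looks like proxy camouflage."""
    target = request_target(raw)
    if target is None:
        return ["unparsable request line"]
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        return []  # origin-form target: normal for a direct connection
    findings = []
    if dst_ip not in proxies:
        # Clients use absolute-form targets when talking to a proxy (RFC 7230, section 5.3.2).
        findings.append("absolute-URI request sent to a non-proxy address")
    if url.hostname.lower() in RETIRED_HOSTS:
        findings.append("request names the retired PageRank host")
    return findings

def scan(records, proxies=PROXIES):
    """Return (dst_ip, findings) for every record with at least one finding."""
    hits = [(ip, classify(ip, raw, proxies)) for ip, raw in records]
    return [(ip, f) for ip, f in hits if f]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE):
        print(ip, "->", "; ".join(findings))
```

The first finding depends on an accurate proxy inventory; the second is worth alerting on even when the request passes through a legitimate proxy, since the service is no longer public.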


In addition, the HTTP traffic revealed that the malware uses an AES key to decrypt payloads previously encrypted via AES 256 in ECB mode.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
