Dimnie Malware Stealthy Mode Finally Analyzed by Researchers

Dimnie is the name of a recently reported new malware family which has been flying under the radar for more than three years, researchers at Palo Alto Networks say.

Dimnie Malware Technical Overview

The malware was attacking open-source developers via phishing emails in January 2017, and that is how it was discovered. The attacks involved the distribution of a .doc file containing embedded macro code to execute a PowerShell command. The final goal was the download and execution of a malicious file.

Researchers found that the first Dimnie samples date back to early 2014. The malware remained undetected for so long because of its stealthy C&C methods. At the time, Dimnie targeted Russian speakers, which also helped it fly under the radar for over three years.

On initial inspection, everything appears to follow the same formula as many “traditional” malware campaigns: e-mail lure, malicious attachment, macro, PowerShell downloader, and finally a binary payload. Examining the payload’s communications caused us to raise our eyebrows.

The most recent campaign went global and could download additional malware for the purpose of stealing information. Essentially, Dimnie serves as a downloader and has a modular design containing various information-stealing functionalities. Each module is injected into the memory of core Windows processes, which makes analysis even more complicated, researchers explain.

While examining Dimnie’s communication with its C&C server, the researchers found that it sends HTTP proxy requests addressed to the Google PageRank service, a service which is no longer public.

Dimnie uses this feature to create a supposedly legit HTTP proxy request to a Google service. However, the Google PageRank service (toolbarqueries.google.com) has been slowly phased out since 2013 and as of 2016 is no longer open to the public. Therefore, the absolute URI in the HTTP request is for a non-existent service and the server is not acting as a proxy. This seemingly RFC compliant request is merely camouflage.
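The detection angle that follows from this description is that a client sending an absolute-URI (proxy-form) request naming the defunct toolbarqueries.google.com host to a server that is not a known proxy is behaving abnormally. The following is an added example, not code from the original article or from Palo Alto Networks; the request lines, IP addresses and paths are constructed sample data, and the set of known proxies is an assumed input.

```python
import re
from urllib.parse import urlsplit

# Host of the retired Google PageRank toolbar service named in the article.
DEFUNCT_PAGERANK_HOST = "toolbarqueries.google.com"

# HTTP/1.x request line: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")

# Constructed sample of (destination IP, request line) pairs, as a network
# sensor or proxy log might record them. All values are made up.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "GET http://toolbarqueries.google.com/search?q=example HTTP/1.1"),
    ("93.184.216.34", "GET / HTTP/1.1"),
    ("203.0.113.10", "POST http://toolbarqueries.google.com/ HTTP/1.1"),
    ("198.51.100.5", "GET /index.html HTTP/1.1"),
    ("198.51.100.7", "GET http://example.net/update.bin HTTP/1.1"),
]


def parse_request_line(line):
    """Return method/target/version for a well-formed request line, else None."""
    m = REQUEST_LINE.match(line)
    return m.groupdict() if m else None


def is_absolute_form(target):
    """Proxy-form requests carry an absolute URI instead of a bare path."""
    return target.lower().startswith(("http://", "https://"))


def classify(dst_ip, line, known_proxies=frozenset()):
    """Label one request; only 'origin-form' and 'proxied' are expected traffic."""
    parsed = parse_request_line(line)
    if parsed is None:
        return "malformed"
    target = parsed["target"]
    if not is_absolute_form(target):
        return "origin-form"
    host = (urlsplit(target).hostname or "").lower()
    if host == DEFUNCT_PAGERANK_HOST:
        return "suspicious-defunct-pagerank"  # camouflage pattern described above
    if dst_ip not in known_proxies:
        return "absolute-form-to-non-proxy"   # absolute URI sent to a non-proxy
    return "proxied"


def find_suspicious(requests, known_proxies=frozenset()):
    """Return (dst_ip, line, label) for every request that is not benign."""
    benign = {"origin-form", "proxied"}
    labelled = ((ip, ln, classify(ip, ln, known_proxies)) for ip, ln in requests)
    return [row for row in labelled if row[2] not in benign]
```

Running `find_suspicious(SAMPLE_REQUESTS)` on the constructed sample flags the two PageRank requests and the absolute-form request to a host that is not a configured proxy.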

In addition, analysis of the HTTP traffic showed that the malware uses an AES key to decrypt downloaded payloads, which are encrypted with AES-256 in ECB mode.

Milena Dimitrova
