A new strain of a JavaScript dropper was observed recently delivering Bumblebee and IcedID malware, a development security pros should take note of because both Bumblebee and IcedID are known to execute ransomware.
In a blog post June 22, Deep Instinct’s Threat Research Lab said the dropper contains comments in Russian and uses the unique user-agent string “PindOS,” which potentially ties it to current and past anti-American sentiment in Russia.
Bumblebee operates as a malware loader that was first discovered in March 2022. The researchers said it was associated with the Conti group and was being used as a replacement for BazarLoader. The switch to JavaScript instead of PowerShell marks a significant change in Bumblebee's well-established tactics, techniques, and procedures (TTPs), the researchers said.
IcedID has functioned as a modular banking malware that aims to steal financial information. It has been seen in the wild since at least 2017 and has recently been observed shifting some of its focus to malware delivery.
The researchers said IcedID appears to have been partially following in Emotet's footsteps and may have abandoned its banking and financial functionality in favor of becoming a more generalized loader-type malware. Security pros can view its association with a new JavaScript dropper as another step in this direction.
The shift to JavaScript-based droppers offers new opportunities for evasion and malware delivery, potentially posing challenges for security products that have been primarily focused on detecting PowerShell-based attacks, said Callie Guenther, cyber threat research senior manager at Critical Start.
“The use of the unique user-agent string ‘PindOS’ and the presence of Russian comments in the dropper's code raise suspicions about potential connections to anti-American sentiment in Russia,” said Guenther. “And while it’s essential to consider geopolitical factors when analyzing cyber threats, attributing specific motives or affiliations solely based on these elements can be challenging.”
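The one concrete indicator the report names is the "PindOS" user-agent string. The following is an added example, not code from the article or from Deep Instinct, showing how a defender might sweep web-proxy logs for that string; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample proxy log (not from the article): timestamp, client IP,
# method, URL, HTTP status, then the User-Agent header in double quotes.
SAMPLE_LOG = """\
2023-06-22T10:01:05Z 10.0.0.12 GET http://example.test/update 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/114.0"
2023-06-22T10:01:09Z 10.0.0.12 GET http://example.test/stage2 200 "PindOS"
2023-06-22T10:02:41Z 10.0.0.33 GET http://example.test/index 200 "pindos"
2023-06-22T10:03:00Z 10.0.0.47 POST http://example.test/api 404 "curl/8.1.2"
"""

# One regex for the assumed line layout; the UA may contain spaces, so it is
# captured as everything between the quotes.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# The user-agent the article associates with the dropper. Matching is
# case-insensitive and by substring so a variant such as "PindOS/1.0" is caught.
SUSPICIOUS_UA = "pindos"


def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_pindos_requests(log_text):
    """Return the parsed records whose User-Agent contains the suspicious string."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines instead of aborting the sweep
        if SUSPICIOUS_UA in rec["ua"].lower():
            hits.append(rec)
    return hits


def hosts_to_triage(log_text):
    """Count flagged requests per source host so responders can prioritise."""
    return Counter(rec["src"] for rec in find_pindos_requests(log_text))
```

A user-agent string is trivial for an attacker to change, so treat a match as a reason to pull the endpoint's recent script execution and network activity, not as the only detection.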
Wars, conflicts and political policy will always have impacts on the cybersecurity landscape and how threat actors pick their targets, but nine times out of 10, the motivation behind these cyberattacks is primarily monetary, with political messages added in as an aside or a distraction, said Zane Bond, head of product at Keeper Security.
Bond said in the digital age, organizations should proactively protect against all forms of malware and cyberthreats.
“The targets of and political messages in these attacks further prove that cybersecurity is national security and must be prioritized as such,” said Bond. “Protecting critical infrastructure and the services that people rely on from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating.”