Off the Beaten Path: Recent Unusual Malware

March 14, 2025, 7:29 p.m.

Description

This article examines three unique malware samples discovered in the past year. The first is a passive IIS backdoor written in C++/CLI, an uncommon language for malware. It has extensive functionality and appears professionally developed, possibly for targeted attacks. The second is a bootkit that installs a customized GRUB 2 bootloader to play Dixie through the PC speaker on boot. While sharing some characteristics with Equation Group malware, it's likely unrelated. The third is a new cross-platform post-exploitation framework called ProjectGeass, still in development. It has features like file management, keylogging, and payload execution. These samples demonstrate novel techniques being used by malware authors.

Date

  • Created: March 14, 2025, 4:37 p.m.
  • Published: March 14, 2025, 4:37 p.m.
  • Modified: March 14, 2025, 7:29 p.m.

Indicators

  • cca5df85920dd2bdaaa2abc152383c9a1391a3e1c4217382a9b0fce5a83d6e0b
  • aa2d46665ea230e856689c614edcd9d932d9edad0083bf89c903299d148634a2
  • a28d0550524996ca63f26cb19f4b4d82019a1be24490343e9b916d2750162cda
  • 950243a133db44e93b764e03c8d06b99310686d010b52b67f4effa57f0d72e04
  • 94017628658035206820723763a2a698a4fd7be98fc2c541aad6aa0281ef090e
  • 8571a354b5cdd9ec3735b84fa207e72c7aea1ab82ea2e4ffea1373335b3e88f4
  • 15db49717a9e9c1e26f5b1745870b028e0133d430ec14d52884cec28ccd3c8ab
  • 01d51df682136cce453bb1da8964073e6bc7297ce4dae7301c753bb618a69469
  • ipv4.renfei.net
  • olemiss.edu
  • dixie.play

Attack Patterns

  • ProjectGeass
  • Dixie-Playing Bootkit
  • C++/CLI IIS Backdoor

Additional Information

  • Singapore
  • Thailand