Today > | 7 High | 24 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

RobotDropper Automates the Delivery of Multiple Infostealers

Nov. 26, 2024, 9:38 p.m.

Description

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through links from .monster domains forwarded to cloud providers. The attack chain involves downloading a ZIP file containing a malicious MSI, which retrieves a password from a C2 server to unpack a RAR file and extract a malicious DLL. LegionLoader then downloads various infostealers and communicates with multiple domains. The infrastructure heavily utilizes Cloudflare, making tracing difficult. Mitigation involves sourcing software from legitimate sources, keeping systems updated, and using reputable antivirus software.

Date

Published: Nov. 26, 2024, 9:24 p.m.

Created: Nov. 26, 2024, 9:24 p.m.

Modified: Nov. 26, 2024, 9:38 p.m.

Indicators

cybercrime_robotdropper_msi

a970226823fe040895e40b04bfc56b871c0450c2107594f42109f46f48b5e972

0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba

14b6f5c640c73cdd99e5834e7a56ab3d2912abe623bf5e41946154dad69e5f26

2cc19691e4cd643377a2553ff665799c66b3aff324ac544e9a9d8c4cb623ae94

Attack Patterns

Rilide Stealer

LummaStealer

LegionLoader

Raccoon

Stealc

Rhadamanthys

T1574.002

T1218.007

T1059.001

T1071.001

T1036.005

T1140

T1566