RobotDropper Automates the Delivery of Multiple Infostealers

Nov. 26, 2024, 9:38 p.m.

Description

A phishing campaign is distributing Trojanized MSI files that use DLL sideloading to execute LegionLoader, a malicious program that delivers multiple infostealers. The campaign is widespread, with over 400 unique malicious MSI files identified since June 2024. Victims are targeted globally through links from .monster domains forwarded to cloud providers. The attack chain involves downloading a ZIP file containing a malicious MSI, which retrieves a password from a C2 server to unpack a RAR file and extract a malicious DLL. LegionLoader then downloads various infostealers and communicates with multiple domains. The infrastructure heavily utilizes Cloudflare, making tracing difficult. Mitigation involves sourcing software from legitimate sources, keeping systems updated, and using reputable antivirus software.

External References

https://blogs.blackberry.com/en/2024/11/robotdropper-automates-delivery-of-multiple-infostealers
https://otx.alienvault.com/pulse/67463ca7f16a3a79166f6029
Tags
phishing
infostealer
dll sideloading
2024-11-26
legionloader
robotdropper

Date

  • Created: Nov. 26, 2024, 9:24 p.m.
  • Published: Nov. 26, 2024, 9:24 p.m.
  • Modified: Nov. 26, 2024, 9:38 p.m.

Indicators

  • cybercrime_robotdropper_msi
  • a970226823fe040895e40b04bfc56b871c0450c2107594f42109f46f48b5e972
  • 0a0c09753b5103e86e32c2d8086dd1399f0d97a00e1525ec9c390067cdb242ba
  • 14b6f5c640c73cdd99e5834e7a56ab3d2912abe623bf5e41946154dad69e5f26
  • 2cc19691e4cd643377a2553ff665799c66b3aff324ac544e9a9d8c4cb623ae94
Download all indicators here!

Attack Patterns

  • Rilide Stealer
  • LummaStealer
  • LegionLoader
  • Raccoon
  • Stealc
  • Rhadamanthys