PindOS JavaScript Dropper Distributes Bumblebee and IcedID Malware


Deep Instinct specialists have described a new JavaScript dropper called PindOS (the name appears in the malware's own code and, judging by the slang, it is probably of Russian origin). The malware is used to deliver additional payloads to infected systems, namely Bumblebee and IcedID.

Figure: code of the dropper's PE

PindOS Dropper is Used to Deliver Bumblebee and IcedID

The researchers recall that Bumblebee and IcedID serve as downloaders, acting as an entry vector for other malware (including ransomware) onto compromised hosts. Notably, a recent Proofpoint report said that the IcedID developers had decided to abandon the banking-Trojan functionality the malware previously had in order to focus entirely on malware delivery.

"The campaigns used a variety of email attachments, such as Microsoft OneNote attachments, while URL attachments were quite rare, resulting in a forked variant of IcedID." (Proofpoint researchers)

In turn, Bumblebee replaced BazarLoader, which was previously associated with the activity of the now-defunct TrickBot and Conti hacker groups (for example, we reported on the Conti gang shutdown and on the UK and US government sanctions against TrickBot masters).

Deep Instinct researchers write that they found comments in Russian in the PindOS source code, and believe that this indicates the likely development of partnerships between various criminal groups.

"It is not yet clear if Bumblebee and IcedID carriers will use it. If the experiment proves successful for the operators of both of these malicious companions, PindOS could become a permanent tool in their arsenal and gain popularity among other attackers." (Deep Instinct analysts)

In general, the experts describe PindOS as a "surprisingly simple" downloader designed to fetch malicious executable files from a remote server. The malware uses two URLs, the second being a fallback in case the first fails to deliver the DLL payload. The downloaded DLLs are then launched using rundll32.exe.

Figure: examples of the command server calls performed by the PindOS dropper
"The extracted payload is generated pseudo-randomly, on-demand, which leads to the creation of a new hash each time the payload is retrieved." (the experts note)
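The two behavioural facts above (a script host handing a freshly downloaded DLL to rundll32.exe, and a payload whose hash changes on every download) are exactly what a defender can key on. The following Python is an added example, not Deep Instinct's or GridinSoft's code and not part of the original article: it triages a handful of constructed Sysmon-style process-creation events, flags the script-host-to-rundll32 chain when the DLL lives outside the Windows system directories, and shows why a hash blocklist alone misses the second sample. The field names, file paths and hash values are all assumptions made for the demo.

```python
"""Behavioural triage for script-host -> rundll32 process chains.

Added example (hypothetical field names and sample data). Detects the pattern
the article attributes to PindOS: wscript/cscript spawning rundll32.exe with a
DLL from a user-writable location, regardless of the DLL's hash.
"""
import re
from collections import namedtuple

# Assumption: these are the hosts a .js dropper normally runs under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# OS DLLs launched from these directories are treated as lower-risk noise.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 accepts  "<path>.dll",<export>  or  <path>.dll <export>
DLL_ARG = re.compile(
    r'"?(?P<dll>[^"\s]+\.dll)"?\s*(?:,\s*|\s+)(?P<export>\S+)', re.IGNORECASE
)

Event = namedtuple("Event", "parent image cmdline sha256")

# Constructed sample telemetry (not real IoCs). Hashes are placeholders; the two
# Temp DLLs have different hashes to mimic the per-download regeneration.
SAMPLE_EVENTS = [
    Event("explorer.exe", "wscript.exe",
          'wscript.exe "C:\\Users\\u\\Downloads\\invoice.js"', "aaaa"),
    Event("wscript.exe", "rundll32.exe",
          'rundll32.exe "C:\\Users\\u\\AppData\\Local\\Temp\\a1.dll",DllRegisterServer', "1111"),
    Event("wscript.exe", "rundll32.exe",
          'rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\b2.dll Start', "2222"),
    Event("wscript.exe", "rundll32.exe",
          'rundll32.exe C:\\Windows\\System32\\url.dll,FileProtocolHandler', "5555"),
    Event("explorer.exe", "rundll32.exe",
          'rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL', "3333"),
]


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = DLL_ARG.search(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("export")


def is_suspicious_chain(ev):
    """True when a script host launches rundll32 on a DLL outside system dirs."""
    if ev.image.lower() != "rundll32.exe" or ev.parent.lower() not in SCRIPT_HOSTS:
        return False
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        # rundll32 from a script host with no recognisable DLL is still odd.
        return True
    dll, _export = parsed
    return not dll.lower().startswith(SYSTEM_DIRS)


def triage(events):
    """Collect findings for every event that matches the behavioural rule."""
    findings = []
    for ev in events:
        if is_suspicious_chain(ev):
            dll, export = parse_rundll32(ev.cmdline) or (None, None)
            findings.append({"parent": ev.parent, "dll": dll,
                             "export": export, "sha256": ev.sha256})
    return findings


def hash_blocklist_hits(events, blocklist):
    """What a pure hash-based control would catch: only hashes seen before."""
    return [ev.sha256 for ev in events if ev.sha256 in blocklist]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("ALERT script host -> rundll32:", f)
    # Knowing the first payload's hash does nothing for the regenerated second one.
    print("hash blocklist caught:", hash_blocklist_hits(SAMPLE_EVENTS, {"1111"}))
```

The behavioural rule fires on both Temp-directory DLLs even though their hashes differ, while the blocklist seeded with the first hash catches only one of them; the System32 DLL launched by the same script host is deliberately left out of the findings to keep the rule quiet on legitimate OS use.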

By Vladimir Krasnogolovy
