Symantec tracks a new loader called Verblecon (Trojan.Verblecon) used in low-reward attacks to install cryptocurrency miners and potentially steal Discord access tokens, with greater danger if leveraged in ransomware or espionage. First spotted in January 2022, Verblecon is a server-side polymorphic JAR that is heavily obfuscated and includes anti-analysis checks before deployment.
Hashtags: #Verblecon #Discord #CryptocurrencyMining
Keypoints
- Verblecon is a server-side polymorphic JAR loader used in crypto-mining campaigns and possibly Discord token theft.
- The samples are fully obfuscated, suggesting strong evasion and anti-analysis factors.
- It requires command-line arguments to execute and is launched via Java (javaw.exe -jar …).
- It performs extensive anti-analysis checks to detect debuggers, virtualization, and sandbox environments.
- It enumerates processes, checks for virtualization tools/files, and queries the registry as part of environment discovery.
- On success, it copies itself to multiple locations and creates a persistence loadpoint (macOS Launch Agents or Windows Scheduled Tasks).
- It periodically connects to two C2 domains, including a domain generated by a DGA method.
MITRE Techniques
- [T1059.007] Java – The loader is executed via the Java runtime (javaw.exe -jar payload). Quote: “"CSIDL_SYSTEM_DRIVE\program files\java\jre1.8.0_301\bin\javaw.exe" -jar "CSIDL_PROFILE\appdata\local\temp\rpvbh.jar" masonkhonsari”
- [T1027] Obfuscated/Compressed Files or Information – The samples analyzed by Symantec were fully obfuscated, in the code flow, strings, and symbols. Quote: “The samples analyzed by Symantec were fully obfuscated, in the code flow, strings, and symbols.”
- [T1497.001] Virtualization/Sandbox Evasion – Anti-analysis checks for virtualization/sandbox environments. Quote: “Next, it attempts to detect if it is being opened in a virtual or sandbox environment, which would indicate it is likely being opened on a security researcher’s machine.”
- [T1012] Registry – Registry query checks are performed. Quote: “reg query "HKU\S-1-5-19"”
- [T1057] Process Discovery – The malware lists running processes (tasklist). Quote: “Following those checks, it executes the following command to obtain a list of running processes: tasklist.exe /fo csv /nh”
- [T1083] File and Directory Discovery – It checks for a large set of VM/VMware/VirtualBox related files and directories. Quote: “It also checks for the following files: …VBoxGuest.sys …VBoxVideo.sys …VBoxTray.exe”
- [T1547.001] Launch Agents – On macOS, it may create a Launch Agent as a loadpoint. Quote: “and then create one of the following files to use as a loadpoint: "%HOMEPATH%/Library/LaunchAgents/[INFECTION_ID].plist"”
- [T1053.005] Scheduled Task – Windows persistence via a loadpoint. Quote: “And then create one of the following files to use as a loadpoint: "%Windows%\System32\Tasks\[INFECTION_ID]"”
- [T1568.002] Domain Generation Algorithms – DGA used to generate C2 domains. Quote: “[DGA_NAME] is apparently generated using the following method:”
- [T1071.001] Web Protocols – C2 communications over web protocols to reach C2 domains. Quote: “periodically attempts to connect to the following URLs: hxxps://gaymers[.]ax/ and hxxp://[DGA_NAME][.]tk/”
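The launch and discovery behaviour listed above (javaw.exe -jar run from a temp directory with a required trailing argument, then tasklist.exe /fo csv /nh and reg query HKU\S-1-5-19 spawned from that process) can be hunted for in process-creation telemetry. The script below is an added example written for this summary, not code from Symantec's report. It assumes a constructed event schema (pid, ppid, image, cmdline, the fields Sysmon Event ID 1 or an EDR would give you) and the sample events, including the C:\Users\alice path, are constructed, not observed.

```python
"""Flag Verblecon-like java launches and their discovery children in
constructed process-creation telemetry (added example, not Symantec's code)."""
import re
from collections import defaultdict

# Quoted-token or whitespace-separated token; keeps Windows paths intact.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# Directories the report shows the jar being run from (lower-cased substrings).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Child commands the report attributes to the loader's environment discovery.
DISCOVERY_CMDS = {
    "tasklist": re.compile(r"^tasklist(\.exe)?\s+/fo\s+csv\s+/nh\s*$", re.I),
    "reg-query": re.compile(r'^reg(\.exe)?\s+query\s+"?HKU\\S-1-5-19"?\s*$', re.I),
}
JAVA_IMAGES = ("javaw.exe", "java.exe", "javaw", "java")

# Constructed sample events (not real telemetry). pid 2 mirrors the launch
# quoted in the report; pid 5 is a benign jar launched from Program Files.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar '
                r'"C:\Users\alice\AppData\Local\Temp\rpvbh.jar" masonkhonsari'},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\tasklist.exe",
     "cmdline": "tasklist.exe /fo csv /nh"},
    {"pid": 4, "ppid": 2, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg query "HKU\\S-1-5-19"'},
    {"pid": 5, "ppid": 1, "image": r"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_301\bin\javaw.exe" -jar '
                r'"C:\Program Files\App\app.jar"'},
]


def tokenize(cmdline):
    """Split a command line into tokens with surrounding quotes removed."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def java_jar_findings(cmdline):
    """Return the reasons a java/javaw command line resembles the loader's launch."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in JAVA_IMAGES:
        return []
    if "-jar" not in toks:
        return []
    i = toks.index("-jar")
    if i + 1 >= len(toks):
        return []
    jar = toks[i + 1].lower()
    findings = []
    if any(d in jar for d in TEMP_DIRS):
        findings.append("jar-from-temp")
    # The loader will not run without an argument; on its own this is a weak
    # signal (many benign jars take arguments), so it only adds to a score.
    if len(toks) > i + 2:
        findings.append("trailing-argument")
    return findings


def analyze(events):
    """Map pid -> findings, combining the launch with its discovery children."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["ppid"]].append(ev)
    results = {}
    for ev in events:
        findings = java_jar_findings(ev["cmdline"])
        if not findings:
            continue
        for child in by_parent[ev["pid"]]:
            for name, pat in DISCOVERY_CMDS.items():
                if pat.match(child["cmdline"]):
                    findings.append("child:" + name)
        results[ev["pid"]] = findings
    return results


if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        print(pid, findings)
```

Only the combination is interesting: a jar under Temp with a trailing argument that then enumerates processes and queries HKU\S-1-5-19 is worth an alert, while each piece alone is common in benign Java software.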
Indicators of Compromise
- [Domain] gaymers.ax – C2 domain contacted by the loader for commands and updates. – gaymers.ax
- [Domain] [DGA_NAME].tk – DGA-generated domain used for fallback/C2. – [DGA_NAME].tk
- [File] %ProgramData%\[INFECTION_ID]\[INFECTION_ID].jar – Infected loader copy location. – example
- [File] %ALL_USERS_HOME%\[INFECTION_ID]\[INFECTION_ID].jar – Infected loader copy location. – example
- [File] %LOCALAPPDATA%\[INFECTION_ID]\[INFECTION_ID].jar – Infected loader copy location. – example
- [User] WDAGUtilityAccount – potential sandbox/VM check target user. – WDAGUtilityAccount
- [User] hal-* – potential sandbox/VM check target users. – hal-*
- [Registry] HKU\S-1-5-19 – registry query performed as part of checks. – HKU\S-1-5-19
- [File] windanr.exe – example file checked in environment discovery. – windanr.exe
- [File] VBoxMouse.sys, VBoxGuest.sys, VBoxVideo.sys, VBoxDisp.dll – VirtualBox-related drivers/files checked. – VBoxMouse.sys, VBoxGuest.sys
- [File] Desktop\moutonheart.wav – potential artifact discovered via user home path. – Desktop\moutonheart.wav
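The copy locations and loadpoints above share a structure that is more useful for hunting than any single path: the loader copies itself to a directory named after the infection ID, as [ID]\[ID].jar, and registers a scheduled task or Launch Agent carrying the same ID. The script below is an added example for this summary, not Symantec's code. It assumes the default expansions of %ProgramData% (C:\ProgramData) and %LOCALAPPDATA% (C:\Users\<user>\AppData\Local), leaves %ALL_USERS_HOME% out because its expansion is not given on the page, and uses constructed sample paths and IDs.

```python
"""Correlate file-path telemetry against the self-named copy and loadpoint
patterns described for Verblecon (added example, not Symantec's code)."""
import re
from collections import defaultdict

# %ProgramData%\[ID]\[ID].jar and %LOCALAPPDATA%\[ID]\[ID].jar: the directory
# name must equal the jar's stem, which the (?P=id) backreference enforces.
WIN_COPY = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata\\local)\\(?P<id>[^\\]+)\\(?P=id)\.jar$",
    re.I)
# %Windows%\System32\Tasks\[ID]: every scheduled task lives here, so a hit
# is only meaningful together with a matching copy.
WIN_TASK = re.compile(r"^[a-z]:\\windows\\system32\\tasks\\(?P<id>[^\\]+)$", re.I)
# %HOMEPATH%/Library/LaunchAgents/[ID].plist on macOS.
MAC_AGENT = re.compile(r"^/users/[^/]+/library/launchagents/(?P<id>[^/]+)\.plist$", re.I)

LOADPOINT_KINDS = {"task", "launchagent"}

# Constructed sample paths; "k8f2q1" and "zx91ab" are made-up infection IDs.
SAMPLE_PATHS = [
    r"C:\ProgramData\k8f2q1\k8f2q1.jar",
    r"C:\Users\alice\AppData\Local\k8f2q1\k8f2q1.jar",
    r"C:\Windows\System32\Tasks\k8f2q1",
    r"C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCore",  # benign task
    r"C:\ProgramData\Vendor\vendor-agent.jar",  # directory and jar names differ
    "/Users/bob/Library/LaunchAgents/zx91ab.plist",  # loadpoint with no copy seen
]


def classify(path):
    """Return (kind, infection_id) when a path fits one of the patterns, else None."""
    for kind, pat in (("copy", WIN_COPY), ("task", WIN_TASK), ("launchagent", MAC_AGENT)):
        m = pat.match(path)
        if m:
            return kind, m.group("id")
    return None


def correlate(paths):
    """IDs seen both as a self-named jar copy and as a loadpoint, with their kinds."""
    kinds_by_id = defaultdict(set)
    for p in paths:
        hit = classify(p)
        if hit:
            kinds_by_id[hit[1]].add(hit[0])
    return {i: sorted(k) for i, k in kinds_by_id.items()
            if "copy" in k and k & LOADPOINT_KINDS}


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{str(classify(p)):32} {p}")
    print("correlated:", correlate(SAMPLE_PATHS))
```

On a real estate the loadpoint-only hits (the benign Edge task, the lone Launch Agent) are the noise this correlation is meant to discard; a plist or task whose name matches a freshly written [ID]\[ID].jar is the signal, and the jar's contents, not its name, should be what a responder pulls next.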