NeedleDropper – Avast Threat Labs

NeedleDropper is a multi-file dropper observed since October 2022 that uses a self-extracting archive to deliver and execute payloads, hiding its activity with junk data and leveraging legitimate applications. It is sold as a service on hacking forums; Avast and AVG have blocked over 30,000 attack attempts against their customers. #NeedleDropper #Avast #AVG #Discord #OneDrive #CVE2017_11882

Keypoints

  • NeedleDropper is a multi-file dropper active since Oct 2022, distributed as a service on hacking forums and used to conceal final payloads.
  • It relies on a self-extracting archive containing a modified AutoIt interpreter, obfuscated AutoIt script, and Visual Basic script for initial execution.
  • The dropper extracts to a newly created directory in the user’s Temp folder and hides its SFX commands among junk text lines, relying on the SFX archive to ignore the invalid ones.
  • Configuration is stored in an INI file with decoy lines; key values control final payload decryption, persistence, anti-analysis, and execution flow.
  • Persistence is implemented via the Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run), with the location chosen according to the current user’s privileges.
  • The infection chain often starts with spam email attachments (encrypted 7z or Excel documents) or links from Discord/OneDrive, delivering the dropper to victims.
  • Payload decryption uses CryptoAPI with an MD5-derived key; the decrypted payload is injected into RegSvcs.exe via WriteProcessMemory after the process is spawned in a suspended state.
  • Avast/AVG observed and blocked over 30,000 NeedleDropper attack attempts across customers.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The malware uses a VBS script and a modified AutoIt interpreter for initial execution. “The initial VBS script contains multiple lines of comments… The script launches a modified AutoIt interpreter with an LXA file as an argument.”
  • [T1027] Obfuscated/Compressed Files and Information – Code is hidden inside a large number of unused text lines and SFX commands are embedded in the payload, with invalid strings ignored. “The snippet below shows SFX commands (lines 4, 8, 12, 16) being hidden inside the unused text; invalid command strings will be ignored and only the valid commands will be executed by an SFX archive.”
  • [T1547.001] Registry Run Keys/Startup Folder – The malware persists by registering under the Run key: “StartUps – if not empty, malware will register NeedleDropper’s persistence under SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key based on the current user’s privileges.”
  • [T1055.012] Process Injection – The payload is injected into RegSvcs.exe using WriteProcessMemory after spawning it in a suspended state. “The malware uses CryptoAPI to decrypt the final payload… spawns RegSvcs.exe in a suspended state and injects the payload via WriteProcessMemory, and resumes the suspended process…”
  • [T1566.001] Phishing: Attachment – Delivery is primarily via spam email attachments, often encrypted 7z files or as part of a larger infection chain starting with an Excel document. “The dropper is primarily delivered via spam email attachments… encrypted 7z file, or is part of a bigger infection chain starting with an Excel document.”
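The three observable stages listed above (interpreter launched from a fresh Temp directory with an LXA argument, Run-key persistence pointing into Temp, and RegSvcs.exe spawned by a non-system parent) can be turned into simple endpoint detections. The script below is an added example written for this summary, not Avast's code: it runs three rules over constructed process-creation and registry events in a pipe-separated format; the paths, file names and Temp subdirectory are placeholders, and only the `.lxa` extension, the Run key and RegSvcs.exe come from the report.

```python
import re

# Constructed sample telemetry for this example (not from the Avast report). One event per
# line, '|'-separated: type, image, parent image, command line or registry target, registry data.
SAMPLE_EVENTS = r"""
proc|C:\Users\bob\AppData\Local\Temp\tmp8f3a\app.exe|C:\Windows\System32\wscript.exe|app.exe script.lxa|
proc|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe|C:\Users\bob\AppData\Local\Temp\tmp8f3a\app.exe|RegSvcs.exe|
reg|C:\Users\bob\AppData\Local\Temp\tmp8f3a\app.exe||HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\app|C:\Users\bob\AppData\Local\Temp\tmp8f3a\app.exe
proc|C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe|RegSvcs.exe /u lib.dll|
reg|C:\Program Files\Vendor\setup.exe||HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor|C:\Program Files\Vendor\agent.exe
""".strip()

TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"^HK(CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def parse_events(text):
    """Split the pipe-separated telemetry into dicts (placeholder format, not a real log schema)."""
    events = []
    for line in text.splitlines():
        kind, image, parent, target, data = line.split("|", 4)
        events.append({"kind": kind, "image": image, "parent": parent, "target": target, "data": data})
    return events


def detect(events):
    """Return (technique, event_index) hits for the three NeedleDropper stages, in event order."""
    hits = []
    for i, ev in enumerate(events):
        if ev["kind"] == "proc":
            # Stage 1 (T1059): a binary running from a Temp subdirectory with an .lxa argument.
            if TEMP_DIR.search(ev["image"]) and re.search(r"\.lxa\b", ev["target"], re.I):
                hits.append(("T1059", i))
            # Stage 3 (T1055.012): RegSvcs.exe whose parent lives outside C:\Windows.
            if ev["image"].lower().endswith("\\regsvcs.exe") and not ev["parent"].lower().startswith("c:\\windows\\"):
                hits.append(("T1055.012", i))
        elif ev["kind"] == "reg":
            # Stage 2 (T1547.001): a Run-key value in HKCU or HKLM pointing into the Temp folder.
            if RUN_KEY.match(ev["target"]) and TEMP_DIR.search(ev["data"]):
                hits.append(("T1547.001", i))
    return hits


if __name__ == "__main__":
    for technique, idx in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{technique}: event {idx}")
```

The legitimate MSBuild-spawned RegSvcs.exe and the HKLM Run value pointing into Program Files produce no hits, which is the false-positive control the three rules need.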

Indicators of Compromise

  • [SHA256] NeedleDropper binaries – 660eb5f2811753c24ecbd5c0e08c68d83d7eca1b2827ed90e2a5189ed61f3a5b, f7e52f120ab257e0d8e5021077b3370876be16469b76b6e0b6916486b3977bb3, 06b02574925948a3f418ba2851f10585086a5f9b25d8f4e7de62dd52c6a56153, e53e5e07b3165f507046c5992049a816bdd98969f10cc97a3d2bd010aea30b42, 1b26f3213c07819cd61ed5e10b009ae5862cade4a3a403dcc6f6310485f6306b
  • [SHA256] Configuration file and related artifacts – 1d3078201c04bebc6595a2cc874530f1c2a5ff7201db4c8e43660808563c5a63, dd7acb0d5e05d581148b614816f5450690f3fcc8ba4b3f00b5db1f3684570053, 8713d873a8f4179a4079ea46a6ae45a538dc2f07cf7b09f28adc25eec45dc873
  • [SHA256] Spam email indicator – 01534a0f3e104b7cbafeeeaac3a0f0bf9d01e017c8a63964d81d0a30baee2916

Read more: https://decoded.avast.io/threatresearch/needledropper/