DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities

MITRE Techniques

• [T1566 ] Phishing / drive-by – Delivery via deceptive ZIP archive and malicious installer masquerading as legitimate software: ‘delivered as a ZIP archive containing PE files… disguising itself as legitimate software.’
• [T1189 ] Drive-by Compromise – Use of malicious installer in a seemingly benign download package: ‘delivered as the fake document reader update package.’
• [T1204 ] User Execution – Requires user to run the installer/ZIP contents: ‘masquerading as the legitimate software to trick users into execution.’
• [T1059 ] Command and Scripting Interpreter – Uses msiexec.exe custom actions to execute embedded malicious payloads: ‘msiexec.exe triggers its custom action, which copies and executes Jc6716jK… as Grid-Electr.exe.’
• [T1053.005 ] Scheduled Task – Persistence via creation of scheduled tasks like zceWriter, dyApp, Pluginsecurity_dbg: ‘creates and writes to the zceWriter.job file in the C:WindowsTasks directory.’
• [T1036 ] Masquerading – Uses legitimate Adobe installer and signed binaries as decoys: ‘drops Reader_en_install.exe… the legitimate Adobe Acrobat Reader installer… used as a deception.’
• [T1070.004 ] Signed Binary Proxy Execution – Uses signed executables and DLLs (stolen certificates) to run malicious code: ‘signed with a valid digital certificate that appears to have been stolen from the issuing organization.’
• [T1027 ] Obfuscated Files or Information – Contains obfuscated files (Reasqueer.efi, Clortkead.ze) and obfuscated scheduled task content: ‘Reasqueer.efi and Clortkead.ze contain obfuscated content… The content of the zceWriter.job file is obfuscated.’
• [T1014 ] Rootkit – Rootkit-like behavior hides payloads in memory (C6E653E.tmp) to evade user-mode tools: ‘hidden by the user-level process and cannot be accessed using standard user-mode tools… indicates rootkit-like capabilities.’
• [T1497 ] Virtualization/Sandbox Evasion – Uses checks/techniques to avoid analysis environments (noted as sandbox evasion techniques in behavior): ‘Virtualization/Sandbox Evasion’ listed among evasion methods.
• [T1082 ] System Information Discovery – Collects system and installed software information for reconnaissance: ‘steals system info… installed software.’
• [T1087.001 ] Account Discovery – Gathers local account information as part of collection: ‘Local Account’ listed under discovery techniques.
• [T1217 ] Browser Credential Discovery – Harvests browser data and credentials: ‘web browser data’ targeted for theft.
• [T1673 ] Virtual Machine Discovery – Performs VM checks to evade sandbox/analysis: ‘Virtual Machine Discovery’ included in discovery techniques.
• [T1005 ] Data from Local System – Collects local files and artifacts such as Office files, media, OneDrive: ‘Steals… Office files, OneDrive…’
• [T1056 ] Input Capture – Captures input or credentials from applications and services: ‘Input Capture’ listed under collection techniques.
• [T1041 ] Exfiltration Over C2 Channel – Exfiltrates harvested data to C2 domains like telluricaphelion[.]com: ‘harvested data is subsequently exfiltrated to the C2 server at telluricaphelion[.]com.’
• [T1001 ] Data Obfuscation – Uses obfuscation/encryption when communicating or storing data to evade inspection: ‘Data obfuscation’ cited as an adaptive technique for C2 and payloads.
• [T1548.002 ] Bypass User Account Control – UAC bypass via auto-elevated COM object (ICMLuaUtil) to run elevated processes without prompt: ‘leveraged a trusted, auto-elevated COM object (ICMLuaUtil) via DllHost.exe to execute Reader_en_install.exe without triggering a User Account Control (UAC) prompt.’