ESET discovers malware using a novel installation technique previously unseen in the wild

ESET researchers have discovered a new downloader with several stages and many nontraditional techniques that registers itself as a default print monitor. They named it DePriMon.

ESET researchers, investigating a cyberattack with targets in the Middle East, discovered a technically interesting downloader. Among many of its nontraditional techniques, one stands out: The malware registers a new local port monitor under the name “Default Print Monitor.”

This earned the downloader the name DePriMon. Due to DePriMon’s complexity and modular architecture, ESET researchers consider it a framework.

According to ESET telemetry, the DePriMon malware has been active since at least March 2017. It was detected in a private company based in Central Europe, and on dozens of computers in the Middle East. In a few cases, DePriMon was detected along with the ColoredLambert malware, which is known to be used by the Lamberts cyberespionage group (also known as Longhorn) and linked to the Vault 7 leak.

ESET researchers find DePriMon to be an unusually advanced downloader whose developers put extra effort into setting up its architecture and crafting the critical components. Thus, it deserves attention beyond its targets’ limited geographical distribution and possible relation to an infamous cyberespionage group.

DePriMon is downloaded to memory and executed directly from there as a DLL file using the reflective DLL-loading technique; it is never stored on the disk. It has a surprisingly extensive configuration file with interesting elements, its encryption is properly implemented, and it protects its C&C communication effectively. As a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.

To help defenders stay safe from this threat, ESET researchers have thoroughly analyzed this newly discovered malware, focusing on its installation technique, which has been categorized in the MITRE ATTACK knowledgebase as “Port Monitors,” under both Persistence and Privilege Escalation tactics.

As the MITRE ATT&CK knowledgebase doesn’t list any real-world example of this technique, ESET researchers believe that DePriMon is the first example of the “Port Monitors” technique ever publicly described.