An unidentified threat actor has been observed employing a “complex and powerful” malware loader with the ultimate objective of deploying cryptocurrency miners on compromised systems and potentially facilitating the theft of Discord tokens.
“The evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining software on victim machines,” researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report shared with The Hacker News.
“This would appear to be a relatively low-reward goal for the attacker given the level of effort that would have been required to develop this sophisticated malware.”
The sophisticated malware, dubbed Verblecon, is said to have been first spotted in January 2021, with the payload incorporating polymorphic qualities to evade signature-based detections by security software.
In addition, the loader carries out further anti-analysis checks to determine if it’s currently being debugged or opened in a virtual or sandboxed environment, before proceeding to copy itself into the machine and connecting to a remote server to retrieve an encrypted blob that contains a URL, which is then used to fetch miner payloads.
“The activity we have seen carried out using this sophisticated loader indicates that it is being wielded by an individual who may not realize the capabilities of the malware they are using,” the researchers pointed out.
“However, if it fell into the hands of a more sophisticated actor the potential is there for this loader to be used for more serious attacks, including potentially ransomware and espionage campaigns.”