
DePriMon

Posted: November 22, 2019

DePriMon is a Trojan downloader that installs threats associated with the Longhorn or Lamberts threat actor. Their attacks typically involve sophisticated means of establishing backdoors for collecting information from business and government networks. Users should have updated anti-malware programs on hand for deleting DePriMon, which uses advanced methods of evading casual detection attempts.

Nothing to See Here Except a Default Printer Utility

Often at the forefront of Trojan espionage innovation, the threat actor referred to as either the Lamberts or Longhorn is once again showing creativity in its cyber-spying campaigns. A recently confirmed deliverer of backdoor Trojans and related utilities is part of some of the group's last-analyzed attacks, with malware experts confirming targets in multiple regions of the world. Although DePriMon is a standard-purpose Trojan downloader, it leverages special techniques for getting to the point of downloading anything.

DePriMon's name comes from its Registry entry's disguised name of 'Windows Default Print Monitor,' which also points to one of its more novel characteristics. The Trojan uses a corrupted port monitor registration, with admin rights that it acquires through spoolsv.exe (the Windows Print Spooler). This method of achieving persistence is highly unusual, especially for Trojan downloaders, which typically show limited sophistication or creativity in their code.
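One defensive check that this persistence method suggests, added here as an example rather than code from the write-up or from any vendor: enumerate the print port monitors registered in the Windows Registry and flag any whose name or DLL is not on an allowlist of the built-in monitors, since a loader registered as a port monitor has to appear there for spoolsv.exe to pick it up. The script is Python, reads HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors on a Windows host, and its allowlist and reason strings are assumptions of the example that you should extend with the legitimate monitors your printer drivers install.

```python
import re

# Windows' built-in port monitors and the DLL each is expected to name.
# Constructed allowlist; extend it with monitors your printer drivers install.
KNOWN_MONITORS = {
    "Appmon": "appmon.dll",
    "Local Port": "localspl.dll",
    "Microsoft Shared Fax Monitor": "fxsmon.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
    "WSD Port": "wsdmon.dll",
}

def audit_port_monitors(monitors):
    """Return (monitor, driver, reason) for every entry that deserves a look.
    `monitors` maps monitor name -> Driver value under
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors."""
    findings = []
    for name, driver in monitors.items():
        drv = (driver or "").strip().lower()
        expected = KNOWN_MONITORS.get(name)
        if not drv:
            findings.append((name, driver, "missing Driver value"))
        elif expected is None:
            findings.append((name, driver, "monitor name not in allowlist"))
        elif re.search(r"[\\/]", drv) or not drv.endswith(".dll"):
            # Built-in monitors use a bare DLL name resolved under System32.
            findings.append((name, driver, "driver is a path or not a DLL"))
        elif drv != expected:
            findings.append((name, driver, f"expected {expected}"))
    return findings

def read_port_monitors():
    """Read the Monitors key on a live Windows host; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    path = r"SYSTEM\CurrentControlSet\Control\Print\Monitors"
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    result[name] = winreg.QueryValueEx(sub, "Driver")[0]
                except FileNotFoundError:
                    result[name] = ""  # subkey without a Driver value
    return result
```

Run `audit_port_monitors(read_port_monitors())` on the host; an empty list means every registered monitor matched the allowlist, and anything else is worth comparing against a known-good machine.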

DePriMon puts just as much effort into its evasion techniques. It decrypts and re-encrypts relevant configuration data every time it requests it, and it uses reflective DLL loading so that it never writes itself onto the disk as a visible file or program. After performing all this work, its payload is installing threats from the Lambert family: a group of equally advanced Trojans that sniff network data and provide command-based backdoors into infected systems.

Stopping Your Business from Printing Out Problems

Some of DePriMon's tactics are never-before-seen inclusions in a Trojan downloader, but the consequences of infections are not especially unusual. Attackers can gain control over networks for collecting information, accessing users' accounts, and making miscellaneous changes to files and settings. Previous campaigns by the Lambert threat actor also imply the possibility of state sponsorship, with all the expected inclinations towards espionage.

Since DePriMon never resides on the disk and produces no symptoms, workers should not assume that they can identify it on sight. Users should emphasize updating software as an effective defense, since many attacks involving DePriMon prefer exploits for out-of-date programs, such as executing code through a Windows server kernel-mode driver's failure at parsing a TrueType font. Unfortunately, the use of zero-day, and therefore not yet patched, vulnerabilities is also a possibility.

Appropriately up-to-date anti-malware tools may identify and remove DePriMon, as well as threats associated with it, such as the many variants of the Lambert backdoor Trojans.

DePriMon is an exceptional specimen of its kind, with clever ruses for evading both automatic and personal detection. While it can lay claim to being the first Trojan downloader with a printer-based persistence methodology, copycats of DePriMon will probably follow in short order.
