An unknown threat actor has been observed using a “complex, powerful” malware loader to deploy cryptocurrency miners onto compromised systems. The same loader could potentially also be used to facilitate the theft of Discord tokens.
“The evidence found on victim networks appears to indicate that the goal of the attacker was to install cryptocurrency mining software on victim machines,” researchers from the Symantec Threat Hunter Team, part of Broadcom Software, said in a report shared with The Hacker News.
“This would seem to be an attractive goal to the attacker considering the amount of work required to create this advanced malware.”
The sophisticated malware, dubbed Verblecon, is said to have been first spotted in January 2021, with the payload incorporating polymorphic qualities to evade signature-based detection by security software.
The loader also performs anti-analysis checks to determine whether it is being debugged or is running inside a virtual machine or sandbox, and only then copies itself to the machine. Next, it connects to remote servers to obtain an encrypted blob containing a URL, from which the miner payload is retrieved.
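The behaviour described above (self-copy, then an outbound fetch, then a miner process) is a sequence a detection engineer can look for in endpoint telemetry. The following is an added example, not Symantec's analysis or any Verblecon code: it runs a simple ordered-stage heuristic over constructed process events in an invented one-JSON-object-per-line format (fields `ts`, `pid`, `ppid`, `event`, `image`, `cmdline`, `path`, `copy_of`, `dst`), and the miner command-line markers it uses are generic XMRig-style arguments assumed for illustration, not indicators published for this campaign.

```python
"""Ordered-stage heuristic for a self-copying loader that fetches and runs a miner.

Added example with a constructed telemetry format; not Symantec's or Verblecon's code.
"""
import json
from collections import defaultdict

# Assumption: generic miner command-line markers (XMRig-style), not campaign IOCs.
MINER_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level", "xmrig")

# Constructed sample telemetry: one benign installer (pid 100) and one process
# (pid 200) that follows the loader sequence described in the article.
SAMPLE_EVENTS = [
    '{"ts": 1, "pid": 100, "ppid": 1, "event": "process_start", "image": "C:\\\\Temp\\\\installer.exe", "cmdline": "installer.exe /quiet"}',
    '{"ts": 2, "pid": 100, "event": "file_write", "path": "C:\\\\Program Files\\\\App\\\\app.dll", "copy_of": null}',
    '{"ts": 3, "pid": 200, "ppid": 1, "event": "process_start", "image": "C:\\\\Users\\\\u\\\\Downloads\\\\invoice.exe", "cmdline": "invoice.exe"}',
    '{"ts": 4, "pid": 200, "event": "file_write", "path": "C:\\\\ProgramData\\\\svc\\\\svchost.exe", "copy_of": "C:\\\\Users\\\\u\\\\Downloads\\\\invoice.exe"}',
    '{"ts": 5, "pid": 200, "event": "net_connect", "dst": "198.51.100.7:443"}',
    '{"ts": 6, "pid": 300, "ppid": 200, "event": "process_start", "image": "C:\\\\ProgramData\\\\svc\\\\m.exe", "cmdline": "m.exe -o stratum+tcp://pool.example:3333 --donate-level 0"}',
]

STAGE_ORDER = ("self_copy", "outbound_after_copy", "miner_child")


def parse_events(lines):
    """Parse one JSON event per line, skipping blank or malformed lines, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate garbage rather than abort the whole hunt
    return sorted(events, key=lambda e: e["ts"])


def detect_loader_chains(lines):
    """Flag processes that copy themselves, then connect out, then spawn a miner-like child.

    Returns a list of findings; confidence is "high" when all three stages are seen
    in order and "medium" when only two of them are.
    """
    events = parse_events(lines)
    image_of = {}                 # pid -> image path of the process
    stages = defaultdict(dict)    # pid -> {stage name: timestamp first seen}

    for e in events:
        pid, ts, kind = e["pid"], e["ts"], e["event"]
        if kind == "process_start":
            image_of[pid] = e["image"]
            parent = e.get("ppid")
            cmd = e.get("cmdline", "").lower()
            # Stage 3: a child of a tracked process whose command line looks like a miner.
            if parent in image_of and any(m in cmd for m in MINER_MARKERS):
                stages[parent].setdefault("miner_child", ts)
        elif kind == "file_write":
            # Stage 1: the process writes a copy of its own image to a new path.
            src = e.get("copy_of")
            if src and src == image_of.get(pid) and e["path"] != src:
                stages[pid].setdefault("self_copy", ts)
        elif kind == "net_connect":
            # Stage 2: an outbound connection after the self-copy (payload URL fetch).
            if "self_copy" in stages.get(pid, {}):
                stages[pid].setdefault("outbound_after_copy", ts)

    findings = []
    for pid, seen in stages.items():
        ordered = [s for s in STAGE_ORDER if s in seen]
        if len(ordered) < 2:
            continue
        # Require the stages to have happened in the narrated order.
        times = [seen[s] for s in ordered]
        if times != sorted(times):
            continue
        findings.append({
            "pid": pid,
            "image": image_of.get(pid),
            "stages": ordered,
            "confidence": "high" if len(ordered) == len(STAGE_ORDER) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_loader_chains(SAMPLE_EVENTS):
        print(finding)
```

The two-of-three fallback matters in practice: an analyst sandbox that blocks outbound traffic, or a loader whose evasion check fires before the self-copy, will leave an incomplete chain, and a medium-confidence hit is still worth a look given how few legitimate processes copy their own executable and then launch a child with mining-pool arguments.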
“The activity that we saw using this loader suggests that someone may be using it to execute malware,” researchers said.
“However, this loader could be exploited for ransomware or espionage by a sophisticated attacker if they were to get it.”