A new malicious downloader dubbed “DePriMon” registers itself as a fake Windows Default Print Monitor to achieve persistence and to execute commands as the SYSTEM user.
The DePriMon malware has been active since at least March 2017 and was first detected in a private company based in Central Europe. It is well written, and its authors use various encryption techniques that make analysis more difficult.
According to ESET's analysis, the malware is multi-staged. The first stage and the distribution method remain unknown at the time of writing.
The second stage loads the third stage, the downloader, using an encrypted, hardcoded path. The second stage also registers the third-stage DLL as a port monitor.
A port monitor is a DLL that registers itself with SYSTEM-level permissions as a printer. It performs various tasks such as printing a document or saving a PDF file.
The second stage registers the third-stage DLL with the following registry key and value:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor
Driver = %PathToThirdStageDLL%
The registered DLL is loaded by spoolsv.exe and executed with SYSTEM privileges at system startup. The second stage also checks %system32% for a file whose name is the same as the third-stage DLL.
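For defenders, the port monitor registration described above can be audited from the output of `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s`. The following is an added example, not code from ESET or from the malware; the baseline set, the sample output and the DLL name `example_third_stage.dll` are constructed assumptions.

```python
import re

MONITORS_KEY = r"SYSTEM\CurrentControlSet\Control\Print\Monitors"
PAGE_MONITOR_NAME = "Windows Default Print Monitor"  # name given in the article
# Assumption: Driver values the reviewer has already vetted for this host.
BASELINE_DRIVERS = {"localspl.dll", "tcpmon.dll", "usbmon.dll"}

# Constructed sample of `reg query` output (not from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port
    Driver    REG_SZ    localspl.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port
    Driver    REG_SZ    tcpmon.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports
    LprAckTimeout    REG_DWORD    0xb4
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor
    Driver    REG_SZ    example_third_stage.dll
"""

VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s*(.*)$")

def parse_monitors(text):
    """Map each monitor (direct subkey of the Monitors key) to its Driver value."""
    monitors, current = {}, None
    prefix = (MONITORS_KEY + "\\").lower()
    for line in text.splitlines():
        if line.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            rel = line.split("\\", 1)[1].strip()
            name = rel[len(prefix):] if rel.lower().startswith(prefix) else ""
            # Deeper keys (such as a monitor's Ports subkey) are not monitors.
            current = name if name and "\\" not in name else None
            continue
        m = VALUE_RE.match(line)
        if m and current and m.group(1).lower() == "driver":
            monitors[current] = m.group(3).strip()
    return monitors

def review(monitors):
    """Return (name, driver, reasons) for monitors that need a closer look."""
    findings = []
    for name, driver in sorted(monitors.items()):
        reasons = []
        if name.lower() == PAGE_MONITOR_NAME.lower():
            reasons.append("monitor name reported in the article")
        if driver.lower() not in BASELINE_DRIVERS:
            reasons.append("Driver not in vetted baseline")
        if reasons:
            findings.append((name, driver, reasons))
    return findings
```

Run `review(parse_monitors(output))` on real `reg query` output after replacing `BASELINE_DRIVERS` with the monitor DLLs you have verified on a known-good build of the same system.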
The third stage is responsible for downloading the main payload from DePriMon’s operators. Communication with the C&C server is established over SSL/TLS, using Secure Channel.
To make analysis more difficult, the malware authors store the encrypted configuration file in a temporary folder.