Since October 2022, researchers have been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable: it carries several files which together carry out the malicious execution, extracting and decrypting files and injecting the resulting malicious code.

Malware delivered via NeedleDropper is distributed through several delivery methods, which fall into two main categories. The first is a downloader, configured to download files from a remote location. The second is a binary executable that runs from a location hardcoded in the dropper.

To produce its malware, NeedleDropper uses a multi-stage process that decrypts the payload and injects it into a process of its choosing. In this process, NeedleDropper uses two decryption algorithms: RC4 and AES.

NeedleDropper uses AES to encrypt and decrypt the malicious code itself: the original executable is converted into a .NET assembly (EXE), which is decoded with AES and then converted back into an executable file. Analysis of NeedleDropper's execution on a test machine revealed several unusual behaviors, as well as some potential areas for mitigation strategies.
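The paragraphs above describe a dropper that carries encrypted stages (RC4 and AES) inside its own files. An analyst triaging such a sample typically first locates the encrypted blobs by their byte entropy, then peels a layer once the key has been recovered. The following is an added example written for this page, not code from the article or from the malware itself: it scans a constructed carrier for high-entropy windows and RC4-decrypts the region it finds. The carrier bytes, the inner-stage text, the key (`analyst-recovered-key`) and the layout (filler followed by one appended blob) are all assumptions constructed for the demonstration; only the RC4 layer is reproduced, since the standard library has no AES, and the same entropy-then-decrypt workflow applies to the AES layer the article mentions.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.0) -> list[tuple[int, float]]:
    """Return (offset, entropy) for every full non-overlapping window at or above the threshold.

    Encrypted or compressed blobs approach 8 bits/byte, while native code and text
    usually sit well below 7. This is a coarse triage heuristic, not a signature.
    """
    hits = []
    for off in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream XOR). Symmetric: one call encrypts or decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def carve_and_decrypt(carrier: bytes, key: bytes, window: int = 1024) -> tuple[int, bytes]:
    """Locate the first contiguous run of high-entropy windows and RC4-decrypt it.

    The key is assumed to have been recovered during analysis of the dropper.
    Returns (offset of the blob, decrypted bytes).
    """
    hits = high_entropy_windows(carrier, window)
    if not hits:
        raise ValueError("no high-entropy region found")
    start = hits[0][0]
    end = start + window
    for off, _ in hits[1:]:
        if off != end:
            break
        end += window
    return start, rc4(key, carrier[start:end])


# --- Constructed sample: not a real NeedleDropper artifact ---
WINDOW = 1024
# Low-entropy filler standing in for the dropper's own code (constructed).
FILLER = (b"constructed low-entropy filler standing in for the dropper's own code; " * 40)[:2 * WINDOW]
# Stand-in for the inner stage; in a real sample this would be the next-stage binary (constructed).
INNER_STAGE = (b"MZ-stand-in: constructed inner stage text, not a real payload. " * 40)[:2 * WINDOW]
# Assumption: a key recovered by the analyst, not a key from any real sample.
KEY = b"analyst-recovered-key"
# Assumed layout: filler followed by one RC4-encrypted blob.
CARRIER = FILLER + rc4(KEY, INNER_STAGE)


if __name__ == "__main__":
    for off, e in high_entropy_windows(CARRIER, WINDOW):
        print(f"high-entropy window at offset {off:#x}: {e} bits/byte")
    offset, plain = carve_and_decrypt(CARRIER, KEY, WINDOW)
    print(f"blob at {offset:#x}, decrypted entropy {shannon_entropy(plain):.2f} bits/byte")
    print("inner stage recovered:", plain == INNER_STAGE)
```

The window size matters: with 256-byte windows the empirical entropy of random data drops noticeably below 8 and the 7.0 threshold becomes unreliable, so 1 KiB or larger windows are used here. The decrypted region's entropy falling back to text-like values is the quick check that the recovered key and layer order were right before moving on to the next layer.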

EPICs Labs has been monitoring the deployment of NeedleDropper since October 2022. They observed a spike in its execution starting January 2023, when the number of malware samples delivered through this method increased significantly. This malware is relatively new, and several droppers previously tracked as unique are being observed to belong to the same family. The sample is distributed through different file transfer methods, but it uses an EXE dropper. The function of this EXE is to download other files, decompress them, and run them with specific parameters.

