StyleServ Malware Acts as Backdoor


StyleServ is classified as a backdoor: a category of malicious programs designed to prepare a compromised system for further infiltration or to deliver a second stage of infection. The precise purpose of StyleServ is unclear at the time of this report, but it most likely serves as a preliminary tool that facilitates subsequent infections.

Because its exact functionality remains uncertain, the best current assessment is that the malware is used to survey the networks it has reached, gathering information that can advance the attack, such as identifying exploitable weaknesses within the target.

Tools of this kind are commonly used in flexible, targeted attacks whose later steps depend on the specific target and on which security weaknesses it does or does not have.

StyleServ infections are known to use DLL side-loading. This technique abuses the Windows DLL search order: a legitimate, often signed, executable loads a library by name rather than by full path, and the loader finds the attacker's DLL (here, StyleServ) in a directory it checks before the location of the genuine copy, typically the application's own folder. The trusted process then runs the malicious payload in its own memory.
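The following is an added detection example, not code from the original page or from any StyleServ sample: it scans image-load telemetry for the classic side-loading pattern, a DLL that carries the name of a Windows system library but was loaded, unsigned, from the same directory as the hosting executable instead of from System32 or SysWOW64. The event records, the set of trusted directories and the list of system DLL names are constructed sample data; on a real host the name list would be built by enumerating the system directories.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Constructed sample data; the record layout is an assumption and does not
correspond to any particular EDR or Sysmon schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a DLL carrying a Windows system-library name is expected
# to load. Anything else is suspicious for those names.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Constructed inventory of DLL names that ship with Windows. A real deployment
# would enumerate System32 and SysWOW64 on the host instead of hard-coding this.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    process_image: str    # full path of the executable that loaded the DLL
    image_loaded: str     # full path of the DLL that was mapped
    signature_valid: bool # whether the DLL carries a valid Authenticode signature


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-named DLL was loaded from the hosting EXE's own folder.

    The Windows loader searches the application directory before the system
    directory for any DLL not in the KnownDLLs list, so a planted copy next to
    a legitimate executable wins the lookup.
    """
    exe = PureWindowsPath(ev.process_image.lower())
    dll = PureWindowsPath(ev.image_loaded.lower())
    if dll.name not in KNOWN_SYSTEM_DLLS:
        return False                     # not impersonating a system library
    if str(dll.parent) in TRUSTED_DIRS:
        return False                     # genuine copy, loaded from where it lives
    return dll.parent == exe.parent and not ev.signature_valid


def find_sideload_candidates(events):
    """Return the image-load events that match the side-loading pattern."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: two side-loads hidden among normal loads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\version.dll", False),      # side-load
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\kernel32.dll", True),          # normal
    ImageLoad(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\wtsapi32.dll", True),          # normal
    ImageLoad(r"C:\Users\bob\Downloads\tool.exe",
              r"C:\Users\bob\Downloads\dbghelp.dll", False),       # side-load
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", False),       # vendor's own DLL
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit.process_image} -> {hit.image_loaded}")
```

The signature check matters because legitimate installers do sometimes ship their own copies of redistributable system libraries; an unsigned, system-named DLL sitting beside a signed executable is the combination worth escalating.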

This backdoor is used for reconnaissance of the compromised environment, which can include monitoring the system and scanning for vulnerabilities and open ports. Some of this reconnaissance is passive and requires minimal interaction with the target; the rest is active. Port scanning is an example of the latter: it probes hosts directly to learn how the network is laid out, with a focus on identifying weak points and paths for deeper infiltration.

StyleServ's Mode of Operation

Once the side-loaded DLL is activated, it starts five threads, each assigned to a different port. At 60-second intervals the threads attempt to open a file named "stylers.bin"; the file is treated as valid if it is present and satisfies certain checks.

If the file passes validation, its contents are used in the threads' network requests. The threads primarily act as receivers for remote connections, listening on their sockets and reacting to activity on them, with "stylers.bin" supplying the (encrypted) data they work from.
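The behaviour described above (one process holding several listening sockets while re-opening the same file on a fixed 60-second cadence) is a hunting signal that does not depend on file hashes. The block below is an added example, not code from the original page or from any StyleServ sample: it replays constructed socket-listen and file-open events and flags processes that hold at least five listening ports and poll a file named stylers.bin at roughly 60-second intervals. The event layout, the thresholds and the timing tolerance are assumptions chosen to match the description; the page gives no telemetry format.

```python
"""Hunt for a StyleServ-like pattern in host telemetry: several listening
sockets per process plus a fixed-cadence poll of the same file.

The Event layout and the sample records are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: int       # seconds since epoch (constructed)
    pid: int
    kind: str     # "listen" (socket bound for incoming connections) or "file_open"
    detail: str   # port number as a string, or the file path that was opened


def is_periodic(timestamps, period=60, tolerance=5, min_samples=3):
    """True when consecutive opens are spaced about `period` seconds apart.

    A polling loop on a fixed timer produces near-constant gaps; a few seconds
    of jitter is tolerated because sleep timers and event logging both drift.
    """
    if len(timestamps) < min_samples:
        return False
    ordered = sorted(timestamps)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    return all(abs(g - period) <= tolerance for g in gaps)


def find_styleserv_like(events, min_ports=5, filename="stylers.bin"):
    """Return pids that listen on >= min_ports ports and poll `filename` periodically."""
    listen_ports = defaultdict(set)
    file_polls = defaultdict(list)
    for ev in events:
        if ev.kind == "listen":
            listen_ports[ev.pid].add(ev.detail)
        elif ev.kind == "file_open" and ev.detail.lower().endswith(filename):
            file_polls[ev.pid].append(ev.ts)
    return sorted(
        pid for pid, ports in listen_ports.items()
        if len(ports) >= min_ports and is_periodic(file_polls.get(pid, []))
    )


# Constructed telemetry. pid 4120 shows the full pattern; pid 512 is a normal
# service with one port; pid 7000 listens widely but never polls the file.
SAMPLE_EVENTS = [
    Event(0, 4120, "listen", "50001"), Event(0, 4120, "listen", "50002"),
    Event(0, 4120, "listen", "50003"), Event(0, 4120, "listen", "50004"),
    Event(0, 4120, "listen", "50005"),
    Event(0,   4120, "file_open", r"C:\ProgramData\Styler\stylers.bin"),
    Event(60,  4120, "file_open", r"C:\ProgramData\Styler\stylers.bin"),
    Event(121, 4120, "file_open", r"C:\ProgramData\Styler\stylers.bin"),
    Event(180, 4120, "file_open", r"C:\ProgramData\Styler\stylers.bin"),
    Event(0, 512, "listen", "3389"),
    Event(30, 512, "file_open", r"C:\Windows\System32\config\SYSTEM"),
    Event(0, 7000, "listen", "8000"), Event(0, 7000, "listen", "8001"),
    Event(0, 7000, "listen", "8002"), Event(0, 7000, "listen", "8003"),
    Event(0, 7000, "listen", "8004"),
]

if __name__ == "__main__":
    print("suspicious pids:", find_styleserv_like(SAMPLE_EVENTS))
```

Requiring both halves of the pattern keeps the false-positive rate manageable: plenty of legitimate services listen on many ports, and plenty of agents poll a file on a timer, but the combination in one unsigned or side-loaded process is rare.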

StyleServ also has a tenuous link to the Cur malware group: a sample of this backdoor was uploaded by the same user who submitted a variant of the CurLu loader. If the suspected association between StyleServ and a CurLu infection is confirmed, it would tie StyleServ to the same threat actor that uses programs belonging to the Cur malware family.

October 25, 2023