A new malicious downloader dubbed “DePriMon” registers itself as a fake Windows Default Print Monitor to achieve persistence and to execute commands with SYSTEM privileges.
The DePriMon malware has been active since at least March 2017; it was first detected at a private company based in Central Europe. It is a well-written piece of malware, and its authors use various encryption techniques that make analysis more difficult.
According to ESET's analysis, the malware is multi-staged; the first stage and the distribution method remained unknown at the time of writing.
Port monitors are DLLs that the Print Spooler service (spoolsv.exe, which runs as SYSTEM) loads in order to send print jobs to a port. Legitimate port monitors handle tasks such as sending a document to a local printer or writing it out as a PDF file. Registering a malicious DLL as a port monitor therefore gets it loaded by a trusted SYSTEM-level process at every boot.
The second stage registers the third-stage DLL with the following registry key and value:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor
Driver = %PathToThirdStageDLL%
The Print Spooler (spoolsv.exe) loads this registered DLL at system startup and executes it with SYSTEM privileges. Because the spooler resolves the Driver value as a file name in %system32%, the second stage also checks that a file with the same name as the third-stage DLL is present in that folder.
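The registry location above is the same one defenders can audit. The following PowerShell hunt is an added example, not code from the article or from ESET's report: it enumerates every key under Monitors, resolves each Driver value from System32 the way spoolsv.exe does, and flags monitors whose DLL is missing, unsigned, not Microsoft-signed, or whose name is not in an assumed baseline of stock monitor names (the baseline list is an assumption for a default Windows 10 install and should be adjusted per image). The technique it hunts for is catalogued in MITRE ATT&CK as Port Monitors (T1547.010).

```powershell
# Added example: hunt for suspicious print port monitors.
# Not ESET's or the article's code. The $KnownMonitors baseline is an
# assumption for a stock Windows 10 image; tune it for your environment.

$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$System32    = Join-Path $env:SystemRoot 'System32'

# Monitor key names normally present on a default installation (assumed baseline).
$KnownMonitors = @(
    'Local Port', 'Standard TCP/IP Port', 'USB Monitor',
    'WSD Port', 'Microsoft Shared Fax Monitor', 'Appmon'
)

function Get-PortMonitorFinding {
    $findings = @()
    foreach ($key in Get-ChildItem -Path $MonitorsKey) {
        $name    = $key.PSChildName
        $driver  = (Get-ItemProperty -Path $key.PSPath -Name 'Driver' -ErrorAction SilentlyContinue).Driver
        $reasons = @()
        $path    = $null

        if ($KnownMonitors -notcontains $name) { $reasons += 'monitor name not in baseline' }

        if ([string]::IsNullOrEmpty($driver)) {
            $reasons += 'no Driver value'
        } else {
            # spoolsv.exe loads the monitor by file name from System32; a
            # Driver value carrying a path is unusual and worth a look.
            if ($driver -ne [System.IO.Path]::GetFileName($driver)) { $reasons += 'Driver value contains a path' }
            $path = if ([System.IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $System32 $driver }

            if (-not (Test-Path -LiteralPath $path)) {
                $reasons += 'DLL missing from System32'
            } else {
                # Stock monitors are catalog-signed by Microsoft; anything else is suspect.
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature status $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $reasons += "signer: $($sig.SignerCertificate.Subject)"
                }
            }
        }

        $findings += [pscustomobject]@{
            Monitor    = $name
            Driver     = $driver
            Path       = $path
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    }
    return $findings
}

# Usage: run from an elevated PowerShell session. A key named
# "Windows Default Print Monitor" (DePriMon's choice) is not a stock monitor
# and would be flagged by the baseline check even if its DLL were signed.
Get-PortMonitorFinding | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: on older Windows versions Get-AuthenticodeSignature may report catalog-signed system DLLs as NotSigned, so the baseline check, not the signature check, is the reliable signal there; and a missing DLL is itself interesting, because it can mean a monitor was registered before its payload was staged or after it was cleaned up.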
The third stage is responsible for downloading the main payload from DePriMon's operators. Communication with the C&C server is established over TLS using the Windows Secure Channel (Schannel) API.
To make analysis harder, the malware authors store the encrypted configuration file in a temporary folder.
The main payload is downloaded directly into memory and executed using a reflective DLL loading technique, so it is never written to disk. DePriMon is a powerful and persistent tool used to download additional malware.