dmechant Malware Description
A potent info-stealer is being distributed via bait emails carrying weaponized Word attachments. The lure emails pretend to come from a purchase manager and concern the details of a supposed order; the message urges the unsuspecting recipient to review the details in the attached Word file before confirming them. As is typically the case, the Word document contains a malicious macro that delivers the malware payload to the victim's system. The observed malware appears to be a unique creation that is not associated with any previously established malware family. It acts as a crypto-wallet and credentials collector. The infosec researchers who first detected the threat named it the dmechant Malware.
A curious aspect of the campaign is that the contents of the Word document are written entirely in Spanish. Whether this means the attackers are predominantly interested in Spanish-speaking countries, or simply have dedicated lure emails for different territories, cannot be determined at the moment. The text claims that the document's contents cannot be displayed due to a version incompatibility and instructs the potential victim to click the 'Enable Content' button. Doing so immediately triggers the execution of the dmechant malware.
The Initial Stage of dmechant's Activity
The dmechant payload is dropped on the compromised system as 'erbxcb.exe,' an executable that masquerades as a PDF document. Upon execution, the payload performs several preparatory actions that facilitate its true malicious goals. For example, it creates a new folder at '%AppData%\bplg' and moves its main executable there. It then establishes persistence by adding the copied file to the auto-run group of the system Registry. The malware also loads a decompressed file named '%Temp%\arwtfgxjpx80' into memory and calls a function that decrypts it. Afterward, the threat extracts an executable PE file entirely in memory.
The Information Collected by dmechant
The dmechant malware goes after a wide set of sensitive private information, such as crypto-wallet addresses and account credentials. The threat appears to be interested predominantly in collecting profiles from the crypto wallets installed on the compromised device, and it searches for ten predefined software instances: Zcash, Armory, Bytecoin, Jaxx Liberty, Exodus, Ethereum, Electrum, Atomic, Guarda and Coinomi. Whenever a matching crypto-wallet is found, the threat copies the entire folder containing the profile data and drops it in its home folder at '%AppData%\Microsoft\Windows\Templates.' All collected information is archived as a ZIP file and exfiltrated to the attackers as an email attachment.
In addition, dmechant tries to access credentials from a list of 28 predefined Web browsers. Any data found is again moved to the home folder, this time saved in a newly generated file named 'credentials.txt.' Among the targeted browsers are Chrome, Vivaldi, Yandex, Opera, 360 Browser, Brave Browser, Kometa, Sputnik, Sleipnir 6, Edge Chromium and more. Apart from browsers, the dmechant malware is also capable of compromising software clients and collecting their saved credentials, including Outlook, CoreFTP, FileZilla, NordVPN, FoxMail, Thunderbird and more.
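As an added detection example (not from the original write-up or from any vendor tooling), the following Python script checks two of the host artifacts described in the persistence and collection sections above: a Run-key entry that points into %AppData%\bplg or at erbxcb.exe, and loot staged under %AppData%\Microsoft\Windows\Templates. The 'reg query' dump, the Run value name 'bplg', the user profile path and the archive name 'collected.zip' are constructed sample input, not indicators taken from the page.

```python
import re
# Indicators taken from the description above; all matching is case-insensitive.
DROP_DIR = "\\appdata\\roaming\\bplg\\"                          # %AppData%\bplg
PAYLOAD_NAME = "erbxcb.exe"
STAGING_DIR = "\\appdata\\roaming\\microsoft\\windows\\templates\\"  # loot staging folder
WALLETS = {"zcash", "armory", "bytecoin", "jaxx liberty", "exodus",
           "ethereum", "electrum", "atomic", "guarda", "coinomi"}
# One value line of 'reg query HKCU\...\CurrentVersion\Run': name, type, data.
RUN_LINE = re.compile(r"^[ \t]+(\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)[ \t]*$", re.M)

def normalize(path):
    # Lower-case and rewrite a literal %AppData% so both spellings compare equal.
    return path.lower().replace("%appdata%", "\\appdata\\roaming")
def image_path(data):
    # Strip surrounding quotes and any trailing command-line arguments.
    return data[1:].split('"', 1)[0] if data.startswith('"') else data.split(" ", 1)[0]
def suspicious_run_entries(reg_output):
    # Return (value_name, image, reasons) for Run entries matching the indicators.
    hits = []
    for name, data in RUN_LINE.findall(reg_output):
        image = normalize(image_path(data))
        reasons = []
        if DROP_DIR in image:
            reasons.append("autorun image lives in the %AppData%\\bplg drop folder")
        if image.endswith("\\" + PAYLOAD_NAME):
            reasons.append("image name matches the dropped payload erbxcb.exe")
        if reasons:
            hits.append((name, image, reasons))
    return hits
def staging_artifacts(listing):
    # Flag entries under the staging folder that look like collected loot.
    found = []
    for path in (l.strip() for l in listing.splitlines()):
        p = normalize(path)
        leaf = p.rsplit("\\", 1)[-1]
        if STAGING_DIR in p and (leaf == "credentials.txt" or leaf.endswith(".zip") or leaf in WALLETS):
            found.append(path)
    return found

# Constructed sample input (not real telemetry): a 'reg query' dump and a directory listing.
SAMPLE_REG = r"""HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    bplg    REG_SZ    C:\Users\user\AppData\Roaming\bplg\erbxcb.exe
"""
SAMPLE_LISTING = r"""C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\desktop.ini
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Exodus
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\credentials.txt
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\collected.zip
"""
```

Run it against the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and a `dir /s /b` listing of the Templates folder; the OneDrive entry and desktop.ini in the sample show that ordinary entries are left alone.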