
Verblecon Malware

Details about a new, powerful malware named Verblecon have been brought to light. The threatening strain was first detected by researchers in January 2022. According to their findings, the threat actor currently using the Verblecon Malware in their attack operations utilizes only a small portion of the threat's capabilities. Indeed, despite having the capacity to perform numerous invasive actions on breached devices, Verblecon has so far been relegated to the role of a loader delivering crypto-mining payloads.

Technical Details

The Verblecon malware is Java-based and polymorphic in nature. This means that the code of the threat's payload looks different every time it is downloaded. Such sophisticated techniques are typically employed by threat actors involved in cyberespionage. Furthermore, the code flow, strings, and symbols of the threat are all fully obfuscated, making Verblecon extremely stealthy.

The threat also performs several checks for virtualization and sandbox environments. It fetches a list of the currently running processes and matches them against a predetermined selection of files known to be associated with virtual machine systems. If all checks are passed, the threat continues its execution by copying itself to a local directory such as %ProgramData%, %LOCALAPPDATA%, or Users.

Verblecon periodically attempts to establish contact with a Command-and-Control (C2) server to obtain and deploy a new payload. The payload is obfuscated using similar techniques and also checks the environment for signs of virtualization. According to the researchers, the main task of the payload is to download and execute a binary file, which is subsequently injected into %Windows%\SysWow64\dllhost.exe.
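The two behaviours above give defenders concrete hunt criteria: a Java runtime launching a .jar staged under %ProgramData%, %LOCALAPPDATA% or a Users profile, and dllhost.exe being started by a Java process (consistent with the injection target named on this page). The script below is an added illustrative example, not code from the original page or from the researchers; it runs a simple heuristic over constructed, Sysmon-style process-creation records, and the field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`) and all sample paths are assumptions chosen for the example.

```python
"""Hunting heuristic for the Verblecon loader behaviours described above.

Added example, not from the original page or the researchers' tooling.
It scans constructed process-creation records and flags:
  1. a Java runtime launched with a .jar argument located under one of the
     staging directories named on the page (%ProgramData%, %LOCALAPPDATA%,
     or a Users profile), and
  2. dllhost.exe whose parent process is a Java runtime.
Field names and sample values are assumptions made for this example.
"""
import re
from typing import Iterable

JAVA_IMAGES = {"java.exe", "javaw.exe"}

# %LOCALAPPDATA% lives under Users\<name>\AppData\Local, so matching the
# Users root covers it as well as ProgramData.
STAGING_DIR_RE = re.compile(r"^[a-z]:\\(?:programdata|users)\\", re.IGNORECASE)

# A .jar argument, either quoted (may contain spaces) or a bare token.
JAR_RE = re.compile(r'"([^"]+\.jar)"|(\S+\.jar)', re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lowercase file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def flag_event(ev: dict) -> list[str]:
    """Return the (possibly empty) list of reasons one event looks suspicious."""
    reasons = []
    img = image_name(ev["Image"])
    parent = image_name(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")

    if img in JAVA_IMAGES:
        m = JAR_RE.search(cmd)
        if m:
            jar = m.group(1) or m.group(2)
            if STAGING_DIR_RE.match(jar):
                reasons.append(f"java runtime launched .jar from staging dir: {jar}")

    if img == "dllhost.exe" and parent in JAVA_IMAGES:
        reasons.append(f"dllhost.exe spawned by {parent}")

    return reasons


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Return (ProcessId, reasons) for every event that triggers a rule."""
    hits = []
    for ev in events:
        reasons = flag_event(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": "1001", "Image": r"C:\Program Files\Java\bin\javaw.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Java\bin\javaw.exe" -jar C:\ProgramData\svc\update.jar'},
    {"ProcessId": "1002", "Image": r"C:\Windows\SysWOW64\dllhost.exe",
     "ParentImage": r"C:\Program Files\Java\bin\javaw.exe",
     "CommandLine": r"C:\Windows\SysWOW64\dllhost.exe /Processid:{PLACEHOLDER-GUID}"},
    # Benign: dllhost.exe under svchost.exe, the usual COM surrogate parent.
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\dllhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\dllhost.exe /Processid:{PLACEHOLDER-GUID}"},
    # Benign: Java app installed under Program Files, not a staging directory.
    {"ProcessId": "1004", "Image": r"C:\Program Files\Java\bin\java.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'java -jar "C:\Program Files\Tool\tool.jar"'},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Both rules are deliberately broad: Java applications legitimately run from user profiles, so the first rule is a triage signal to be combined with the file's age, signature status, and any outbound connections, rather than an alert on its own; the second rule (dllhost.exe with a Java parent) is far more specific and worth a higher severity.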

As noted above, the current operations involving Verblecon do not exploit the threat's full capabilities and are limited mostly to delivering crypto-mining threats. There are also signs that the attackers are interested in obtaining victims' Discord tokens.
