LegionLoader Exploiting Chrome Extensions for Infostealer Malware Delivery

LegionLoader, a C/C++ downloader malware first seen in 2019, has resurfaced with enhanced capabilities and has been distributing various stealers through malicious Chrome extensions since August 2024. The extensions it deploys can manipulate email, monitor browsing activity, and even turn an infected browser into a proxy for the operators, letting them browse the web using the victim's sessions and credentials.

The payloads delivered by LegionLoader include well-known stealers such as LummaC2, Rhadamanthys, and StealC. The campaign relies on drive-by downloads and file-sharing services such as RapidShare, with payloads hosted on MEGA. Once deployed, these stealers give the operators the ability to capture screenshots, take over cryptocurrency accounts, and carry out financial transactions without the victim noticing.

During execution of the MSI installer, LegionLoader sends information such as the date, time, and product language to a server in order to retrieve the password needed to unlock the embedded ZIP archive; the retrieved password also forms part of the RC4 key. LegionLoader has also changed its side-loading technique: it now abuses the legitimate steamerrorreporter64.exe to load a malicious vstdlib_s64.dll, replacing the rnp.dll and rnpkeys.exe pair used previously.

To evade sandbox analysis, LegionLoader prompts for user interaction, so that execution only proceeds after actions that require a human. Its malicious components, including a DLL and its dependencies, are dropped into the user's AppData\Roaming folder, likely to achieve persistence or to avoid detection.

To obfuscate its payload, LegionLoader uses a multi-step scheme combining Base64 encoding and RC4 encryption; the RC4 key is generated dynamically by manipulating immediate constants and reading values from specific registry keys. The shellcode is decrypted with the XTEA algorithm using a key embedded in the shellcode itself. The decrypted payload is then injected into explorer.exe via process hollowing, with the required API calls resolved through CRC32 hashes of their names.

LegionLoader communicates with a hardcoded command and control (C2) server to receive its configuration, which is Base64-encoded and RC4-encrypted with a static key. It polls the C2 server with GET requests in which the 'a' parameter carries a randomly generated 16-character alphanumeric string.

According to Trac-Labs, LegionLoader's configuration file exposes a range of parameters controlling how payloads are executed on compromised systems, including the number of executions, whether the payload is encrypted, the payload type (DLL or PowerShell), the target country, and post-execution tracking options.

Combined with its use of DNS requests to retrieve C2 addresses and its ability to decrypt data using a key stored in Chrome, LegionLoader remains a significant threat as a delivery mechanism for next-stage payloads such as LummaC2 and StealC, and its continued evolution shows how adaptable the loader is.
