ThreatSTOP Blog

Dimnie: Targeting the Unexpected

Written by ThreatSTOP Security Team | April 26, 2017

 

GitHub is a platform used to share any type of code. For this reason, it’s an important part of research and information sharing within the cyber security field. Because it’s a part of this environment, it’s inevitable that malicious actors will try to infect users’ platforms with malware.

In the past, there were several publications of malware code later used for active malicious campaigns. For example, Mirai was used for large scale attacks shortly after the code was disclosed.

In March 2017, Palo Alto Networks published a case revolving around GitHub. Here, GitHub users were targeted by phishing e-mails with job opportunities. Opening the attachment resulted in downloading the Dimnie malware.

This malware differs by targets, methods and communication to command and control servers. For example, each module is injected into the memory of core Windows processes, causing the analysis to become more complex.

Dimnie's connection to the command and control server is over HTTP protocol, but not used in an ordinary way. These connections use a specific feature of the HTTP protocol, Request-URI, to disguise the malicious connection with an inactive, valid service, such as "toolbarqueris.google[.]com".

The capabilities of this malware include information disclosure, keylogging, screenshots and smartcard interaction.

 

ThreatSTOP IP Firewall Service and DNS Firewall Service protect against Dimnie’s latest campaign when TSCritical targets are enabled.