The newly discovered Legion Loader infects computers with a huge quantity and variety of malware, making it a serious threat.

A newly discovered malware dropper known as the Legion Loader has been dubbed "a hornet's nest" of malware by the Deep Instinct researchers who discovered it.

Legion Loader is a dropper, which exists to infect computers and install additional malware on them. Droppers aren't uncommon, but Legion Loader has a particularly nasty arsenal to play with and is designed to install two or three different hardcoded malware executables from its list of malicious payloads.

Many of the malware executables Legion installs are run-of-the-mill dangers available through malware black markets, like Vidar, Predator the Thief, and Raccoon stealer, but it isn't those that are the real danger: it's a couple of baked-in attacks that come with the initial install of Legion.

Legion’s big threats: Crypto theft, credential grabbing, and RDP backdoors

Legion's first act is to contact its command and control (C&C) server and download its initial malware. After it downloads those two or three hardcoded programs, it goes to work installing the real nasty stuff.

First up, Legion uses an obfuscated PowerShell script to scan the infected computer for any evidence of a cryptocurrency wallet or stored credentials for any cryptocurrency websites. If either is found, Legion downloads two things: a cryptocurrency-stealing program to extract wallet info, and a web browser credential stealer that will snag the login information for crypto websites.

The last part of Legion's nasty arsenal of malware is an RDP backdoor that gets installed at the same time as the crypto- and password-stealing code, registers itself as a system service, and waits for an attacker to use it to gain access.

How to combat threats like Legion

As with all malware threats, it’s essential to practice good cybersecurity hygiene, especially in large organizations that can be made vulnerable by the mistakes of individual employees.

In the case of the Legion Loader, make sure your firewall is set up to block connections to specific domains: Deep Instinct has provided a list of domains associated with Legion, so add those to your blacklist right away.

Along with strengthening your firewall, be sure that users aren’t able to download and install apps without permission, make sure they’re regularly changing passwords, and ensure two-factor authentication is used whenever possible. 

Legion Loader, its discoverers said, "is a classic case-in-point of how even a relatively low-sophistication malware can become a security nightmare for an organization." Much of what it does is unsophisticated and easily detected, but it's up to cybersecurity teams to set up rules that allow it, and other malware loaders like it, to be caught in the first place.
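Detection rules of the kind the closing paragraph calls for, as an added example that is not Deep Instinct's code or an official Legion Loader signature: a small Python pass over constructed log lines that flags the three behaviours the article describes, PowerShell launched with an encoded or hidden command line, a new service whose binary runs from an unusual path, and a DNS query for a domain on a block list. The log format, service names, file paths and block-list domains are all constructed placeholders; the domain set is meant to be replaced with the vendor-published list.

```python
"""Toy loader-activity detector over constructed Windows-style log lines.

Added example; not vendor code and not a signature for any real sample.
Every domain, path and event below is a constructed placeholder.
"""
import base64
import re
from dataclasses import dataclass

# Stand-in for a vendor-published block list (constructed placeholder names).
BLOCKED_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Directories a legitimately installed service binary normally runs from.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Command-line fragments that commonly accompany hidden or obfuscated PowerShell use.
PS_MARKERS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
              "frombase64string", "iex ", "invoke-expression")

# PowerShell's -EncodedCommand flag and its short forms, followed by a base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def encode_command(script: str) -> str:
    """Build the base64(UTF-16LE) form PowerShell expects after -EncodedCommand.
    Used here only to construct the sample log line."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Inverse of encode_command; returns "" when the blob is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_powershell(cmd: str) -> list:
    """Flag encoded commands (decoding them for the analyst) and hidden-window markers."""
    findings = []
    m = ENC_FLAG.search(cmd)
    if m:
        decoded = decode_command(m.group(1))
        findings.append(Finding("ps_encoded_command", decoded or "<undecodable>"))
        cmd = f"{cmd} {decoded}"  # inspect the decoded script body as well
    low = cmd.lower()
    hits = [k for k in PS_MARKERS if k in low]
    if hits:
        findings.append(Finding("ps_obfuscation_markers", ", ".join(hits)))
    return findings


def check_service(name: str, image: str) -> list:
    """A newly registered service whose binary sits outside trusted directories."""
    path = image.strip('"').lower()
    if not path.startswith(TRUSTED_SERVICE_DIRS):
        return [Finding("service_unusual_path", f"{name}: {image}")]
    return []


def check_dns(query: str) -> list:
    """A lookup for a domain on the block list."""
    if query.lower().rstrip(".") in BLOCKED_DOMAINS:
        return [Finding("dns_blocked_domain", query)]
    return []


def parse_line(line: str) -> tuple:
    """Constructed line format: 'type|key=value|key=value'."""
    kind, *fields = line.split("|")
    return kind, dict(f.split("=", 1) for f in fields)


def scan_log(text: str) -> list:
    """Run every rule over the log and return the findings in line order."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, ev = parse_line(line)
        if kind == "ps":
            findings += check_powershell(ev["cmd"])
        elif kind == "svc":
            findings += check_service(ev["name"], ev["image"])
        elif kind == "dns":
            findings += check_dns(ev["query"])
    return findings


# Constructed sample events: three benign, three that should be flagged.
SAMPLE_LOG = "\n".join([
    "ps|pid=4120|cmd=powershell.exe -nop -w hidden -enc " + encode_command("Write-Output hi"),
    "ps|pid=4188|cmd=powershell.exe Get-Date",
    "svc|name=WinUpdHelper|image=C:\\Users\\Public\\rdp_helper.exe",
    "svc|name=Spooler|image=C:\\Windows\\System32\\spoolsv.exe",
    "dns|query=c2-placeholder-1.example",
    "dns|query=example.org",
])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```

The service-path rule is deliberately broad: it will also flag legitimate software that installs a service from an unusual location, so in practice it should feed an alert queue rather than block on its own. The DNS rule is only as good as the block list it is given, which is why the article's advice to load the published domain list matters.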