LegionLoader Malware Expands Global Reach

Threat Group: Unknown
Threat Type: Downloader Malware
Exploited Vulnerabilities: Various, including drive-by downloads and malicious browser extensions
Malware Used: LegionLoader (also known as Satacom, RobotDropper, CurlyGate)
Threat Score: High (8.5/10) – Due to its evolving capabilities, use of legitimate platforms for distribution, and focus on cryptocurrency theft.
Last Threat Observation: February 10, 2025

Overview

LegionLoader, first identified in 2019, is a downloader malware known for delivering a variety of malicious payloads, including infostealers, ransomware, and cryptocurrency miners. Over the years, it has evolved to employ sophisticated techniques to evade detection and compromise systems. Recent campaigns have highlighted its focus on cryptocurrency theft through malicious browser extensions and its use of legitimate cloud services for payload distribution.

Key Details

• Delivery Method: Drive-by downloads from compromised or malicious websites, often masquerading as legitimate software installers.
• Target: Primarily cryptocurrency users, but also various industries and geographic locations.
• Functions:
  • Deploys malicious Chrome extensions capable of manipulating emails and monitoring browsing activity.
  • Transforms compromised browsers into HTTP proxies, allowing attackers to browse the web authenticated as the victim.
  • Captures screenshots of active browser tabs.
  • Manages requests to access and update balances for platforms like Facebook, Coinbase, and Google Pay.
  • Performs financial actions, such as withdrawing cryptocurrency funds.
• Obfuscation: Utilizes multiple layers of encryption and process injection techniques to evade detection.

Attack Vectors

LegionLoader employs several methods to compromise systems:

1. Drive-by Downloads: Users are tricked into downloading fake installers from websites that mimic legitimate software portals. These installers often contain malicious payloads.
2. Malicious Browser Extensions: After initial infection, LegionLoader installs malicious extensions in Chromium-based browsers (e.g., Google Chrome, Brave, Opera). These extensions communicate with command-and-control (C2) servers to perform web injections, particularly targeting cryptocurrency websites.
3. Cloud Services Abuse: LegionLoader has been observed using cloud services like MEGA and Google Drive to host and distribute its payloads, leveraging the trust associated with these platforms to bypass security measures.
4. Phishing Attacks: Emails containing malicious attachments or links trick users into executing LegionLoader payloads.
5. Process Injection: Uses techniques such as process hollowing to hide its execution inside legitimate processes.
6. Exploiting Vulnerabilities: Targets known security flaws in operating systems and applications to gain access.

Geographic Distribution and Targeted Industries

Recent campaigns suggest a shift in LegionLoader’s geographic focus. Infections have been reported in:

• North America
• Europe
• Brazil
• Algeria
• Turkey
• Vietnam
• Indonesia
• India
• Egypt
• Mexico

Industries affected include:

• Cryptocurrency users: Users of exchanges like Coinbase, Bybit, KuCoin, Huobi, and Binance.
• Financial services: Banks and fintech companies dealing with cryptocurrency transactions.
• Government organizations: Entities targeted for espionage and data theft.

Known Indicators of Compromise (IoCs)

As this list of IoCs is large, we have put them on their own page here.

Mitigation and Prevention

1. User Awareness: Educate users about the risks of downloading software from untrusted sources and drive-by downloads.
2. Email Filtering: Implement email security measures to detect phishing attempts.
3. Antivirus Protection: Use up-to-date antivirus solutions capable of detecting LegionLoader.
4. Two-Factor Authentication (2FA): Enforce 2FA on all critical systems and financial accounts.
5. Monitor Logs: Continuously monitor system logs for unusual behavior linked to LegionLoader activity.
6. Regular Updates: Patch all software and operating systems to prevent exploitation of known vulnerabilities.

Risk Assessment

Impact: High

• Confidentiality: Can steal sensitive user credentials and cryptocurrency wallets.
• Integrity: Alters web browser functionality and injects malicious extensions.
• Availability: May deliver ransomware payloads, rendering systems inaccessible.

Likelihood: High

• Continuous evolution and ability to evade detection increase the probability of infection.
• Use of legitimate cloud services makes traditional security solutions less effective.

Conclusion

LegionLoader is a persistent and evolving malware threat that poses significant risks to individuals and organizations. Its ability to deliver various malicious payloads, evade detection through encryption and process injection, and target different industries makes it a serious concern for cybersecurity professionals. The malware's use of cloud services to deliver encrypted payloads further complicates detection and highlights the evolving tactics employed by threat actors.

Recent campaigns indicate a potential shift in LegionLoader's geographic focus, with increased activity observed in South America and Southeast Asia, particularly targeting cryptocurrency users. This targeted approach emphasizes the need for individuals and organizations involved in cryptocurrency transactions to be extra vigilant and implement robust security measures.

The evolving nature of LegionLoader and its ability to adapt to new environments and security measures underscore the importance of proactive monitoring, robust security practices, and continuous threat intelligence gathering. Security professionals should prioritize staying informed about the latest news, IoCs, and attack techniques associated with LegionLoader to effectively defend against and mitigate this evolving threat. By understanding the malware's behavior, distribution methods, and targeted industries, organizations can better protect their systems and data from this persistent and dangerous malware.

Sources

• TEHTRIS Blog: LegionLoader Exposed
• Deep Instinct: Untangling Legion Loader’s Hornet Nest of Malware
• PC Risk: How to prevent Legion Loader from causing system damage
• AlienVault: Indicators Of Compromise