down_new is a downloader malware used by the threat group Bronze Butler and has various capabilities, including the ability to base64 encode C2 communications, detect anti-virus products and processes, download files, list the directories on a compromised host, identify the MAC address of a compromised host, and gather information about installed applications.
down_new Malware Capabilities
down_new may use a number of methods to avoid detection and to gain information about potential targets, including encoding data with a standard encoding scheme (base64), communicating over common application layer protocols, and enumerating files and directories. Once present on a system, down_new may also transfer tools or other files between victim devices.
- The malware known as down_new may use various methods to avoid detection and blend in with normal network traffic, including data encoding and application layer protocols. Through process discovery, down_new can also gain a better understanding of the systems it is targeting and decide what actions to take next.
- The down_new malware may attempt to discover security software, configurations, defensive tools, and sensors installed on a system or in a cloud environment. It may use this information to decide whether to fully infect a target and which specific actions to take. The down_new malware may also transfer tools or other files from an external system into a compromised environment; once present, the malware may spread to other devices within the environment. Finally, the down_new malware may enumerate files and directories or search for specific information within a file system.
- The down_new malware may employ various methods to gather information about the systems it accesses, including network configuration and settings, and may use this information discovery to shape follow-on behavior. In addition, down_new may employ a known symmetric encryption algorithm to conceal command and control traffic.
Ways to Mitigate down_new Malware Attacks
- The best way to mitigate down_new malware attacks is to analyze network data for uncommon data flows and to inspect packet contents for communications that do not follow expected protocol behavior. Additionally, system and network discovery activity should be monitored, since it can be indicative of malicious activity.
- down_new can also be mitigated by monitoring for file creation and for unusual processes with external network connections. Monitoring system and network discovery activity is likewise recommended in order to identify potential attacks.
- down_new malware attacks can be mitigated by examining data and events as part of a chain of behavior rather than in isolation. Additionally, knowledge of the symmetric encryption algorithm and key may allow network traffic to be decoded and malware communication signatures to be detected.
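As an added illustration of the network-monitoring advice above (not code from this page or from any down_new analysis), the following Python scans constructed web-proxy log lines for base64 tokens that decode to host details such as a MAC address or a local file path, the kind of base64-encoded C2 traffic described earlier. The log lines, the beacon layout and the regular expressions are assumptions made for the example.

```python
import base64
import binascii
import re

# Assumed patterns: a base64-looking token of 20+ chars in a request,
# and a MAC address or Windows path inside the decoded text.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s|]+")

# Constructed sample log: a benign request, a request carrying a base64 blob
# built here from a made-up host string, and a long but innocent token.
BEACON_PLAINTEXT = "00-1A-2B-3C-4D-5E|HOST01|C:\\Users\\bob\\Documents"
BEACON_TOKEN = base64.b64encode(BEACON_PLAINTEXT.encode()).decode()
SAMPLE_LOG = [
    "GET /index.html?lang=en HTTP/1.1",
    "POST /upload.php?data=" + BEACON_TOKEN + " HTTP/1.1",
    "GET /static/abcdefghijklmnopqrstuvwx.js HTTP/1.1",
]

def decode_b64(token):
    """Return decoded text if token is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def inspect_line(line):
    """Return (token, decoded_text, reasons) for each suspicious token in one line."""
    hits = []
    for token in B64_TOKEN.findall(line):
        text = decode_b64(token)
        if text is None:
            continue  # not base64, or decodes to binary: treat as benign
        reasons = []
        if MAC_RE.search(text):
            reasons.append("mac-address")
        if PATH_RE.search(text):
            reasons.append("file-path")
        if reasons:
            hits.append((token, text, reasons))
    return hits

def scan_log(lines):
    """Return (line_number, hit) pairs for every suspicious token in the log."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in inspect_line(line)]

if __name__ == "__main__":
    for n, (token, text, reasons) in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reasons} -> {text}")
```

Only the second sample line is flagged; the innocent long token on the third line decodes to non-ASCII bytes and is discarded.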