A new malicious downloader dubbed “DePriMon” registers itself as a fake Windows Default Print Monitor to achieve persistence and to execute its payload as SYSTEM.
According to ESET's analysis, the malware is multi-staged; the first stage and the distribution method remained unknown at the time of writing.
The second stage loads the third stage (the downloader itself) from an encrypted, hardcoded path, and registers the third-stage DLL as a port monitor.
The second stage registers the third-stage DLL with the following registry key and value
The registered DLL is loaded by spoolsv.exe at system startup and therefore runs with SYSTEM privileges. The second stage also checks that a file with the same name as the third-stage DLL is present in %system32%.
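Port monitor persistence leaves a fixed footprint: each monitor is a subkey under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, and its Driver value names the DLL that spoolsv.exe loads from %SystemRoot%\System32. The following hunt script is an added example written for this article, not ESET's code and not taken from the report; it enumerates every registered port monitor and flags any whose driver DLL is missing, carries an absolute path, or is not validly signed by Microsoft. The Get-PortMonitorFindings function name and the Microsoft-signer check are the author's assumptions; the article does not name the exact key or value DePriMon writes.

```powershell
# Added example (not from the ESET report): hunt for suspicious print port monitors.
# Each monitor lives at HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\<Name>;
# its REG_SZ "Driver" value names a DLL that spoolsv.exe loads at boot with SYSTEM rights.
$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$System32    = Join-Path $env:SystemRoot 'System32'

function Get-PortMonitorFindings {
    # Function name is hypothetical; one object per registered monitor.
    Get-ChildItem -Path $MonitorsKey -ErrorAction Stop | ForEach-Object {
        $name   = $_.PSChildName
        $driver = (Get-ItemProperty -Path $_.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { return }

        # Legitimate monitors use a bare file name resolved against System32;
        # an absolute path is itself worth a second look.
        $rooted = [System.IO.Path]::IsPathRooted($driver)
        $path   = if ($rooted) { $driver } else { Join-Path $System32 $driver }

        $reasons = @()
        if ($rooted) { $reasons += 'absolute driver path' }

        if (-not (Test-Path -LiteralPath $path)) {
            $reasons += 'driver DLL missing on disk'
        } else {
            # Get-AuthenticodeSignature also resolves catalog-signed Windows binaries.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                # Assumption: anything not signed by Microsoft is treated as suspicious.
                $reasons += "signed by $($sig.SignerCertificate.Subject)"
            }
        }

        [pscustomobject]@{
            Monitor    = $name
            Driver     = $driver
            Path       = $path
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Usage: list only the monitors that tripped a check.
Get-PortMonitorFindings | Where-Object Suspicious | Format-Table -AutoSize
```

For real-time detection rather than a periodic hunt, the same key can be watched with Sysmon Event ID 13 (RegistryEvent, value set) filtered on a TargetObject under Control\Print\Monitors, which catches the moment the second stage writes the Driver value.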
To hinder analysis, the malware authors store the encrypted configuration file in a temporary folder.
DePriMon is downloaded into memory and executed directly from there as a DLL (reflective DLL loading), so it is never written to disk. It is a powerful and persistent tool used to download other malware.