Kerrdown

Malware updated 5 months ago (2024-05-04T23:18:20.201Z)
KerrDown is a custom downloader malware family that the cyber-espionage group OceanLotus has actively employed since early 2018. Its delivery is primarily facilitated through ActiveMime documents, a method previously observed in OceanLotus campaigns.

Two methods were identified for delivering the KerrDown downloader to targets. In the first, only the KerrDown DLL downloader is saved on the system, and the payload is executed directly in memory without ever being written to disk. In the second, .exe files mimicking Windows Word are used, with the accompanying 'wwlib.dll' file acting as the malicious KerrDown downloader DLL; it is sideloaded when the .exe file is executed.

The Jaccard-index algorithm was used to quickly find similarities to the new KerrDown malware family across various datasets. This analysis also allowed patterns in OceanLotus' operational hours and days of the week to be identified. During the investigation, multiple RAR files containing variants of the KerrDown malware were found; depending on the operating system architecture, one of the two embedded KerrDown DLLs would be dropped onto the victim's machine. Furthermore, the link to KerrDown's final payload was still active at the time of analysis, which enabled a copy to be downloaded; it turned out to be a variant of Cobalt Strike Beacon.

The emergence of the KerrDown downloader in recent campaigns shows OceanLotus' continual development and employment of new tools and techniques in its operations and playbooks. The findings from the KerrDown investigation provided valuable insights into the malware family the OceanLotus group was likely employing at the time of analysis. AutoFocus tags were made available for additional context, providing further information on both OceanLotus and KerrDown.
Description last updated: 2024-05-04T23:16:06.320Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the Kerrdown malware was read from the documents in the corpus below. This display is limited to 20 results.

Source: MITRE (created 2 years ago)