Kerrdown

Malware Profile Updated 24 days ago
KerrDown is a custom downloader malware family that the cyber-espionage group OceanLotus has actively employed since early 2018. Delivery relies primarily on ActiveMime documents, a method previously observed in OceanLotus campaigns. Two methods were identified for delivering the KerrDown downloader to targets: in the first, only the KerrDown downloader DLL is saved on the system and the payload is executed directly in memory without ever being written to disk; in the second, .exe files mimicking Windows Word are used, and the accompanying 'wwlib.dll' file is the malicious KerrDown downloader DLL, which is sideloaded when the .exe file is executed.

The Jaccard-index algorithm was used to quickly find similarities to the new KerrDown family across various datasets. This analysis also allowed patterns in OceanLotus' operational hours and days of the week to be identified. During the investigation, multiple RAR files containing KerrDown variants were found; depending on the operating system architecture, one of the two embedded KerrDown DLLs is dropped onto the victim's machine. The link to the final KerrDown payload was still active at the time of analysis, which allowed a copy to be downloaded; it turned out to be a variant of Cobalt Strike Beacon.

The emergence of the KerrDown downloader in recent campaigns shows OceanLotus' continual development and use of new tools and techniques in its operations and playbooks. The findings of the KerrDown investigation gave valuable insight into the malware family the OceanLotus group was likely employing at the time of analysis. AutoFocus tags were made available for additional context on both OceanLotus and KerrDown.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are possible overlapping names and profiles that may also be worth looking at. None are currently listed for this profile.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware: No associations to display
Associated Threat Actors: No associations to display
Associated Vulnerabilities: No associations to display
Source Document References
Information about the Kerrdown malware was read from the document corpus below.
Source: MITRE, created a year ago. Title: Tracking OceanLotus' new Downloader, KerrDown