New Legion Loader Delivers a Variety of Malware

Legion Loader is a new dropper that is already in wide use. It is distinguished by the wide range of malware it has been seen to drop and by its continuing development. The implication is that it is available for hire as part of the burgeoning malware-as-a-service black market.


While other droppers often become associated with particular malware (Emotet is known to drop Trickbot, and Trickbot is known to drop Ryuk and LockerGoga ransomware, and more recently web skimming malware), Legion is already known to drop a wide range of malware. This includes infostealers such as Vidar, Predator and Raccoon, as well as a crypto stealer, a crypto miner and an RDP backdoor.

[Figure: Malware installed by Legion Loader as a service. Image credit: Deep Instinct]

A Legion campaign has been detected, and the dropper used has been analyzed by researchers at Deep Instinct. The analysis was ‘fairly straightforward’: although it includes several sandbox and research tool evasions, it lacks string obfuscation.

It is, they say, “written in MS Visual C++ 8 (very likely by a Russian-speaking individual) and shows signs of being in active development.” They do not give any indication of how Legion is initially installed on the victim's machine, but rather describe what it does. The targets currently appear to be largely in the U.S. and Europe. Each dropper is designed to deliver 2-3 additional malware payloads and includes a built-in fileless cryptocurrency stealer and browser credential harvester.

It arrives with typical black hat black humor: detected user agent strings have included autizm, satan, suspiria, fuck u, and lilith. Its first step is to check in with its designated server. If the expected reply is not received, it terminates. If the check-in succeeds, it downloads the 2 or 3 additional payloads, normally from the C&C server but occasionally from a free hosting service.
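Because no legitimate browser sends a user agent that consists solely of one of these words, an exact match on the whole field is a high-fidelity hunt over web proxy logs. The following is an added example, not code from the article or from Deep Instinct; it assumes the proxy writes Combined Log Format, and the log lines, addresses and hostnames are constructed.

```python
import re
from collections import defaultdict

# User-agent strings reported for Legion Loader in the article above.
LEGION_USER_AGENTS = {"autizm", "satan", "suspiria", "fuck u", "lilith"}

# Assumed format: host ident user [time] "METHOD url proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two suspicious clients and one benign request whose URL
# (but not user agent) happens to contain one of the words.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2020:10:00:01 +0000] "GET http://host-a.example.test/check HTTP/1.1" 200 12 "-" "satan"
192.0.2.10 - - [01/Jan/2020:10:00:05 +0000] "GET http://host-a.example.test/p1.bin HTTP/1.1" 200 90112 "-" "satan"
192.0.2.22 - - [01/Jan/2020:10:01:00 +0000] "GET http://news.example.test/satan-review HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.31 - - [01/Jan/2020:10:02:00 +0000] "POST http://host-b.example.test/gate HTTP/1.1" 200 0 "-" "Lilith"
"""


def hunt_legion_user_agents(lines):
    """Return {client_ip: [requested URLs]} for requests whose entire
    User-Agent header equals one of the reported strings (case-insensitive)."""
    hits = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line.strip())
        if not match:
            continue  # unparsable line: skip rather than guess at fields
        # Whole-field comparison, not substring search, to avoid flagging
        # real browsers or URLs that merely contain one of the words.
        if match["ua"].strip().lower() in LEGION_USER_AGENTS:
            hits[match["client"]].append(match["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in hunt_legion_user_agents(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {len(urls)} request(s) -> {urls}")
```

The user agent is trivially changed by the operator, so an empty result does not rule out infection; treat a hit as a lead to pivot on the contacted hosts.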

When the downloads are complete, Legion executes a lightly obfuscated PowerShell command that delivers the cryptocurrency stealer and a browser credential harvester. The crypto stealer contacts the C&C and receives further PowerShell code that sweeps the system for stored wallets and any related credentials.


If any are found, Legion again contacts the C&C, and receives more PowerShell code (to set up the stealer) and a DLL (used in further communication encryption). Once this is complete, it downloads a browser credential harvester. Credentials and wallet files are uploaded to the C&C.

It may also deploy an RDP-based backdoor. This arrives as a Nullsoft Scriptable Install System (NSIS) installer and employs an embedded Blowfish DLL to decrypt strings that form a cmd.exe command. This executes an embedded PowerShell script, which contains a large DES-encrypted blob that is then decrypted. This blob contains other blobs that are gzip-compressed and base64-encoded.

“These blobs,” note the researchers, “are decoded and decompressed using a set of contained functions and are deployed by the PowerShell code to %programfiles%/windows mail/appcache.xml or %/default_list.xml, based on the executing machine’s operating system. While the written file’s extension is .xml they are actually .DLL files. After the required .DLL containing blob has been deployed, it is registered as a system service.” 
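A file named .xml that is really a DLL can be found by checking content rather than extension. The following is an added example, not code from the article or from Deep Instinct: it walks a directory, reads the header of each .xml file and reports those that parse as a PE image. The function names and the sample header bytes are constructed for illustration.

```python
import struct
from pathlib import Path

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit that marks a DLL


def pe_kind(data: bytes):
    """Return 'dll' or 'exe' if data starts with a valid PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    # 4-byte signature + 20-byte COFF header must fit in what we read.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_disguised_pe(root, extensions=(".xml",)):
    """Return sorted (file name, kind) pairs for data-named files holding a PE image."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            with path.open("rb") as handle:
                kind = pe_kind(handle.read(4096))  # headers normally sit well inside 4 KiB
        except OSError:
            continue  # locked or unreadable file: skip, do not abort the sweep
        if kind:
            hits.append((path.name, kind))
    return sorted(hits)


def constructed_pe_header(dll: bool) -> bytes:
    """Build a minimal, non-functional PE header purely as test input."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, IMAGE_FILE_DLL if dll else 0x0002)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    import sys
    for name, kind in find_disguised_pe(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: PE {kind} stored with a data-file extension")
```

Pair any hit with a review of service registrations whose binary path points at the flagged file, since the article notes the DLL is registered as a system service.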

It is too early to know how widely Legion will be adopted by the criminal fraternity in the future, but the range of malware it has been seen to drop suggests that it has not been developed by a criminal gang to deliver a particular malware, but is designed to offer a service to deliver malware of choice. One of the infostealers it has delivered, Raccoon, is itself an increasingly popular product provided as a service. This type of criminal activity, where more adept coders provide malware for the larger number of wannabe hackers, is likely to grow.

Deep Instinct provides a long list of IoCs comprising Legion Loader samples, dropped malware samples, and Legion Loader and crypto stealer C&C domains.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
