Abstract
As sophisticated as GuLoader, a highly obfuscated and evasive malware loader, a similar loader with various built-in evasion capabilities has appeared that executes malware stagers in memory: the IDAT Loader. First seen in August 2023, it has been analyzed by researchers who identified multiple attack chains delivering malware families such as Lumma, Redline, Danabot, Vidar and Amadey. We have found two variants of IDAT loader in the wild: Vidar and Lumma operators use the first variant, in which the threat actors use a C2 server to download decoy PNG files with a malicious IDAT section, while the second variant carries the decoy packed within itself, eliminating the malicious C2 connection. The IDAT loader first contacts a legitimate domain, then requests a PNG file from a C2 server. This PNG is a decoy that contains malicious shellcode and the name of the process it is to be injected into using Process Doppelganging. The loader searches the downloaded PNG for the DWORD "IDAT" to locate the XOR key that immediately follows it; the remainder is encrypted data. Once decrypted, the data is still compressed and is decompressed with RtlDecompressBuffer. The result contains the shellcode and the name of the legitimate Windows process to inject into. We will present code-level reverse engineering of both variants of IDAT loader as used to deploy Amadey, Raccoon, Lumma, and Vidar, and discuss the similarities between their code blocks. Our presentation will conclude with a discussion of the hunting techniques we use to stay ahead of IDAT loader campaigns and protect our customers globally.
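As an added illustration of the decode path described above (example code written for this page, not code from the loader or from the authors): a Python triage helper that walks a decoy file for the "IDAT" marker, takes the bytes right after it as the XOR key, XOR-decrypts the remainder and runs it through a minimal LZNT1 decoder, the format RtlDecompressBuffer handles when called with COMPRESSION_FORMAT_LZNT1. The four-byte key length, the LZNT1 choice, and the decompressed layout (a NUL-terminated process name followed by the code) are assumptions; the sample blob is hand-assembled, not a real capture.

```python
"""Triage helper for IDAT-loader style decoy PNGs (added example, not the loader's code).

Assumptions (not stated on the page): the XOR key is one DWORD, the compressed
stream is LZNT1, and the decompressed buffer is NUL-terminated process name + code.
"""
import struct

IDAT_MARKER = b"IDAT"
KEY_LEN = 4  # assumption: one DWORD of key material right after the marker


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress(data: bytes) -> bytes:
    """Minimal LZNT1 decoder (MS-XCA 2.3): 4 KiB chunks, flag-byte driven tokens."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                 # a zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1    # low 12 bits: chunk data length - 1
        chunk = data[pos:pos + size]
        pos += size
        if not header & 0x8000:         # bit 15 clear: stored (uncompressed) chunk
            out += chunk
            continue
        chunk_out = bytearray()
        cpos = 0
        while cpos < len(chunk):
            flags = chunk[cpos]
            cpos += 1
            for bit in range(8):        # one flag bit per token, LSB first
                if cpos >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    chunk_out.append(chunk[cpos])   # literal byte
                    cpos += 1
                    continue
                # Back-reference: the displacement/length split widens with the
                # output position; displacement gets max(4, bits for position-1).
                dbits = max(4, (len(chunk_out) - 1).bit_length())
                lbits = 16 - dbits
                token = struct.unpack_from("<H", chunk, cpos)[0]
                cpos += 2
                length = (token & ((1 << lbits) - 1)) + 3
                offset = (token >> lbits) + 1
                if offset > len(chunk_out):
                    raise ValueError("LZNT1 back-reference points before chunk start")
                for _ in range(length):             # byte-wise copy so overlap works
                    chunk_out.append(chunk_out[-offset])
        out += chunk_out
    return bytes(out)


def extract_payload(blob: bytes):
    """Try every IDAT occurrence (real PNGs carry legitimate IDAT chunks too) and
    return (process_name, code, marker_offset) for the first one that decodes."""
    start = 0
    while True:
        idx = blob.find(IDAT_MARKER, start)
        if idx < 0:
            return None
        key_at = idx + len(IDAT_MARKER)
        key = blob[key_at:key_at + KEY_LEN]
        try:
            plain = lznt1_decompress(xor_with_key(blob[key_at + KEY_LEN:], key))
            name, sep, code = plain.partition(b"\x00")
            # Sanity check so a legitimate IDAT chunk decoded as garbage is skipped.
            if sep and name.isascii() and name.lower().endswith(b".exe"):
                return name.decode(), code, idx
        except (ValueError, struct.error):
            pass
        start = idx + 1


def build_sample_blob() -> bytes:
    """Constructed decoy: PNG signature, fake IHDR, then IDAT + key + XOR(LZNT1(payload))."""
    # Hand-assembled LZNT1 chunk for b"explorer.exe\x00" + b"CODE" * 8 (45 bytes);
    # "CODE" * 8 is a stand-in for the injected code, not real shellcode.
    chunk = (
        b"\x00" + b"explorer"              # flags 0x00: eight literals
        + b"\x00" + b".exe\x00COD"         # flags 0x00: eight literals
        + b"\x02" + b"E" + b"\x19\x18"     # literal 'E', then back-ref offset 4, length 28
    )
    compressed = struct.pack("<H", 0xB000 | (len(chunk) - 1)) + chunk
    key = b"\x5a\xa5\x3c\xc3"              # constructed key
    return (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
            + IDAT_MARKER + key + xor_with_key(compressed, key))


if __name__ == "__main__":
    print(extract_payload(build_sample_blob()))
```

Because a genuine PNG already contains IDAT chunks, the helper validates each candidate instead of trusting the first marker hit; the decoded target process name is the kind of artifact worth pivoting on when hunting for loader activity across captured decoys.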