KrDownloader

Downloader

⚠️ Overview

KrDownloader is a lightweight downloader first documented by Proofpoint in October 2020 and attributed to the threat actor TA551 (also tracked as Shathak). It is used to deliver secondary payloads, primarily the banking trojans and information stealers Ursnif and IcedID. It belongs to the Downloader category: it obtains initial execution through malicious email campaigns and then retrieves and runs additional modules from command-and-control servers. Note that UNC1878, sometimes listed as an alias, is a separate Mandiant-tracked cluster associated with Ryuk deployment, not another name for TA551.

🔧 Technical Capabilities

KrDownloader arrives through spear-phishing emails carrying weaponized attachments, typically Excel workbooks with embedded macros or ISO images containing LNK shortcuts, and relies on VBA macro execution or DLL side-loading to drop the initial payload. Once running, it persists through a scheduled task or a Registry Run key. Its C2 channel is HTTPS to dynamic DNS domains; Proofpoint reported domains such as "sierramadre[.]com" and IP addresses on bulletproof hosting providers. Because these domains rotate per campaign, domain and IP indicators age quickly and should be refreshed from current intelligence rather than pinned in a static blocklist. Evasion techniques include sleep timers, anti-sandbox checks (CPU core count and RAM size, both of which are low in many analysis VMs), and string obfuscation using base64 and XOR encoding. After downloading the next-stage payload, KrDownloader runs it in memory via process hollowing or reflective DLL injection, so the payload is never written to disk as a file that a scanner could inspect.
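As an added example (not code from the original page and not taken from any reported KrDownloader sample), the following Python recovers obfuscated strings of the kind described above under an assumed scheme: each string is XORed with a single-byte key and then base64-encoded. The key 0x5A, the sample strings and the scoring heuristic are this example's own choices; the page does not specify how the real encoder works.

```python
"""Recover single-byte-XOR keys from base64-wrapped strings.

Assumed scheme (not confirmed by the page): plaintext XOR one-byte key,
then base64. The sample strings and the key 0x5A are constructed here."""
import base64
import string

PRINTABLE = set(string.printable.encode("ascii"))
# Characters typical of C2 URLs, paths and user-agents. Used to break ties
# between keys that all yield printable output (e.g. the true key vs key^0x01).
URLISH = set(b"abcdefghijklmnopqrstuvwxyz0123456789:/.-_ ")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def obfuscate(plain: str, key: int) -> str:
    """Encoder side of the assumed scheme; only used to build samples."""
    return base64.b64encode(xor_bytes(plain.encode("ascii"), key)).decode("ascii")


def score(candidate: bytes):
    """(printable ratio, URL-ish ratio); higher means more plausible plaintext."""
    n = len(candidate) or 1
    return (sum(b in PRINTABLE for b in candidate) / n,
            sum(b in URLISH for b in candidate) / n)


def recover_key(blob: str, min_printable: float = 0.95):
    """Try all 256 keys; return (key, plaintext) or None if nothing looks like text."""
    raw = base64.b64decode(blob, validate=True)
    best_key, best_plain, best_score = None, None, (0.0, 0.0)
    for key in range(256):
        cand = xor_bytes(raw, key)
        s = score(cand)
        if s > best_score:
            best_key, best_plain, best_score = key, cand, s
    if best_score[0] < min_printable:
        return None  # random-looking bytes: not a single-byte-XOR string
    return best_key, best_plain.decode("ascii", errors="replace")


# Constructed samples: a C2 URL and the spoofed User-Agent, both under key 0x5A,
# plus a blob of non-text bytes that should be rejected.
SAMPLE_KEY = 0x5A
SAMPLE_STRINGS = [
    "https://c2.example.test/gate.php",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)",
]
SAMPLE_BLOBS = [obfuscate(s, SAMPLE_KEY) for s in SAMPLE_STRINGS]
NOISE_BLOB = base64.b64encode(bytes(range(256))).decode("ascii")


def run_demo():
    """Decode the two samples and the noise blob; the last result is None."""
    return [recover_key(b) for b in SAMPLE_BLOBS + [NOISE_BLOB]]


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

Printable ratio alone is not enough to pick the key: XOR with the true key and with the true key XOR 0x01 both give fully printable output for many strings, which is why the second, URL-oriented score is used as a tie-breaker. The threshold rejects blobs that are not text at all, which matters when the same routine is run over every base64-looking string carved from a sample.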

📜 History & Notable Incidents

First observed in mid-2020, KrDownloader became prominent in campaigns targeting insurance, legal, and financial services firms across North America and Europe. Notable incidents include a December 2020 wave distributing Ursnif through COVID-19-themed lures, and a March 2021 campaign delivering IcedID to Canadian healthcare organizations. No specific CVEs are directly linked to KrDownloader itself, as it relies on social engineering rather than exploits. Law enforcement actions have not targeted this specific malware, but TA551 operations were partially disrupted by takedowns of its C2 providers in 2022.

🔍 Detection Indicators

File hashes change with every campaign, so they should be taken from a current threat-intelligence feed rather than a static list; no representative SHA-256 is reproduced here. Behavioral indicators are more durable: DNS queries to .xyz or .top domains with random-looking subdomains; HTTP POST requests to "/gate.php" or "/index.php" carrying encrypted bodies; scheduled tasks named "AdobeUpdateTask" or "MicrosoftEdgeUpdate"; a value named "SysHelper" under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; and the mutex "Global\KRD_Inst". The User-Agent string "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)" is commonly spoofed. A User-Agent is trivially forged and identifies nothing on its own, so use it only to corroborate the other indicators; the one weak tell is that this string stops short of the Chrome/Safari product tokens a genuine Chrome client appends.
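The following Python triages constructed telemetry against the behavioral indicators listed above. It is an added example, not tooling from the page or from any vendor; the event schema, rule names, the entropy threshold for "random-looking" subdomains, and the sample events are all assumptions made here.

```python
"""Triage constructed endpoint/network telemetry for KrDownloader indicators.

Added example: the event schema, rule names, entropy threshold and sample events
are assumptions made here, not tooling from the page or any vendor."""
import math
from collections import Counter

C2_PATHS = {"/gate.php", "/index.php"}
SUSPECT_TLDS = (".xyz", ".top")
TASK_NAMES = {"AdobeUpdateTask", "MicrosoftEdgeUpdate"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "SysHelper"
MUTEX = r"Global\KRD_Inst"
SPOOFED_UA = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) "
              "AppleWebKit/537.36 (KHTML, like Gecko)")


def shannon_entropy(s: str) -> float:
    """Bits per character; DGA-style labels score high, dictionary words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dns_rule(ev):
    qname = ev["qname"].rstrip(".").lower()
    if not qname.endswith(SUSPECT_TLDS):
        return None
    label = qname.split(".")[0]
    # Threshold is an assumption: 8+ chars at >= 3.0 bits/char (all distinct).
    if len(label) >= 8 and shannon_entropy(label) >= 3.0:
        return "dns-random-subdomain-suspect-tld"
    return None


def http_rule(ev):
    if ev["method"] != "POST" or ev["path"] not in C2_PATHS:
        return None
    # The UA is trivially spoofed, so it only raises confidence; the POST to a
    # gate path is the actual signal.
    if ev.get("ua") == SPOOFED_UA:
        return "http-post-c2-gate"
    return "http-post-c2-gate-weak"


def schtask_rule(ev):
    # Exact match on purpose: Edge's real updater tasks share the prefix.
    return "schtask-known-name" if ev["task_name"] in TASK_NAMES else None


def registry_rule(ev):
    if ev["key"].lower() == RUN_KEY.lower() and ev["value_name"] == RUN_VALUE:
        return "runkey-syshelper"
    return None


def mutex_rule(ev):
    return "mutex-krd-inst" if ev["name"] == MUTEX else None


RULES = {"dns": dns_rule, "http": http_rule, "schtask": schtask_rule,
         "registry": registry_rule, "mutex": mutex_rule}


def triage(events):
    """Return [(event id, rule name)] for every event that matches a rule."""
    hits = []
    for ev in events:
        rule = RULES.get(ev["type"])
        verdict = rule(ev) if rule else None
        if verdict:
            hits.append((ev["id"], verdict))
    return hits


# Constructed sample events; ids 1, 3, 5, 6, 7 and 9 should fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "dns", "qname": "qz8k3lxd.updates-cdn.top"},
    {"id": 2, "type": "dns", "qname": "www.example.xyz"},
    {"id": 3, "type": "http", "method": "POST", "path": "/gate.php", "ua": SPOOFED_UA},
    {"id": 4, "type": "http", "method": "GET", "path": "/index.php", "ua": SPOOFED_UA},
    {"id": 5, "type": "schtask", "task_name": "MicrosoftEdgeUpdate"},
    {"id": 6, "type": "registry", "key": RUN_KEY, "value_name": "SysHelper"},
    {"id": 7, "type": "mutex", "name": MUTEX},
    {"id": 8, "type": "schtask", "task_name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"id": 9, "type": "http", "method": "POST", "path": "/index.php", "ua": "curl/8.0.1"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The task-name rule matches exactly rather than by prefix because Microsoft Edge's legitimate updater tasks are named MicrosoftEdgeUpdateTaskMachineCore and MicrosoftEdgeUpdateTaskMachineUA; a prefix match would fire on every healthy host. Likewise the HTTP rule reports a POST to a gate path without the spoofed User-Agent as a weaker hit rather than dropping it, since the agent string is the easiest part of the indicator for an operator to change.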

☠️ Risk & Impact

KrDownloader itself does not exfiltrate data; its impact comes from the payloads it stages, which steal credentials, exfiltrate documents, and in follow-on intrusions deploy ransomware such as Ryuk or Conti. Losses from incidents that began with KrDownloader have been estimated in the millions of dollars, driven mainly by business email compromise and ransomware. Affected sectors include healthcare, insurance, and manufacturing; incident response firms such as Mandiant have reported an average dwell time of about 14 days between initial infection and lateral movement.

🛡️ Mitigation

Defenders should disable Office macros by default (and keep the built-in block on macros in files marked as downloaded from the internet), block executable and container attachments (.exe, .scr, .iso, .img, .lnk) at the email gateway, and deploy YARA rules for the encoder strings and C2 domain patterns. Suricata or Snort rules should flag HTTP POST requests to "/gate.php" and "/index.php" on dynamic DNS domains. Keep Microsoft Office and Windows patched as baseline hygiene even though no specific CVE is exploited. EDR products such as CrowdStrike or SentinelOne can detect the process hollowing and reflective injection behaviors that mark the in-memory stage, which is the point at which the downloader is most reliably distinguishable from ordinary Office activity.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.