Lambert Toolkit Malware Family Unraveled

Lambert Toolkit Malware Featured Image

This guide will give you detailed technical information and removal instructions about the Lambert Toolkit which is also known under the alias of Longhorn.

Lambert Toolkit Malware Analysis

The first instance of the Lambert Toolkit was detected back in 2014 when FireEye staff discovered a hacker attack initiated through a zero-day vulnerability. The reported issue was tracked in the CVE-2014-4148 report which reads the following: win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted TrueType font, as exploited in the wild in October 2014, aka “TrueType Font Parsing Remote Code Execution Vulnerability.

This first instance carried a malware which is dubbed as Black Lambert, the analysis shows that it was used in coordinated campaigns against high-profile organizations in Europe. The interesting fact about this strain is that during analysis the researchers uncovered an interesting string – toolType=wl, build=132914, versionName = 2.0.0. This allowed them to investigate another series of related viruses which have been dubbed as White Lambert. Unlike the Black iteration the White Lambert is categorized as a passive and network-driven backdoor. The virus has been identified with four separate versions:

  1. ToolType “aa”, protocol 3, version 7, versionName 5.0.2, build 113140.

  2. ToolType “aa”, protocol 3, version 7, versionName 5.0.0, build 113140.

  3. ToolType “aa”, protocol 3, version 6, versionName 4.2.0, build 110836M.

  4. ToolType “aa”, protocol 3, version 5, versionName 3.2.0.

The similar strings in the various Lambert toolkit generated malware allowed the computer specialists to discover a large range of other evolved strains. Some of them include the following:

  1. Blue Lambert – It is used as a second stage attack in cases when the Black Lambert is the primary carrier.

  2. Green Lambert – This is an older version of Blue Lambert which is lighter and more reliable. It is presumed that the two variants have been developed in parallel by different hacker collectives. This particular strain has both a Windows and a Mac OS X version. The Mac strain however is not able to run plugins directly from memory which comes standard in the Windows version. It is also known under the following aliases: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5). One of the droppers used by the virus abuses an ICS software package called “Subway Environmental Simulation Program”. It is available online on specialist forums and communities that are related to industrial software.

  3. Pink Lambert – This is a feature-rich evolved version. The Pink Lambert includes a beacon implant, a multi-platform framework which can generate custom payload iterations and a modular USB-harvesting function. This version bears a close relationship with the White Lambert.

  4. Gray Lambert – This is the latest iteration of the passive versions of the Lambert Toolkit. The coding style resembles the Pink version however the functionality mirrors those of White Lambert. This particular evolution runs in user mode without the need for exploiting a vulnerable driver. It is able to load arbitrary code on the contemporary 64-bit Windows versions.

  5. SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

As a consequence the Lambert toolkit malware has been found to being most active in 2013-2014. The specialists state that some of the individual strains posses a combination of malicious modules which can cause a lot of damage to the victim systems:

  • Some of the Lambert viruses can extract data from network analysis making it possible to hijack sensitive information – user interaction with sites, services and applications. This can reveal account credentials and other private data.

  • Plugins can run in memory without any disk activity. This can be used to counter some basic virus detection engines.

  • The variants can exploit signed drivers which can lead to unsigned code execution.

We presume that the hackers are going to launch a new iteration of the Lambert Toolkit malware which is going to target other platforms as well – Android, iOS and Gnu/Linux are obvious choices. The fact that some of the iterations compromise the machines in a multi-stage pattern indicates that a specialized anti-malware solution must be used. It can defend against all types of viruses and delete active infections with a few mouse clicks.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *