The Dimnie trojan was first identified in 2014 and a new version was discovered in January 2017 after GitHub users were targeted in a malicious email campaign. Unknown actors began selecting GitHub users to send recruitment emails, expressing interest in hiring them. The email contains an attachment purportedly detailing job specifications. The attachment is an archive which unzips into a macro-containing Word document. If the user enables macros, PowerShell commands download and install the Dimnie trojan. This new version is a highly modular piece of malware and has the ability to disguise malicious traffic under fake domains and DNS requests and executes new modules in the operating system memory; this fileless behavior helps them evade detection. It masks upload and download network traffic as innocuous user activity, exploiting defenders' ideas of what normal traffic should look like, further decreasing the likelihood of detection.
- Palo Alto Networks provides technical details on the Dimnie trojan, available here.