We have observed multiple attacks targeting government organizations in Asia, all involving DLL sideloading – historically a favorite technique of China-based APT groups – as far back as 2013 and as recently as 2020. In this article, we look at the evidence that connects five of them, showing how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time. Understanding how cases are related helps defenders (and customers) think about not just who's doing the attacking, but about what kind of threats may be afoot – and, naturally, how to prioritize analysis and defense for best results.

In the most interesting of the five cases, a USB worm infected organizations in Southeast Asia. This worm copies everything it finds in specific directories when replicating itself, including components of other APT attacks by Mustang Panda and LuminousMoth. We don't have any evidence that the three APTs are linked, and we also know that multiple USB worms, when infecting systems simultaneously, may inadvertently combine their files. (This is similar to macro virus mating, a phenomenon identified over twenty-five years ago.)

The case involving the USB worm has significant overlap with the other four cases we observed, including loader DLLs using the same kind of code flow obfuscation and identical loader shellcode. We can't be sure that it's the same threat actor behind both the USB worm case and the other attacks – it may be different threat actors with access to the same tooling – but the similarities are compelling.

We'll take a deep dive into all five cases, further detailing the infection timeline of the USB-worm attack in an appendix. We'll spotlight a piece of shellcode that seems to be the common thread in all five cases, and then dig into extended step-by-step breakdowns of seven scenarios we associate with these cases. We'll close with indicators of compromise associated with these cases, which we will also make available on our GitHub.

Before all that, though, it's worth briefly defining what DLL sideloading is, as it's often confused with a similar attack called DLL preloading.

About DLL sideloading and preloading

DLL sideloading and preloading (sometimes known as search-order hijacking) are both attacks that hijack execution flow, although there is a subtle distinction between them.

DLL preloading (AKA search order hijacking) – T1574/001

2.2: Second sideloading attack

As in the previous case, this attack featured two sideloading attempts. In fact, the first was exactly the same as seen in the previous two cases. Next, the executable googleupdate.exe (which, despite its name, has nothing to do with Google; it's a clean, digitally signed VLC Media Player application) in c.rar is used to sideload libvlc.dll, a malicious loader that loads the payloads from the encrypted implants in the archive.

| SHA-1 | File | Role |
|---|---|---|
| 86f7661039a0855be8d6d1cb55391f398932e80c | googleupdate.exe | clean VLC EXE |
| ed67a11646c1b28bc856941743331acb47f1b7b4 | goopdate.ja | encrypted implant |
| e5be6f621c4a10372837baf795a37b1caa942d23 | libvlc.dll | malicious loader |
| b2eb8516ab136aa44106c13cc859dcee77d1bc1f | loader.ja | encrypted implant |
| d90355d2a53b662c1d3fe7ab4430d3955a54f73f | time.sig | encrypted config |

Conveniently, those implants write out detailed debug logs on their progress:

- X1-x4: module execution progress messages
- P1-p11: privilege escalation progress messages

Once this second sideloading attack is complete, the malware connects to the stager server, this time over port 443. This attack was detected by Sophos' HeapHeapProtect dynamic-shellcode mitigation, which prevents code running in heap space from adding arbitrary code into the memory space of the original application, and similarly prevents lateral code injection into other applications (and flags the attempt).
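As an added defender-side illustration (not code from the Sophos write-up), the check below scores image-load telemetry for the pattern seen in the second sideloading attack: a signed executable whose on-disk name does not match its version-info name, loading an unsigned DLL from its own directory. The sample events, the C:\Users\Public\c drop path and the VideoLAN signer name are constructed assumptions, not values from the cases.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Install locations where an EXE loading a DLL from its own directory is normal.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

@dataclass
class ImageLoad:
    """One image-load event; fields modelled on Sysmon Event ID 7, values constructed."""
    process_path: str           # on-disk path of the process executable
    process_signer: str         # Authenticode publisher of the EXE, "" if unsigned
    process_original_name: str  # OriginalFilename from the EXE's version resource
    dll_path: str
    dll_signer: str             # Authenticode publisher of the DLL, "" if unsigned

def sideloading_indicators(ev: ImageLoad) -> list:
    """Return the sideloading indicators present in one image-load event."""
    exe, dll = PureWindowsPath(ev.process_path), PureWindowsPath(ev.dll_path)
    exe_dir = str(exe.parent).lower() + "\\"
    dll_dir = str(dll.parent).lower() + "\\"
    if exe_dir != dll_dir:
        return []  # classic sideloading needs the DLL beside the EXE; other loads are out of scope
    reasons = []
    if not any(dll_dir.startswith(t) for t in TRUSTED_DIRS):
        reasons.append("dll loaded from the executable's own directory outside an install location")
    if ev.process_signer and ev.dll_signer != ev.process_signer:
        reasons.append("signed executable loads a dll not signed by the same publisher")
    if ev.process_original_name and ev.process_original_name.lower() != exe.name.lower():
        reasons.append("on-disk executable name differs from its version-info OriginalFilename")
    return reasons

def is_sideloading_suspect(ev: ImageLoad) -> bool:
    """Alert only when two or more indicators coincide, so ordinary vendor installs stay quiet."""
    return len(sideloading_indicators(ev)) >= 2

# Constructed sample events. The first mirrors the case above: a renamed, signed VLC
# executable in a user-writable folder (assumed path) beside an unsigned libvlc.dll.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\c\googleupdate.exe", "VideoLAN", "vlc.exe",
              r"C:\Users\Public\c\libvlc.dll", ""),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe", "VideoLAN", "vlc.exe",
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "VideoLAN"),
    ImageLoad(r"C:\Windows\System32\svchost.exe", "Microsoft Windows", "svchost.exe",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
]
```

The legitimate VLC install and the System32 load produce no indicators, while the renamed googleupdate.exe beside an unsigned libvlc.dll trips all three.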