{"id":2162,"date":"2023-05-25T11:19:00","date_gmt":"2023-05-25T09:19:00","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2162"},"modified":"2023-05-26T07:41:45","modified_gmt":"2023-05-26T05:41:45","slug":"2162-2","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/2162-2\/","title":{"rendered":"New tricks of APT29 &#8211; update on the CERT.PL report"},"content":{"rendered":"\n<p>A new sample has been uploaded to VirusTotal, and its characteristics strongly resemble QUARTERRIG, a malware recently <a href=\"https:\/\/www.gov.pl\/web\/baza-wiedzy\/espionage-campaign-linked-to-russian-intelligence-services\">analyzed by CERT.PL<\/a> and linked to APT29. In said analysis, the campaign was named &#8220;<strong>Note<\/strong>&#8221;. Based on the aforementioned report, the purpose of this post is to show the new features of this new campaign, which we named &#8220;<strong>Information<\/strong>&#8221;.<\/p>\n\n\n\n<p>The hash of the sample made public in VirusTotal is b422ba73f389ae5ef9411cf4484c840c7c82f2731c6324db0b24b6f87ce8477d, and only 3 antivirus engines flagged the sample as malicious at the time of writing this post.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"448\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f50-1024x448.png\" alt=\"\" class=\"wp-image-2168\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f50-1024x448.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f50-300x131.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f50-768x336.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/f50.png 1302w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Sample in VirusTotal analysed in this report<\/figcaption><\/figure><\/div>\n\n\n\n<p>APT29 is a hacker group allegedly affiliated with <strong>one or more Russian intelligence agencies<\/strong>. 
It is a sophisticated group that has been carrying out attacks against European governments and diplomatic agencies since 2008.<\/p>\n\n\n\n<p>The main entry vector for APT29 is email. Using this vector, attackers attach a PDF with a link that will download an ISO.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">New campaign: &#8220;Information&#8221;<\/h1>\n\n\n\n<p>This new campaign, which will be referred to as <strong>Information<\/strong>, has a structure very similar to the <strong>Note<\/strong> campaigns shown in the CERT.PL report. The samples analyzed in that report are from March. However, from Lab52, <strong>we have observed a change in the operation of this type of malware since April, and in the latest analyzed samples, the injection method has varied<\/strong>. In this post, we use one of the latest samples to highlight the new changes in the mechanisms employed.<\/p>\n\n\n\n<p>This time <strong>the shellcode is stored in a file called &#8220;dbg.info&#8221;<\/strong>, unlike what we have been observing in previous campaigns. The <strong>Information.iso <\/strong>contains:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>AppvIsvSubsystems64.dll &#8211; DLL used to load a legitimate system DLL and inject the shellcode into it.<\/li><li>dbg.info &#8211; shellcode.<\/li><li>Information .exe &#8211; Legitimate binary <strong>signed by Microsoft<\/strong>. 
This will be used to load AppvIsvSubsystems64.dll (by DLL side-loading).<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"864\" height=\"195\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-14.png\" alt=\"\" class=\"wp-image-2171\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-14.png 864w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-14-300x68.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-14-768x173.png 768w\" sizes=\"(max-width: 864px) 100vw, 864px\" \/><figcaption>Contents of &#8220;Information.iso&#8221; versus &#8220;Note.iso&#8221; (past campaign)<\/figcaption><\/figure><\/div>\n\n\n\n<p>The compilation date for <strong>AppvIsvSubsystems64.dll<\/strong> in this new campaign is more recent than the previous one. This could suggest that changes were made to improve the sample.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"709\" height=\"424\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-15.png\" alt=\"\" class=\"wp-image-2172\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-15.png 709w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-15-300x179.png 300w\" sizes=\"(max-width: 709px) 100vw, 709px\" \/><figcaption>Compilation date AppvIsvSubsystems64.dll &#8211; Information<\/figcaption><\/figure><\/div>\n\n\n\n<p>This post focuses on the main differences between the previous campaign and the new one, in order to contribute to the community. The most noticeable change is the injection technique. Nevertheless, some additional notes are added for the curious.<\/p>\n\n\n\n<p>The objective is the same: the executable (Information.exe in this case) will be used to execute two DLLs. 
The first DLL is AppvIsvSubsystems64.dll, which will be loaded by the process as part of its execution. The second DLL will be loaded by AppvIsvSubsystems64.dll.<strong> In this case, however, the second DLL will be carefully modified with different techniques in order to minimize detection.<\/strong><\/p>\n\n\n\n<p>Therefore, Information.exe, which is a legitimate binary, will be the container for the malware to be executed. In order to do that, it will load AppvIsvSubsystems64.dll, which needs to identify a suitable system DLL to be modified \u2013 with the shellcode \u2013 before it is loaded into Information.exe. <strong>The main changes are located in AppvIsvSubsystems64.dll<\/strong>. Also, the command and control (C2) varies.<\/p>\n\n\n\n<p>The following diagram describes the infection chain analysed in this post.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"353\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/infection-1.png\" alt=\"\" class=\"wp-image-2305\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/infection-1.png 740w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/infection-1-300x143.png 300w\" sizes=\"(max-width: 740px) 100vw, 740px\" \/><figcaption><em>Infection chain &#8211; Information campaign<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\">Description of the APIs<\/h1>\n\n\n\n<p>When running the sample, the first difference lies in how <strong>AppvIsvSubsystems64.dll<\/strong> loads the functions needed for the execution. In the &#8220;Note&#8221; campaign, the functions are loaded at an earlier stage than in the Information campaign. 
Moreover, the decryption in this last case occurs at a different point, later during the execution.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"331\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-16-1024x331.png\" alt=\"\" class=\"wp-image-2176\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-16-1024x331.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-16-300x97.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-16-768x248.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-16.png 1344w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Entry point of AppvIsvSubsystems64.dll &#8211; Information vs Note<\/figcaption><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"381\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-17-1024x381.png\" alt=\"\" class=\"wp-image-2178\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-17-1024x381.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-17-300x112.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-17-768x286.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-17.png 1250w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption><em>Differences in .data &#8211; Information vs Note<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\">Shellcode injection<\/h1>\n\n\n\n<p>The way in which the sample injects shellcode into memory also varies from campaign to campaign. 
As can be seen in the report, &#8220;Note&#8221; reserves a memory space in its own process and writes the shellcode into it.<\/p>\n\n\n\n<p>In this case the injection process is more sophisticated: <strong>the injection is carried out by modifying the .text section of legitimate libraries<\/strong>. The following actions are performed by <strong>AppvIsvSubsystems64.dll<\/strong>.<\/p>\n\n\n\n<p>In order to do that, it first goes through each of the DLLs stored in <strong>System32<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"556\" height=\"306\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-21.png\" alt=\"\" class=\"wp-image-2188\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-21.png 556w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-21-300x165.png 300w\" sizes=\"(max-width: 556px) 100vw, 556px\" \/><\/figure><\/div>\n\n\n\n<p>Next, it checks the size of the DLL: it will only be a candidate if its size is greater than or equal to <strong>782629 bytes <\/strong>(the shellcode size).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"565\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-22.png\" alt=\"\" class=\"wp-image-2191\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-22.png 936w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-22-300x181.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-22-768x464.png 768w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><figcaption>Test DLL size<\/figcaption><\/figure><\/div>\n\n\n\n<p>The sample also checks that the candidate DLL is not already loaded in the executable (Information.exe). 
That is, the following table lists the DLLs already loaded in Information.exe and, therefore, discarded by the malware:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><tbody><tr><td>msvcp140.dll<\/td><td>combase.dll<\/td><\/tr><tr><td>msi.dll<\/td><td>sechost.dll<\/td><\/tr><tr><td>appvisvsubsystem64.dll<\/td><td>msvcrt.dll<\/td><\/tr><tr><td>vcruntime140.dll<\/td><td>kernel32.dll<\/td><\/tr><tr><td>vcruntime140_1.dll<\/td><td>imm32.dll<\/td><\/tr><tr><td>ucrtbase.dll<\/td><td>gdi32.dll<\/td><\/tr><tr><td>bcrypt.dll<\/td><td>rpcrt4.dll<\/td><\/tr><tr><td>win32u.dll<\/td><td>shell32.dll<\/td><\/tr><tr><td>msvcp_win.dll<\/td><td>advapi32.dll<\/td><\/tr><tr><td>kernelbase.dll<\/td><td>user32.dll<\/td><\/tr><tr><td>gdi32full.dll<\/td><td>ntdll.dll<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>After said checks, the malware has a set of candidate DLLs. The DLL selected for injection will vary in each execution, thanks to a randomization function implemented in the sample. <strong>A list of default candidate DLLs &#8211; those that satisfy the requirements needed by the malware &#8211; in Windows 10 64-bit is provided at the end of this post<\/strong>. This may vary depending on the operating system. However, by following the steps in this post, it is not difficult to prepare your own script. A similar technique is described in the <a rel=\"noreferrer noopener\" href=\"https:\/\/www.netero1010-securitylab.com\/evasion\/alternative-process-injection\" target=\"_blank\">Netero1010 post<\/a>.<\/p>\n\n\n\n<p>The malware selects the DLL used for the injection as follows.<\/p>\n\n\n\n<p>First, it uses the system time as a seed and applies a series of arithmetic operations to it. 
The result will be the seed of the next DLL to be checked.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-23.png\" alt=\"\" class=\"wp-image-2193\" width=\"526\" height=\"267\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-23.png 474w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-23-300x153.png 300w\" sizes=\"(max-width: 526px) 100vw, 526px\" \/><figcaption>Seed generation using system time<\/figcaption><\/figure><\/div>\n\n\n\n<p>Interestingly, the values it uses for multiplication and addition are identical to those provided in a <a href=\"https:\/\/www.holidayhackchallenge.com\/2019\/winners\/HolidayHackChallenge2019Report_Michael-Pella.pdf\">&#8220;Holiday Hack Challenge 2019&#8221;<\/a> challenge organized by SANS. In particular, in the challenge there is a function called &#8220;<strong>super_secure_random<\/strong>&#8221; that performs the same operations with the same operands to a seed (&#8220;state&#8221;).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"604\" height=\"257\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-24.png\" alt=\"\" class=\"wp-image-2194\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-24.png 604w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-24-300x128.png 300w\" sizes=\"(max-width: 604px) 100vw, 604px\" \/><figcaption>Comparison of the CTF algorithm (left) with the sample (right)<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, it checks if this resulting number is a multiple of 25 and if it is, it continues with the injection.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"371\" height=\"91\" 
src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-25.png\" alt=\"\" class=\"wp-image-2195\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-25.png 371w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-25-300x74.png 300w\" sizes=\"(max-width: 371px) 100vw, 371px\" \/><figcaption>Choice of random DLL<\/figcaption><\/figure><\/div>\n\n\n\n<p>Once the DLL has been chosen, the sample opens the library with CreateFileW (in the execution used to take the screenshots for this example, the DLL selected was &#8220;AppContracts.dll&#8221;).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"811\" height=\"498\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-26.png\" alt=\"\" class=\"wp-image-2197\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-26.png 811w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-26-300x184.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-26-768x472.png 768w\" sizes=\"(max-width: 811px) 100vw, 811px\" \/><figcaption>DLL opened<\/figcaption><\/figure><\/div>\n\n\n\n<p>At this point, the sample reads the headers of the library to run another round of checks. 
First, it looks at the &#8220;Magic&#8221; value to verify that it is a 64-bit system DLL (PE64).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"851\" height=\"191\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-27.png\" alt=\"\" class=\"wp-image-2199\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-27.png 851w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-27-300x67.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-27-768x172.png 768w\" sizes=\"(max-width: 851px) 100vw, 851px\" \/><figcaption>Magic value of the DLL candidate<\/figcaption><\/figure><\/div>\n\n\n\n<p>Another check is on the <strong>&#8220;SizeOfImage&#8221;<\/strong> field, which is the <strong>size to reserve in memory to load the executable<\/strong>. If it is less than <strong>782629<\/strong> <strong>bytes <\/strong>(shellcode size), the DLL is discarded.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"891\" height=\"251\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-28.png\" alt=\"\" class=\"wp-image-2201\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-28.png 891w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-28-300x85.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-28-768x216.png 768w\" sizes=\"(max-width: 891px) 100vw, 891px\" \/><figcaption>SizeOfCode of the candidate DLL<\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, the sample checks the size of the &#8220;.text&#8221; section (where the shellcode will be injected) and verifies that it is larger than <strong>782629<\/strong> <strong>bytes<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" 
width=\"845\" height=\"191\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-29.png\" alt=\"\" class=\"wp-image-2202\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-29.png 845w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-29-300x68.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-29-768x174.png 768w\" sizes=\"(max-width: 845px) 100vw, 845px\" \/><figcaption>Size of &#8220;.text&#8221; section of the candidate DLL<\/figcaption><\/figure><\/div>\n\n\n\n<p>At this point AppContracts.dll (the DLL selected in this execution) does not meet the injection requirements, so the search continues; the next suitable DLL found in this example is <strong>AppxPackaging.dll<\/strong>.<\/p>\n\n\n\n<p>After this screening, <strong>the malware will have about 283 candidates for injection<\/strong> in the system used. At the end of the post you will find a table with the possible DLLs into which the malware could be injected, <strong>considering the size required for the injection by this sample (782629) and the system where it is executed<\/strong>.<\/p>\n\n\n\n<p>At this point, the chosen DLL (in this example, AppxPackaging.dll) is ready to receive the shellcode, using the following injection method.<\/p>\n\n\n\n<p><strong>Step 1.<\/strong> It calls <strong>NtCreateSection <\/strong>to create a memory section in the process.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"244\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-30-1024x244.png\" alt=\"\" class=\"wp-image-2210\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-30-1024x244.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-30-300x71.png 300w, 
https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-30-768x183.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-30.png 1072w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Create section to map the DLL<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Step 2. <\/strong>It maps the library into that section with <strong>ZwMapViewOfSection.<\/strong><\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"272\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-32-1024x272.png\" alt=\"\" class=\"wp-image-2216\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-32-1024x272.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-32-300x80.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-32-768x204.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-32.png 1099w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Map the DLL<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Step 3. <\/strong>Once the library is mapped in memory, the memory protection is changed to allow writing the shellcode into it. 
<strong>The address passed to VirtualProtect corresponds to the &#8220;.text&#8221; section of the DLL<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-33-1024x213.png\" alt=\"\" class=\"wp-image-2220\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-33-1024x213.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-33-300x62.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-33-768x160.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-33.png 1040w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Change protection to RW (.text section)<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Step 4.<\/strong> After that, it writes the shellcode into the &#8220;.text&#8221; section.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"937\" height=\"573\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-34.png\" alt=\"\" class=\"wp-image-2222\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-34.png 937w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-34-300x183.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-34-768x470.png 768w\" sizes=\"(max-width: 937px) 100vw, 937px\" \/><figcaption>Write the shellcode in the .text section. Left: not infected. Right: infected<\/figcaption><\/figure><\/div>\n\n\n\n<p><strong>Step 5<\/strong>. 
Finally, the malware changes the permissions of the &#8220;.text&#8221; section back to \u201cEXECUTABLE_READ\u201d.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"238\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-35-1024x238.png\" alt=\"\" class=\"wp-image-2224\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-35-1024x238.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-35-300x70.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-35-768x178.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-35.png 1063w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>Change the .text section back to RX<\/figcaption><\/figure><\/div>\n\n\n\n<p>Once the shellcode is loaded, the execution is identical to what can be seen in the QUARTERRIG report of CERT.PL, but with a different C2. In this case, the actors use the URL <strong>hxxps:]]\/\/pizzais.com\/order.php<\/strong>.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Timeline<\/h1>\n\n\n\n<p>As mentioned before, <strong>Lab52 has observed the evolution in techniques since April<\/strong>. Specifically, here we provide an additional hash of a different file published on VirusTotal that uses this injection technique, found during the writing of this post. 
<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">Hash<\/th><th class=\"has-text-align-center\" data-align=\"center\">Description<\/th><th class=\"has-text-align-center\" data-align=\"center\">Date<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">C71EC48A59631BFA3F33383C1F25719E95E5A80936D913AB3BFE2FEB172C1C5E<\/td><td class=\"has-text-align-center\" data-align=\"center\">Note.iso injecting the shellcode in the .text section of the DLL<\/td><td class=\"has-text-align-center\" data-align=\"center\">28\/04\/2023<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Therefore, at least in one previously recorded case, the .iso file still bears the name &#8220;Note.iso&#8221;, which could indicate that <strong>the new technique was already in use<\/strong> in some samples of the previous campaign. However, the most recent observations show a change in the name to &#8220;Information&#8221;.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"481\" height=\"182\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/timeline.png\" alt=\"\" class=\"wp-image-2285\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/timeline.png 481w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/timeline-300x114.png 300w\" sizes=\"(max-width: 481px) 100vw, 481px\" \/><figcaption>Short timeline &#8211; Changes in the injection technique<\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\">Conclusions<\/h1>\n\n\n\n<p>Just as QUARTERRIG was the evolution of HALFRIG, in this new campaign APT29 has modified the logic of its DLL loader &#8220;AppvIsvSubsystems64.dll&#8221; to make it more sophisticated.<\/p>\n\n\n\n<p>Using randomly chosen legitimate DLLs for injection, instead of the process memory itself, adds another layer of complexity to the 
way the shellcode is loaded.<\/p>\n\n\n\n<p>A list of candidate system DLLs for injection is provided in this post. However, it must be considered carefully because these were extracted from a specific system by following the previous steps. Analysts can follow the steps described here to build their own script and obtain the list of DLL candidates usable by the authors of this new campaign.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Indicators of Compromise (IOC)<\/h1>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">File<\/th><th class=\"has-text-align-center\" data-align=\"center\">Hash<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">Information.iso<\/td><td class=\"has-text-align-center\" data-align=\"center\">B422BA73F389AE5EF9411CF4484C840C7C82F2731C6324DB0B24B6F87CE8477D<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Information .exe<\/td><td class=\"has-text-align-center\" data-align=\"center\">6C55195F025FB895F9D0EC3EDBF58BC0AA46C43EEB246CFB88EEF1AE051171B3<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">AppvIsvSubsystems64.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">E7C49758BAE63C83D251CACBFADA7C09AF0C3038E8FF755C4C04F916385805D8<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">dbg.info<\/td><td class=\"has-text-align-center\" data-align=\"center\">5F6219ADE8E0577545B9F13AFD28F6D6E991326F3C427D671D1C1765164B0D57<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">C2<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">hxxps:]]\/\/pizzais.com\/order.php<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table 
aligncenter\"><table><thead><tr><th>Filesystem<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>C:\\Users\\user\\AppData\\Local\\MSOfficeUpdate\\<\/td><td>AppvIsvSubsystems64.dll, Information .exe, dbg.info<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table aligncenter\"><table><thead><tr><th>Persistence<\/th><th>Value<\/th><\/tr><\/thead><tbody><tr><td>HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/td><td>C:\\Users\\user\\AppData\\Local\\MSOfficeUpdate\\Information .exe<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Candidate system DLLs for injection<\/h1>\n\n\n\n<p><em>The following DLLs will pass the checks for this sample (size and other requirements). This list may vary on the target system depending on the version and the system software installed. Please check.<\/em><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">aadtb.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ActiveSyncProvider.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">adtschema.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">APMon.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">appraiser.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">AppXDeploymentExtensions.desktop.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">AppXDeploymentExtensions.onecore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">AppXDeploymentServer.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">AppxPackaging.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">AudioEng.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">AudioSes.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">audiosrv.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">AuthFWSnapin.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">AuthFWSnapIn.Resources.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">AzureSettingSyncProvider.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">bcastdvruserservice.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">BingMaps.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">cavo2gui.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">cdp.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">cdprt.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">CertEnroll.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Chakra.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">cimwin32.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ClipSVC.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CloudExperienceHostCommon.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">cmiv2.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">comsvcs.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">ConstraintIndex.Search.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ContentDeliveryManager.Utilities.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">CoreShell.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CoreUIComponents.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">crypt32.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">d2d1.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">d3d10.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">d3d10warp.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">d3d11.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">D3D12Core.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">d3d9.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">D3DCompiler_47.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">dbgeng.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">dbghelp.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">dcomp.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">DeviceFlows.DataModel.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">dfshim.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">diagperf.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">diagtrack.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">directml.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">DMWmiBridgeProv.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">dosvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">drvstore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">dui70.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">dwmcore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">dwmscene.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">DWrite.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">dxilconv.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">edgeangle.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">EdgeContent.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">edgehtml.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">efscore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">EmailApis.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">enterprisecsps.dll<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">esent.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ExplorerFrame.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">FaceProcessor.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">FaceRecognitionEngineAdapter.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">fhuxpresentation.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">FluencyDS.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">FntCache.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">FrameServer.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">GdiPlus.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">gpsvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">HologramWorld.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Hydrogen.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">icu.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ieframe.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">inetcomm.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">InputHost.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">InputService.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">InstallService.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">IntelWifiIhv08.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ISM.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">jscript9.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">kerberos.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">KernelBase.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">libcrypto.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">localspl.dll<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">LocationFramework.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">lpasvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">lsasrv.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MapGeocoder.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">MapRouter.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MCRecvSrc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MdmDiagnostics.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">MemoryAnalyzer.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MessagingDataModel2.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfasfsrcsnk.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mfc140.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfc140u.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfc42.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mfc42u.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfcore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MFMediaEngine.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mfmkvsrcsnk.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfmp4srcsnk.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfmpeg2srcsnk.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mfnetcore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfnetsrc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfperfhelper.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mfplat.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mfreadwrite.dll<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">mfsrcsnk.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mfsvr.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Microsoft.Bluetooth.Service.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Microsoft.Graphics.Display.DisplayEnhancementService.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">migcore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MiracastReceiver.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mispace.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mmcndmgr.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mmgaclient.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MSAJApi.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">msctf.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">msdtctm.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">msftedit.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mshtml.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">msmpeg2vdec.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MSPhotography.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mssrch.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">mstscax.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MSTTSEngine_OneCore.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">MSVidCtl.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">msvproc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">msxml3.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">msxml6.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">MSxpsPCL6.dll<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">MSxpsPS.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">mxdwdrv.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">NetworkMobileSettings.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">NotificationController.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">ole32.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">OpcServices.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">opengl32.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">PCPKsp.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">perf_nt.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">pidgenx.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">pla.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">PresentationNative_v0300.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">PrintConfig.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">PrintConfig.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">PrintConfig.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">PrintConfig.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">qmgr.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">quartz.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rasapi32.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">rasmans.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rdpbase.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rdpcore.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">rdpcorets.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rdpnano.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rdpserverbase.dll<\/td><\/tr><tr><td 
class=\"has-text-align-center\" data-align=\"center\">rdpsharercom.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">reseteng.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">ResetEngine.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">RP2DSN32.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rpcss.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rtmcodecs.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">rtmpal.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">rtmpltfm.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">sapi.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">sapi_onecore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">sbe.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">sdengin2.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">SettingsHandlers_nt.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">setupapi.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">SpeechPal.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">sppobjs.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">spsreng.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">spsreng_onecore.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">spwizimg.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">SRH.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">StartTileData.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">storagewmi.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">sysmain.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">SystemSettings.Handlers.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">SystemSettingsThresholdAdminFlowUI.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">TaskFlowDataEngine.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">termsrv.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">TextInputMethodFormatter.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">TokenBroker.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">TpmCoreProvisioning.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">tquery.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">tsf3gip.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">twinapi.appcore.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">twinui.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">twinui.pcshell.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">uDWM.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">UIAutomationCore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">UIRibbon.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">UIRibbonRes.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Unistore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">UpdateAgent.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">urlmon.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">usbmon.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">UserDataService.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">usermgr.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VBoxDispD3D.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxDispD3D.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxGL.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" 
data-align=\"center\">VBoxGL.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxGL-x86.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxMRXNP.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VBoxNine.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxNine.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxSVGA.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">VBoxSVGA.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">VBoxSVGA-x86.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">vo28gui.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">vssapi.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wbemcore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">webplatstorageserver.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WebRuntimeManager.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">webservices.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wevtsvc.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">win32spl.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">WindowManagement.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.AI.MachineLearning.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.ApplicationModel.Store.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.CloudStore.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">WindowsCodecs.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WindowsCodecsRaw.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Data.Pdf.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Devices.Bluetooth.dll<\/td><\/tr><tr><td 
class=\"has-text-align-center\" data-align=\"center\">Windows.Devices.Perception.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Devices.PointOfService.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Globalization.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.Graphics.Printing.3D.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Graphics.Printing.Workflow.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Internal.Signals.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WindowsInternal.Xaml.Controls.Tabs.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Media.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Media.Editing.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.Media.Protection.PlayReady.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Media.Speech.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Media.Streaming.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.Mirage.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Networking.BackgroundTransfer.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Security.Authentication.Web.Core.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.StateRepository.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">windows.storage.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">windowsudk.shellcommon.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Cred.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Immersive.dll<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">Windows.UI.Input.Inking.Analysis.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Input.Inking.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Logon.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Shell.Internal.AdaptiveCards.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Xaml.Controls.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Xaml.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Xaml.Maps.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">Windows.UI.Xaml.Phone.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Windows.Web.Http.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">winhttp.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">wininet.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">winmde.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">winmsipc.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">winsetup.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wlansvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wlidsvc.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WMNetMgr.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wmp.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">workfolderssvc.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WpcDesktopMonSvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">Wpc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wpncore.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">WsmSvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wsp_fs.dll<\/td><td 
class=\"has-text-align-center\" data-align=\"center\">wsp_health.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">wuaueng.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">wwansvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">XblAuthManager.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">XblGameSave.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">XboxNetApiSvc.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">XpsPrint.dll<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">xpsservices.dll<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new sample has been uploaded to VirusTotal, and its characteristics strongly resemble QUARTERRIG, a malware recently analyzed by CERT.PL and linked to APT29. In said analysis, the campaign was named &#8220;Note&#8220;. Based on the aforementioned report, the purpose of this post is to show the new features of this new campaign that we named 
[&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":2226,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21],"tags":[66],"class_list":{"0":"post-2162","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"tag-apt29","9":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Image20230524184428-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Image20230524184428-600x600.jpg","author_info":{"display_name":"Er1c_C","author_link":"https:\/\/lab52.io\/blog\/author\/er1c_c\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2162"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2162"}],"version-history":[{"count":72,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2162\/revisions"}],"predecessor-version":[{"id":2308,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2162\/revisions\/2308"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2226"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-
json\/wp\/v2\/tags?post=2162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}