{"id":2707,"date":"2024-05-28T16:41:09","date_gmt":"2024-05-28T14:41:09","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2707"},"modified":"2024-05-28T16:48:08","modified_gmt":"2024-05-28T14:48:08","slug":"dll-side-loading-through-iobit-against-colombia","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/dll-side-loading-through-iobit-against-colombia\/","title":{"rendered":"DLL Side Loading through IObit against Colombia"},"content":{"rendered":"\n

Early in May 2024, S2 Grupo’s intelligence unit, Lab52, detected a new phishing campaign in which attackers impersonated the Colombian Attorney General’s Office. The attack aims to infect victims’ systems with the generic malware artefact AsyncRAT. To do so, it deploys a series of malicious files, including the legitimate file of the free IObit anti-malware solution used to execute the rest of the artefacts and initiate the infection using the DLL side-loading technique.<\/p>\n\n\n\n

Although the beacon, the objectives, and the artefacts used by the attackers match with those known to be used by APT-C-36, the kill-chain does not correspond with the one used by the actor in their latest campaigns. Therefore, this could mean a modification of their Tactics, Technics, and Procedures.<\/p>\n\n\n\n

This time, the threat actor employs a ZIP file containing four relevant documents: an IObit antivirus legitimate file, a malicious BPLfile, which is a type of DLL for AutoCAD, a malicious M4A file which is an Apple audio file, and a malicious VCF text format file. The attackers use the HijackLoader malware to execute the malicious artefacts.<\/p>\n\n\n\n

\"\"
Current infection chain<\/figcaption><\/figure><\/div>\n\n\n\n

The following figure represents the infection chain employed by the APT-C-36 threat actor in recent years, as explained in this Lab52 publication.<\/p>\n\n\n\n

\"\"
Prior APT-C-36 infection chain<\/figcaption><\/figure><\/div>\n\n\n\n

The figure below shows two decoys used by the attackers. On the left, is the decoy used in the new campaign discovered by Lab52. On the right, is an APT-C-36 campaign from July 2022.<\/p>\n\n\n\n

\"\"
Decoy used in the campaign<\/figcaption><\/figure><\/div>\n\n\n\n

Killchain<\/h1>\n\n\n\n

The infection starts with the file \u201c08 CITACION DEMANDA.zip\u201d which contains the files: a legitimate executable signed as IObit RttHlp \u201c08 CITACION DEMANDA.exe\u201d, \u201cRegister.dll\u201d, \u201cvcl120.bpl\u201d, \u201cdreamland.m4a\u201d and \u201ccutcherry.vcf\u201d and on execution, all files, except for the executable are copied to C:\\Users\\XXXX\\AppData\\Roaming\\WUKApp.<\/p>\n\n\n\n

\"\"
Files droped by the ZIP<\/figcaption><\/figure><\/div>\n\n\n\n

In the same way as other HijackLoader infections, the first-stage executable \u201c08 CITACION DEMANDA.exe\u201d loads the malicious DLL \u201cvcl120.bpl\u201d through DLL Side Loading.  Then, the DLL creates a cmd.exe process that starts a suspended MSBuild process.<\/p>\n\n\n\n

\"\"
Highlighted processes<\/figcaption><\/figure><\/div>\n\n\n\n

The loader manages the process explained above through the files contained in the zip. It will deobfuscate and use \u201cdreamland.m4a\u201d in order to inject a shellcode into memory. It will then perform the same process with \u201ccutcherry.vcf\u201d. Finally, the loader injects into the previously created \u201cMSBuild.exe\u201d the AsyncRAT contained in \u201ccutcherry.vcf\u201d via Process Hollowing. The communications with the C2 were detected through this process.<\/p>\n\n\n\n

During the execution process, we managed to detect the use of the mutex AsyncMutex_6SI8OkPnk and the creation of other processes, such as a PowerShell:<\/p>\n\n\n\n

\"\"
Detailed procces execution <\/figcaption><\/figure><\/div>\n\n\n\n

In order to obtain persistence, the attackers followed through with two different mechanisms that load the executable file uncopied before to the secondary folder. In the first place, via the creation of a link file on the user’s home folder \u201cchromeHttp_zx_test\u201d.<\/p>\n\n\n\n

\"\"
LNK to load on Startup<\/figcaption><\/figure>\n\n\n\n

Furthermore, the attackers also created a scheduled task called \u201cmlt_Archive\u201d:<\/p>\n\n\n\n

\"\"
Scheduled task created<\/figcaption><\/figure><\/div>\n\n\n\n

Conclusions<\/h1>\n\n\n\n

This article analyses a new campaign detected in Colombia. In this campaign, we found several similarities with previous decoys and malware used by APT-C-36. Therefore, we might find ourselves before a new kill-chain used by this group.<\/p>\n\n\n\n

As a side note, campaigns using RATs, such as AsyncRAT, are commonly found in attacks against Colombian entities as we analysed in our previous blog<\/a>.<\/p>\n\n\n\n

Indicators of compromise<\/h1>\n\n\n\n
08 CITACION DEMANDA.zip<\/td>ab731fe108986f53117e09272f12701a77e013d8<\/td><\/tr>
08 CITACION DEMANDA.exe<\/td>22afcdc180400c4d2b9e5a6db2b8a26bff54dd38<\/td><\/tr>
cutcherry.vcf<\/td>931c51eed1716a0dddeb005899efd16a79a22782<\/td><\/tr>
dreamland.m4a<\/td>a31edd70cb923893c736b633806e294a66ffbd41<\/td><\/tr>
Register.dll<\/td>8fb5da182dea64c842953bf72fc573a74adaa155<\/td><\/tr>
rtl120.bpl<\/td>e6ccaf016fc45edcdadeb40da64c207ddb33859f<\/td><\/tr>
vcl120.bpl<\/td>1e387320704c8b94c41df2409e79c67a030018c4<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"

Early in May 2024, S2 Grupo’s intelligence unit, Lab52, detected a new phishing campaign in which attackers impersonated the Colombian Attorney General’s Office. The attack aims to infect victims’ systems with the generic malware artefact AsyncRAT. To do so, it deploys a series of malicious files, including the legitimate file of the free IObit anti-malware […]<\/p>\n","protected":false},"author":29,"featured_media":2723,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21,16],"tags":[80,29],"class_list":{"0":"post-2707","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"category-ttp","9":"tag-asyncrat","10":"tag-colombia","11":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2024\/05\/1024-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2024\/05\/1024-600x600.jpg","author_info":{"display_name":"Erlebnis","author_link":"https:\/\/lab52.io\/blog\/author\/erlebnis\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2707"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2707"}],"version-history":[{"count":5,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2707\/revisions"}],"predecessor-version":[{"id":2722,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2707\/revisions\/2722"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2723"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2707"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2707"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2707"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}