![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-05-20-2.png\")
<\/figure><\/div>\n\n\n\nAfter deploying the three files, the installer runs the legitimate binary, causing the final PlugX threat to be loaded by it.<\/p>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-07-14-3.png\")
<\/figure><\/div>\n\n\n\nIn this case, the legitimate vulnerable binary is part of Adobe’s Swite which will load any library named “hex.dll” that is next to the executable.<\/p>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-21-53-2.png\")
<\/figure><\/div>\n\n\n\nThat hex.dll, in this case is a very simple and relatively small loader:<\/p>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-11-06-2.png\")
<\/figure><\/div>\n\n\n\n\nIt has 4 exports that return 0 without doing anything, the Main\nfunction of the library, on the other hand, calls a function that\nchecks the existence of the .dat file which is hardcoded\n(adobeupdate.dat in this case), loads it, extracts the first string\nof the binary and uses it as XOR key to decode the rest of the file,\nwhich consists on the final threat.<\/p>\n\n\n\n
The following code<\/a> in python imitates the logic of decoding:<\/p>\n\n\n\n \nWhen it finishes deciphering it, it loads the malware into memory,\nmakes a \u201cMemprotect\u201d to make it executable and launches its logic\nfrom the byte 0 of the binary.<\/p>\n\n\n\n It is a functional PE, so this should not work, since it starts with the “MZ” header of a normal binary:<\/p>\n\n\n\n \nBut in this case it uses a technique already seen before in tools\nlike the Cobalt Strike Beacon that by modifying some bytes of the MZ\nheader, it becomes meaningful executable code.<\/p>\n\n\n\n If we open the binary as a shellcode (de-compiling from byte 0) we see how they have modified the first bytes into a routine that jumps to a code zone, consisting of a PE loader:<\/p>\n\n\n\n \nAfter loading the IAT and leaving everything ready as a normal\nexecutable, this threat decrypts its own config, which is encrypted\nin XOR in the .data section of the binary. This time the decryption\nkey is hardcoded in the binary, and is the string “123456789”.<\/p>\n\n\n\n After\ndecrypting its configuration, it contains the folder where the binary\nmust be installed, a XOR key that will use to encrypt it\u2019s traffic\nand a list of up to 4 domains or IP addresses of command and control\nservers together with the port to be used. Generally the 4 C2\nelements consists of the same domain repeated 4 times or 2 domains\nrepeated twice each.<\/p>\n\n\n\n After the analysis, both the loader in DLL format and the final encrypted threat (after decryption) have been compared with different campaign samples of groups known to use this dll sideload technique, and it has been possible to verify how both the loader and the final threat coincide in a high percentage with the samples of the “Mustang Panda” group analyzed in the following reports [1]<\/a> [2]<\/a> [3]<\/a>. In fact, the loader of this campaign is able to load and run the samples of the campaigns analyzed in those reports, and the final threat uses exactly the same XOR key to decipher its configuration as the samples in those reports, so there is a high probability that it is a new campaign from this same group. <\/p>\n\n\n\n This particular sample has the domains “www.destroy2013.]com” and “www.fitehook.]com” as c2 servers, and we have seen that they have a very characteristic behavior, since most of the day they resolve to 127.0.0.1, but from 1-3 AM (UTC) to 8-9 AM (UTC) it resolves to the IP “107.150.112.]250, except for weekends that it resolves constantly to 127.0.0.1, which could indicate that it is a campaign that is focused on a time zone in which those hours are working hours.<\/p>\n\n\n\n Recently, from Lab52 we have detected a recent malware sample, using the Dll-Sideload technique with a legitimate binary, to load a threat. This particular sample has a very small DLL, that loads an encrypted file, which after being decrypted consists of a sample of the PlugX Trojan. This technique, and final threat together, consists of […]<\/p>\n","protected":false},"author":5,"featured_media":879,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[1],"tags":[],"class_list":{"0":"post-896","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-uncategorised","8":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/panda-1-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/panda-1-600x600.jpg","author_info":{"display_name":"JagaimoKawaii","author_link":"https:\/\/lab52.io\/blog\/author\/jagaimokawaii\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/896"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=896"}],"version-history":[{"count":4,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions"}],"predecessor-version":[{"id":916,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/896\/revisions\/916"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/879"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=896"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=896"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=896"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-27-10-2.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-29-56-2.png\")
<\/figure><\/div>\n\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2019\/08\/Captura-de-pantalla-de-2020-05-19-17-32-07-2.png\")
<\/figure><\/div>\n\n\n\nIP<\/td> 81.16.28.]30<\/td><\/tr> IP<\/td> 107.150.112.]250<\/td><\/tr> DOMAIN<\/td> www.destroy2013.]com<\/td><\/tr> DOMAIN<\/td> www.fitehook.]com<\/td><\/tr> DOMAIN<\/td> miandfish.]store<\/td><\/tr> SHA256<\/td> c56ac01b3af452fedc0447d9e0fe184d093d3fd3c6631aa8182c752463de570c<\/td><\/tr> SHA256<\/td> 9c0f6f54e5ab9a86955f1a4beffd6f57c553e34b548a9d93f4207e6a7a6c8135<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"