Security researchers at Sophos have uncovered a string of incidents whereby attackers make use of DLLs to execute malicious code and create backdoors into organisations.
The malware has been dubbed KillSomeOne, after folder names found within the program database path.
Sophos has discovered four different sideloading scenarios. Of those, two make use of a simple shell while the other two can install and execute a payload while collecting data on a target.
The security firm says that similarities in how KillSomeOne side-loads point to a possible association with Chinese threat actors. In fact, the methods used are similar to those of the PlugX backdoor.
Another reason Sophos believes those responsible for this malware are Chinese is that the attacks were targeted at NGOs and other organisations within Myanmar.
Sophos also discovered strings of plain text in the malware’s code. Hell, one of the encryption keys is “HELLO_USA_PRISIDENT”.
So how does it work?
KillSomeOne loads an installer into memory using the malicious DLL, which is downloaded via a shell.
The installer then hides its files so the user is none the wiser.
“The installer then closes the executable used in the initial stage of the attack, and starts a new instance of explorer.exe to side-load the dropped DLL component. This is an effort to conceal the execution, since the targeted system’s process list will only show another explorer.exe process (and not the renamed clean executable, which might stand out upon examination),” Sophos explained in a blog.
From there the malware creates a folder within the Recycle Bin in which it stores a list of files from sub-folders, system information and even volume names.
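A defender-side illustration of the steps above, added here and not part of the Sophos write-up or this article: a small Python triage routine over constructed Sysmon-style events that flags an explorer.exe running from outside the Windows directory, an explorer.exe loading a DLL from a user-writable path, and a folder created under $Recycle.Bin whose name is not a user SID. The event field names, sample paths and the trusted-directory list are assumptions, not values from the report.

```python
import re
from pathlib import PureWindowsPath

# Heuristic allow-list (assumption): code legitimately loaded by explorer.exe lives here.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Legitimate per-user Recycle Bin folders are named after the user's SID.
SID_RE = re.compile(r"^s-1-5-\d+(-\d+)*$")

# Constructed sample telemetry in a Sysmon-like shape; not taken from the article.
EVENTS = [
    {"type": "process_create", "pid": 1000, "image": "C:\\Windows\\explorer.exe"},
    {"type": "image_load", "pid": 1000, "image": "C:\\Windows\\explorer.exe",
     "loaded": "C:\\Windows\\System32\\shell32.dll"},
    {"type": "process_create", "pid": 2000,
     "image": "C:\\Users\\staff\\AppData\\Local\\Temp\\explorer.exe"},
    {"type": "image_load", "pid": 2000, "image": "C:\\Users\\staff\\AppData\\Local\\Temp\\explorer.exe",
     "loaded": "C:\\Users\\staff\\AppData\\Local\\Temp\\dropped.dll"},
    {"type": "file_create", "pid": 2000,
     "path": "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$RABC123.txt"},
    {"type": "file_create", "pid": 2000, "path": "C:\\$Recycle.Bin\\staging\\sysinfo.txt"},
]

def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)

def analyse(events):
    """Return a list of (rule, detail) findings for the given event stream."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev.get("image", "")).name.lower()
        if ev["type"] == "process_create" and name == "explorer.exe":
            # Rule 1: an explorer.exe launched from anywhere but its real location.
            if ev["image"].lower() != "c:\\windows\\explorer.exe":
                findings.append(("explorer_outside_windows_dir", ev["image"]))
        elif ev["type"] == "image_load" and name == "explorer.exe":
            # Rule 2: explorer.exe pulling a DLL from a user-writable location.
            if not is_trusted_path(ev["loaded"]):
                findings.append(("explorer_sideload_dll", ev["loaded"]))
        elif ev["type"] == "file_create":
            # Rule 3: a directory directly under $Recycle.Bin that is not a user SID.
            parts = [p.lower() for p in PureWindowsPath(ev["path"]).parts]
            if "$recycle.bin" in parts:
                i = parts.index("$recycle.bin")
                if i + 1 < len(parts) and not SID_RE.match(parts[i + 1]):
                    findings.append(("recycle_bin_non_sid_folder", ev["path"]))
    return findings

if __name__ == "__main__":
    for rule, detail in analyse(EVENTS):
        print(rule, detail)
```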
“This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal,” says threat research director at Sophos, Gabor Szappanos.
“The group responsible for the ‘KillSomeOne’ attacks doesn’t fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you’d expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code,” adds Szappanos.
As the threat research director points out, cybercriminals are a wily bunch, and assuming you know what they are doing is dangerous.
With this in mind, it seems pertinent to remind you to be cautious of the sites you visit and, if something looks suspicious, to trust your instinct or speak to a friend or colleague who can help.