Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain

Rapid7 uncovered a Dropping Elephant campaign that used a China-themed lure, DLL side-loading, and Donut shellcode to deliver a heavily modified RAT that runs entirely in memory. The final payload evades detection with anti-analysis checks, patched defenses, and hardened HTTPS C2 communications while retaining lineage with earlier Dropping Elephant tooling. #DroppingElephant #Fondueexe #APPWIZcpl #Donut #GRES3001lnk #gclpowerorg

Keypoints

  • Rapid7 linked the campaign to Dropping Elephant through delivery patterns, beaconing behavior, screenshot logic, and command-handler structure.
  • The initial lure was a malicious Windows shortcut, GRES3001.lnk, disguised as a PDF and paired with a China energy-sector contract decoy document.
  • The attack staged files in C:\Users\Public and used the legitimate Microsoft binary Fondue.exe to side-load a malicious APPWIZ.cpl loader.
  • The loader decrypted an AES-wrapped payload, which contained Donut shellcode that mapped the final RAT directly into memory.
  • The final RAT used control-flow flattening, runtime API reconstruction, static CRT linking, and other obfuscation to hinder analysis.
  • Command-and-control traffic used HTTPS to gcl-power[.]org with Base64- and Salsa20-wrapped fields, plus periodic polling and host fingerprinting.
  • Defenders are advised to focus on behavior-based detections such as PowerShell launch chains, scheduled tasks, memory-resident payloads, and in-process defense tampering.
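As an added illustration of the behavior-based detections recommended above (not code from Rapid7 or the original post), the following Python checks constructed process-creation events for the three behaviors the summary names: PowerShell spawned by conhost.exe, a scheduled task whose action lives in C:\Users\Public, and a System32 binary such as Fondue.exe executing from a user-writable directory. The event field names, the sample command lines and the schtasks invocation are assumptions made for the example.

```python
import ntpath

PUBLIC_DIR = "c:\\users\\public"
# Microsoft binary the summary reports being copied out of System32 and abused for
# DLL side-loading (Fondue.exe loading a malicious APPWIZ.cpl staged beside it).
RELOCATABLE_SYSTEM_BINARIES = {"fondue.exe"}

def check_event(ev):
    """Return the detection names that fire for one process-creation event."""
    hits = []
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"].lower()
    name = ntpath.basename(image)
    # Launch chain: PowerShell started by conhost.exe rather than by a user shell.
    if name == "powershell.exe" and ntpath.basename(parent) == "conhost.exe":
        hits.append("powershell_spawned_by_conhost")
    # Persistence: a scheduled task whose action points into C:\Users\Public.
    if name == "schtasks.exe" and "/create" in cmd and PUBLIC_DIR in cmd:
        hits.append("scheduled_task_runs_from_public")
    # Masquerading: a known System32 binary executing outside C:\Windows.
    if name in RELOCATABLE_SYSTEM_BINARIES and not image.startswith("c:\\windows\\"):
        hits.append("system_binary_relocated")
    # Generic: anything executing out of the world-writable Public directory.
    if image.startswith(PUBLIC_DIR + "\\"):
        hits.append("execution_from_public")
    return hits

def detect(events):
    """Run every check over a list of events; returns (detection, image) pairs."""
    return [(h, ev["image"]) for ev in events for h in check_event(ev)]

# Constructed sample telemetry modelled on the chain in the summary (not real logs).
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\conhost.exe",
     "cmdline": "powershell.exe -w hidden -nop <obfuscated downloader>"},
    {"image": "C:\\Windows\\System32\\schtasks.exe",
     "parent": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "schtasks /create /sc minute /mo 1 /tn GoogleErrorReport "
                "/tr C:\\Users\\Public\\Fondue.exe"},
    {"image": "C:\\Users\\Public\\Fondue.exe",
     "parent": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "C:\\Users\\Public\\Fondue.exe"},
    {"image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for hit, image in detect(SAMPLE_EVENTS):
        print(f"{hit}: {image}")
```

The relocated-binary rule fires on the image path alone, so it also catches the task's minute-by-minute re-executions of Fondue.exe that never go through schtasks.exe again.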

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The malicious GRES3001.lnk served as the initial lure artifact delivered to the victim [‘Malicious GRES3001.lnk used as the initial lure artifact’]
  • [T1204.002] User Execution: Malicious File – The attack began when the user opened the malicious shortcut [‘User opens GRES3001.lnk’]
  • [T1059.001] Command and Scripting Interpreter: PowerShell – The shortcut spawned an obfuscated PowerShell downloader through conhost.exe [‘LNK launches conhost.exe, which starts the PowerShell downloader’]
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The RAT’s cmx handler executed commands through cmd.exe [‘Runs cmd.exe /c chcp 65001 | and captures stdout’]
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A task named GoogleErrorReport was created to run Fondue.exe every minute [‘GoogleErrorReport runs C:\Users\Public\Fondue.exe every minute’]
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Fondue.exe loaded the malicious APPWIZ.cpl staged beside it [‘Fondue.exe loads the malicious APPWIZ.cpl staged alongside it’]
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The campaign used spoofed names and trusted paths to blend in [‘Edge icon spoofing, GoogleErrorReport task name, staging in C:\Users\Public’]
  • [T1027] Obfuscated Files or Information – Junk extensions, string-splitting, encrypted payloads, and encoded fields were used to hide content [‘Junk file extensions, string splitting, encrypted payload container, encoded C2 fields’]
  • [T1620] Reflective Code Loading – Donut mapped the final PE in memory without writing it to disk [‘Donut maps the final PE in memory without writing it to disk’]
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The implant patched AMSI, WLDP, and ETW inside the process [‘Donut patches in-process AMSI and WLDP functions before payload execution’]
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The RAT checked for CPUID, VM artifacts, processes, and public-IP geolocation [‘CPUID, VM artifact, process blacklist, and public-IP geolocation checks’]
  • [T1057] Process Discovery – The malware enumerated running processes and reported them in the beacon [‘RAT enumerates running processes and sends the process list in mkeoldkf’]
  • [T1082] System Information Discovery – The RAT collected username, computer name, OS version, and host profile fields [‘RAT collects username, computer name, OS version, and host profile fields’]
  • [T1016] System Network Configuration Discovery – The implant used api.ipify.org to determine the public IP address [‘RAT obtains public IP through api.ipify.org’]
  • [T1614] System Location Discovery – The RAT queried ip2c.org for country and geolocation [‘RAT queries ip2c.org for country/geolocation’]
  • [T1083] File and Directory Discovery – The fl handler recursively enumerated files on the system [‘fl handler enumerates files’]
  • [T1113] Screen Capture – The sc handler captured the virtual screen and encoded it for exfiltration [‘sc handler captures the virtual screen with BitBlt and encodes it with WIC’]
  • [T1005] Data from Local System – The RAT uploaded files and enumerated local files for collection [‘uf handler exfiltrates files; fl handler lists local files’]
  • [T1071.001] Application Layer Protocol: Web Protocols – The RAT used HTTPS for C2 traffic over port 443 [‘HTTPS C2 traffic to gcl-power[.]org’]
  • [T1132.001] Data Encoding: Standard Encoding – C2 fields were wrapped with Base64 encoding [‘C2 fields use Base64 wrapping’]
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – The C2 content was protected using Salsa20 [‘C2 field content is protected with Salsa20’]
  • [T1105] Ingress Tool Transfer – The campaign downloaded staged payloads and used download-and-execute behavior [‘Initial staging downloads and dw download-and-execute capability’]
  • [T1041] Exfiltration Over C2 Channel – Host data, screenshots, command output, and files were sent over the C2 channel [‘Host fingerprinting, screenshots, command output, and files leave over the C2 channel’]

Indicators of Compromise

  • [SHA-256] Initial access and staged files – a8ecbd9c049044ca4990a0e5960d19ce782a3b42d7763e9693d7c91ead24a0b7, 56d656d684077e7b3231393f5464447cdc8eea81b6415c5f010bc52f0c8cb317, and 6 other items
  • [SHA-256] Side-loaded loader and final payload – b58351ead08db413ca499cfeb1b1091ed8bfd68f4089605e452fa01ed46f42b1, 914da75a4ad6d70db856a2bc318d8828f28894622f017ee78d470b4794faafa6, and 5 other items
  • [Domain] Staging, delivery, C2, and lookups – chinagreenenergy.org, gcl-power[.]org, and 2 more domains
  • [URL] Payload delivery endpoints on the staging server – https://chinagreenenergy.org/doc/35566/SXxls, https://chinagreenenergy.org/doc/list/load-list/dfe87bbc-53e0-489f-a9e6-ab8f4be47cb9, and 4 other items
  • [URI path] C2 registration, polling, and screenshot endpoints – /prjozifvkpkfhkr/gedhagammgjvvva/, /prjozifvkpkfhkr/spxbjdhxtapivrk/, and 1 other item
  • [File name] Malware and lure filenames – GRES3001.lnk, GRES3001.pdf, and 4 other items

Read more: https://www.rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain