Threat actors are leveraging DLL sideloading in legitimate Microsoft applications to deliver a Cobalt-Strike beacon. The dropped DLL is loaded from application folders and communicates with a C2 URL hosted on CloudFront to enable beacon operations.
#QakBot #CobaltStrike #DLLSideloading #MicrosoftTeams #OneDrive #CloudFront
Keypoints
- DLL sideloading is used to infect users via legitimate applications loading malicious DLLs that spoof legitimate ones.
- A malicious document uses AutoOpen macro execution to run the payload after macros are enabled.
- The malware identifies the path of OneDrive and Teams, then drops a DLL in those paths (renamed to iphlpapi.dll).
- The dropped DLL creates a mutex to avoid multiple instances and uses a C2 channel to communicate with a CS beacon URL.
- C2 and beacon activity are observed via the URL d2xiq5m2a8wmm4.cloudfront.net/communications.
- Targets include a company in Italy providing Credit Servicing, Fund/Asset Management, and Real Estate services.
- Recommendations emphasize basic controls, user education, network beacon monitoring, and DLP to mitigate such attacks.
MITRE Techniques
- [T1204] User Execution – "When opening the malicious document, it shows a security warning stating that macros have been disabled. The malware then requests the user to enable the content."
- [T1140] Deobfuscate/Decode Files or Information – "The embedded DLL file contains an embedded DLL file in reversed Base64 encoded format. The malware then calls the GetParagraph() function, which gets the Base64 encoded strings and performs the StrReverse and Base64Decode operations to drop the malicious DLL file…"
- [T1574] Hijack Execution Flow: DLL Side-Loading – "DLL sideloading is a technique used by Threat Actors to infect users using legitimate applications which load malicious DLL files that spoof legitimate ones."
- [T1564] Hide Artifacts: VBA Stomping – "The malware then runs the macro code automatically in the background using the AutoOpen() function."
- [T1071] Application Layer Protocol – "the malware communicates to the C&C server using the below URL: d2xiq5m2a8wmm4.cloudfront[.]net/communications."
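The sideloading pattern from the keypoints and the T1574 entry above (a copy of iphlpapi.dll dropped into the OneDrive or Teams folder and loaded from there) can be hunted in image-load telemetry. The following is an added detection example, not code from the report or from Cyble: it assumes Sysmon Event ID 7 style records reduced to `Image`, `ImageLoaded` and `SHA256` fields, treats the Windows system directories as the only legitimate home of iphlpapi.dll, and uses the sideloaded DLL's SHA-256 from the indicator list on this page.

```python
import ntpath

# Assumption: iphlpapi.dll legitimately lives only in the Windows system
# directories, so any other load path is a sideloading candidate.
SYSTEM_DLL_DIRS = {
    "iphlpapi.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# SHA-256 of the sideloaded DLL listed in this page's indicators.
KNOWN_BAD_SHA256 = {
    "ee56e43ed64e90d41ea22435baf89e97e9238d8e670fc7ed3a2971b41ce9ffaf",
}


def classify_image_load(event):
    """Return the reasons an image-load record looks like DLL sideloading.

    `event` mimics a Sysmon Event ID 7 record: {"Image": loading process,
    "ImageLoaded": DLL path, "SHA256": hash}. An empty list means no match.
    """
    reasons = []
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    directory = ntpath.dirname(loaded)
    expected_dirs = SYSTEM_DLL_DIRS.get(name)
    if expected_dirs is not None and directory not in expected_dirs:
        reasons.append(f"{name} loaded outside the Windows system directories")
        # The campaign drops the DLL beside the OneDrive/Teams executable.
        if ntpath.dirname(event["Image"].lower()) == directory:
            reasons.append("DLL sits next to the loading executable (sideload pattern)")
    if event.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        reasons.append("hash matches the sideloaded DLL reported in this campaign")
    return reasons


def find_sideloads(events):
    """Return (ImageLoaded, reasons) for every record that trips a rule."""
    hits = []
    for event in events:
        reasons = classify_image_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed sample records, not real telemetry: one benign system load, one
# hash-known OneDrive sideload, one Teams sideload with an unknown hash.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\Windows\System32\iphlpapi.dll", "SHA256": "0" * 64},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\iphlpapi.dll",
     "SHA256": "ee56e43ed64e90d41ea22435baf89e97e9238d8e670fc7ed3a2971b41ce9ffaf"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\iphlpapi.dll",
     "SHA256": "1" * 64},
]

if __name__ == "__main__":
    for path, reasons in find_sideloads(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

The path rule fires on the Teams record even though its hash is unknown, which is the point of hunting on load location rather than on indicators alone.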
Indicators of Compromise
- [MD5] Malicious Doc – 697ac31e2336c340e46ae8a777f51cdb
- [SHA-1] Malicious Doc – 91bd5585383685b82af8e801ce8f43586a797f49
- [SHA-256] Malicious Doc – 92e7395073c6588e1d8172148525144189c3d92ed052a163b8f7fad231e7864c
- [MD5] Sideloaded DLL – 6e1e6194dd00f88638d03db3f74bb48a
- [SHA-1] Sideloaded DLL – d4a3050246d30a26671d05b90ffa17de39d5e842
- [SHA-256] Sideloaded DLL – ee56e43ed64e90d41ea22435baf89e97e9238d8e670fc7ed3a2971b41ce9ffaf
- [URL] Cobalt-Strike C2 URL – d2xiq5m2a8wmm4.cloudfront[.]net/communications
- [URL] Download URL – hxxps://laureati-prelios.azureedge[.]net/forms/Modulo_Testimone_Universitario_v3.doc
Read more: https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/