Palo Alto Networks’ analytics uncovered a sophisticated threat operation centered on the Popping Eagle malware family, with a Go-based second stage (Going Eagle) used for control and lateral movement. The campaign abused DLL hijacking to load a proxy DLL, established C2 communications, and conducted network scans and credential dumping, all while attempting to blend in with signed applications. #PoppingEagle #GoingEagle #DLLHijacking #BarcoNV #DNSzonetransfer #ReportErrorNet
Key points
- Analytical detectors identified a previously unknown threat actor cluster dubbed “Popping Eagle” with a Go-based second stage named “Going Eagle.”
- The operation relies on DLL Search Order Hijacking: a malicious loader DLL (uxtheme.dll) placed in the clicksharelauncher.exe directory is picked up by the signed application, so the attacker's code appears to run under a trusted, signed binary.
- The first-stage malware communicates with a C2 domain, dnszonetransfer[.]com, and later contacts reporterror[.]net, using a Go-based proxy tool for control.
- The attacker uses a reverse SOCKS proxy (Going Eagle) to pivot and tunnel commands across the network.
- Lateral movement employs WMI (wmiexec), PsExec, and RDP, with extensive discovery commands and credential access attempts (LSASS, secretsdump).
- IoCs include specific DLLs and domains/IPs; YARA rules and Cortex XDR/WildFire detections helped reveal related activity.
- Attribution remains uncertain because of the bespoke tooling and tight tailoring to the victim, and the analysis emphasizes anomaly-based detection over traditional IOC hunting.
MITRE Techniques
- [T1574.001] DLL Search Order Hijacking – “This is a classic example of DLL Search Order Hijacking; clicksharelauncher.exe tries to load uxtheme.dll from the current directory before %windir%\SysWOW64, so it loads the attacker’s DLL instead of Microsoft’s DLL.”
- [T1218] Signed Binary Proxy Execution – “Loaded the second-stage DLL, Going Eagle (ClickRuntime-amd86.dll)”
- [T1071.001] Web Protocols – “The infected host got the first command from 51.38.89[.]53” and “Sends a POST request to the URL with a hardcoded old Linux user agent and message.”
- [T1071.004] DNS – “Dynamic Resolution… The attacker changed IP resolution for dnszonetransfer[.]com to 51.38.89[.]53”
- [T1090] Proxy – “Attacker machine was tunneled using the SOCKS proxy”
- [T1021.006] Windows Management Instrumentation – “Remote WMI process execution”
- [T1003] Credential Dumping – “LSASS Memory” and “secretsdump” attempts on domain controllers, with related detections shown in the timeline.
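A defender-side check for the search-order hijack described above, added here as an example and not taken from the Unit 42 report: it scans module-load records and flags uxtheme.dll whenever it is loaded from any directory other than the Windows system directories (which is exactly what happens when clicksharelauncher.exe finds it in its own folder first). The `image|module_path` record format and the sample paths are constructed assumptions.

```python
import ntpath

# Directories from which Windows legitimately serves uxtheme.dll.
# A load from anywhere else is a search-order hijack candidate.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# System DLL names worth watching when they appear in application directories.
WATCHED_DLLS = {"uxtheme.dll"}

# Constructed sample module-load events (assumed format: "image|module_path").
# These are illustrative records, not telemetry from the report.
SAMPLE_EVENTS = [
    r"clicksharelauncher.exe|C:\Program Files (x86)\ClickShare\uxtheme.dll",
    r"explorer.exe|C:\Windows\System32\uxtheme.dll",
    r"clicksharelauncher.exe|C:\Windows\SysWOW64\uxtheme.dll",
    r"clicksharelauncher.exe|C:\Program Files (x86)\ClickShare\ClickRuntime-amd86.dll",
]


def is_hijack_candidate(module_path):
    """True if a watched system DLL name is loaded from a non-system directory."""
    name = ntpath.basename(module_path).lower()
    directory = ntpath.normpath(ntpath.dirname(module_path)).lower()
    return name in WATCHED_DLLS and directory not in SYSTEM_DIRS


def find_hijack_candidates(events):
    """Return (image, module_path) pairs that look like DLL search-order hijacks."""
    findings = []
    for line in events:
        image, module_path = line.split("|", 1)
        if is_hijack_candidate(module_path):
            findings.append((image.lower(), module_path))
    return findings


if __name__ == "__main__":
    for image, path in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"possible DLL search-order hijack: {image} loaded {path}")
```

Only the load of uxtheme.dll from the ClickShare application directory is reported; the loads from System32 and SysWOW64 pass, and ClickRuntime-amd86.dll is not a system DLL name so it is outside this rule's scope.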
Indicators of Compromise
- [SHA256] File hashes – e5e89d8db12c7dacddff5c2a76b1f3b52c955c2e86af8f0b3e36c8a5d954b5e8, 95676c8eeaab93396597e05bb4df3ff8cc5780ad166e4ee54484387b97f381df, and 2 more hashes
- [Domain] dnszonetransfer[.]com, reporterror[.]net
- [IP] 51.38.89[.]53, 51.75.57[.]245
- [URL] hxxps[:]//dnszonetransfer[.]com/Protocol/extensions.php
- [User Agent] Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
- [FileName] CoL_Final_Lib.dll, uxtheme.dll, ClickRuntime-amd86.dll
Read more: https://unit42.paloaltonetworks.com/popping-eagle-malware/