Efficient Distribution of MSC Files Exploiting Amazon Services

ASEC reports a malicious MSC file abusing Amazon services to deliver and execute payloads, using decoy PDFs and DLL-based components to run malware on victims’ systems. The campaign downloads modules from AWS S3, injects shellcode via a hidden process, and is suspected to be distributed by phishing emails. #MSC #apds.dll #AWS_S3 #Edge.exe #msedge.dll #dllhost.exe #ValleyRAT #ASEC #phishing

Keypoints

  • Malicious MSC files exploit a vulnerability in apds.dll.
  • Payloads are inserted into the <StringTables> section of the MSC file.
  • Malware downloads various files, including ‘msedge.dll’, from AWS S3.
  • Normal PDF files are used as decoys to hide malware execution.
  • Injected ‘dllhost.exe’ connects to external servers to download additional shellcode.
  • Phishing emails are suspected as the distribution method for the malicious files.
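
The two keypoints above (payload strings carried inside the MSC file's StringTables section, and follow-on components fetched from AWS S3) both lend themselves to simple defender-side checks. The script below is an added example, not code from ASEC or from the report it summarises: it parses an MMC console (MSC) file as XML, flags StringTable entries that reference apds.dll, contain script-like markers, or look like large encoded blobs, and separately matches proxy-log lines against the URLs and IPs listed in the report's IoC section. The sample MSC document, the base64 blob inside it, the proxy-log lines, and the thresholds are all constructed for the example; the detection heuristics are assumptions, not rules from the report.

```python
"""Added example: heuristic scan of MSC StringTables plus IoC matching on proxy logs."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Indicators copied from the report's IoC section (the 152.42.226.161 host is taken from its URL).
IOC_URLS = [
    "http://152.42.226.161:88/ins.tg",
    "https://app-dimensiona.s3.sa-east-1.amazonaws.com/oncesvc.exe",
    "https://app-dimensiona.s3.sa-east-1.amazonaws.com/oncesvc.exe.config",
]
IOC_IPS = ["104.21.93.214", "172.67.215.77", "152.42.226.161"]

# Assumed heuristics: a StringTable string should never name apds.dll, embed script markup,
# or carry a long base64-looking blob. Thresholds are chosen for the example, not from the report.
SUSPICIOUS_MARKERS = ("apds.dll", "<script", "javascript:", "vbscript:")
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]{200,}={0,2}$")

# Constructed sample MSC document: two benign console strings, one apds.dll reference,
# and one large encoded blob standing in for an embedded payload string.
_BLOB = base64.b64encode(b"constructed placeholder bytes, not a real payload " * 6).decode()
SAMPLE_MSC = f"""<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables>
    <StringTable>
      <Strings>
        <String ID="1" Refs="1">Console Root</String>
        <String ID="2" Refs="1">Event Viewer (Local)</String>
        <String ID="3" Refs="1">apds.dll</String>
        <String ID="4" Refs="1">{_BLOB}</String>
      </Strings>
    </StringTable>
  </StringTables>
</MMC_ConsoleFile>
"""

# Constructed proxy-log lines: one S3 download from the IoC list, one benign request,
# one CONNECT to an IoC IP.
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z host1 GET https://app-dimensiona.s3.sa-east-1.amazonaws.com/oncesvc.exe 200",
    "2024-01-01T10:00:01Z host1 GET https://example.com/index.html 200",
    "2024-01-01T10:00:05Z host1 CONNECT 104.21.93.214:443 200",
]


def scan_msc(xml_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious <String> element under <StringTables>."""
    findings: List[Dict[str, str]] = []
    root = ET.fromstring(xml_text)
    for tables in root.iter("StringTables"):
        for elem in tables.iter("String"):
            value = (elem.text or "").strip()
            if not value:
                continue
            lowered = value.lower()
            reason = None
            for marker in SUSPICIOUS_MARKERS:
                if marker in lowered:
                    reason = f"marker:{marker}"
                    break
            if reason is None and BASE64_BLOB.match(value):
                reason = f"encoded-blob:{len(value)}-chars"
            if reason:
                findings.append({"id": elem.get("ID", "?"), "reason": reason})
    return findings


def match_iocs(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per log line that contains a reported URL or IP."""
    hits: List[Dict[str, str]] = []
    for idx, line in enumerate(log_lines):
        for ioc in IOC_URLS + IOC_IPS:
            if ioc in line:
                hits.append({"line": str(idx), "ioc": ioc})
                break  # one hit per line is enough to raise the alert
    return hits


if __name__ == "__main__":
    for f in scan_msc(SAMPLE_MSC):
        print(f"MSC string ID {f['id']}: {f['reason']}")
    for h in match_iocs(SAMPLE_PROXY_LOG):
        print(f"proxy log line {h['line']} matched IoC {h['ioc']}")
```

Run against a real console file by passing its contents to `scan_msc`; a finding on an MSC that arrived by e-mail is a reason to pull the file for analysis, while a proxy hit on the S3 object or the C2 hosts is a reason to isolate the endpoint and look for a spawned dllhost.exe as described in the report.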

MITRE Techniques

  • [T1203] Exploitation for Client Execution – Exploiting a vulnerability in apds.dll to execute malicious payloads.
  • [T1071] Command and Control – Communication with external servers to download additional payloads.
  • [T1547] Persistence – Malware establishes persistence through various downloaded components.
  • [T1562] Defense Evasion – Using legitimate processes and files to hide malicious activities.

Indicators of Compromise

  • [MD5] 0c93507db212c506fa82ffaadff7e034, 22a4b86bf351bf855b9205bd3255ad5e, 249c2d77aa53c36b619bdfbf02a817e5, 4b643cf1bb43941073fe88ad410da96e, 4ee936e21e154ae7e64e95b4537b0c7c
  • [URL] http://152.42.226.161:88/ins.tg, http://api.s2cloud-amazon.com:8080/api/v1/homepage/8deb7837590a7d071096da5f881a3e135ac6651d388615fe79e27104ad8a3a60, http://api.s2cloud-amazon.com:8080/api/v1/homepage/be70dc18937896ab224387bd01892954362339c0baa8f7e0b88bb541273da2c, https://app-dimensiona.s3.sa-east-1.amazonaws.com/oncesvc.exe, https://app-dimensiona.s3.sa-east-1.amazonaws.com/oncesvc.exe.config
  • [IP] 104.21.93.214, 172.67.215.77

Read more: https://asec.ahnlab.com/en/82707/