Unknown Malware Using Azure Functions as C2

A malicious ISO named Servicenow-BNM-Verify.iso uploaded from Malaysia contains a benign Palo Alto executable that side-loads a hidden malicious DLL (libwaapi.dll) which injects and executes a compressed, obfuscated DLL that phones home to logsapi.azurewebsites[.]net. LNK metadata reveals creator machine and user details (desktop-rbg1pik, john.GIB) and points to a development path suggesting the actor tested the chain locally. #libwaapi.dll #logsapi.azurewebsites.net

Keypoints

  • The uploaded ISO (Servicenow-BNM-Verify.iso) contains four files including a shortcut (servicenow-bnm-verify.lnk), a legitimate Palo Alto executable (PanGpHip.exe), a legitimate OpenSSL DLL (libeay32.dll), and a hidden malicious DLL (libwaapi.dll).
  • servicenow-bnm-verify.lnk execution falls back to the ISO directory and launches PanGpHip.exe, enabling DLL side-loading of the hidden libwaapi.dll.
  • LNK metadata discloses the origin machine (desktop-rbg1pik), user (john.GIB), and creation timestamp (08/25/2025 04:39:00 UTC), indicating actor development/testing environment paths (C:\Users\john.GIB\Desktop\excluded\paloalto\PanGpHip.exe).
  • libwaapi.dll’s exported wa_api_setup hides the console and creates a mutex (47c32025); if that mutex did not already exist, it invokes an injection routine that decrypts a payload and injects it into the legitimate chakra.dll in System32.
  • The injection flow: compute SHA-256 of “rdfY*&689uuaijs” (used as RC4 key), deobfuscate “chakra.dll”, find an executable section, make it writable, base64-decode and RC4-decrypt the payload, verify SHA-256 integrity, restore execution permissions, and run the payload.
  • The injected shellcode decompresses an embedded LZNT1-compressed DLL (decompressed DLL SHA2: c0fc5e…), which appears obfuscated, implements module unhooking, and sends encrypted XML-formatted victim profile data to logsapi.azurewebsites[.]net via POST requests to Azure Functions.
  • Related sample: another DLL with imphash B74596632C4C9B3A853E51964E96FC32 (SHA2: 28e85f…) was uploaded from Singapore on 2025-09-05 and shows strong similarities, suggesting reuse or variants by the same actor.
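The payload-unwrapping chain in the injection keypoint (SHA-256 of the key string as the RC4 key, base64 decode, RC4 decrypt, SHA-256 integrity check) is reproduced below as an analyst-side decoder so the encoding can be verified against a sample without running anything. This is an added example, not code from the write-up or from the malware; the key string is the one quoted above, while the payload bytes and the fixture builder are constructed here purely to exercise the decoder offline. The injection steps (section lookup, permission changes, execution) are deliberately not reproduced.

```python
import base64
import hashlib

# Key string quoted in the write-up; its SHA-256 digest is used as the RC4 key.
KEY_STRING = b"rdfY*&689uuaijs"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so one routine encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(key_string: bytes = KEY_STRING) -> bytes:
    """Step 1 of the chain: the RC4 key is SHA-256(key string), 32 raw bytes."""
    return hashlib.sha256(key_string).digest()


def decode_payload(blob_b64: bytes, expected_sha256: str,
                   key_string: bytes = KEY_STRING) -> bytes:
    """base64-decode, RC4-decrypt, then refuse the result unless its SHA-256
    matches the digest the loader carries alongside the payload."""
    ciphertext = base64.b64decode(blob_b64, validate=True)
    plaintext = rc4(derive_rc4_key(key_string), ciphertext)
    digest = hashlib.sha256(plaintext).hexdigest()
    if digest != expected_sha256.lower():
        raise ValueError(f"integrity check failed: got {digest}")
    return plaintext


def is_intact(blob_b64: bytes, expected_sha256: str) -> bool:
    """Convenience wrapper: True when the blob decodes and passes the hash check."""
    try:
        decode_payload(blob_b64, expected_sha256)
        return True
    except ValueError:
        return False


def build_constructed_fixture(plaintext: bytes, key_string: bytes = KEY_STRING):
    """Constructed test fixture (not the real sample): wraps a plaintext the way the
    write-up describes so the decoder can be checked end to end. Returns the
    base64 blob and the SHA-256 hex digest the loader would compare against."""
    blob = base64.b64encode(rc4(derive_rc4_key(key_string), plaintext))
    return blob, hashlib.sha256(plaintext).hexdigest()


if __name__ == "__main__":
    # Constructed placeholder bytes, standing in for the real payload.
    sample = b"CONSTRUCTED PLACEHOLDER PAYLOAD - not shellcode"
    blob, digest = build_constructed_fixture(sample)
    print("RC4 key (hex):", derive_rc4_key().hex())
    print("round trip ok:", decode_payload(blob, digest) == sample)
    print("tamper detected:", not is_intact(blob, "00" * 32))
```

To use this against a real sample, dump the base64 blob and the stored digest from the injector and feed them to decode_payload; a hash mismatch tells you the key string or the extraction boundary is wrong before any further analysis is attempted.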

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The ISO contains multiple files including a shortcut and DLLs transferred via the Servicenow-BNM-Verify.iso uploaded to VirusTotal (“Servicenow-BNM-Verify.iso was uploaded to VirusTotal”).
  • [T1566.001] Phishing: Spearphishing Attachment – The use of a delivered ISO containing a shortcut and executable suggests delivery via an attachment-like artifact (“An ISO named Servicenow-BNM-Verify.iso was uploaded… contains servicenow-bnm-verify.lnk”).
  • [T1203] Exploitation for Client Execution – The LNK file executes PanGpHip.exe which then causes execution of a malicious DLL via side-loading (“servicenow-bnm-verify.lnk only executes the legitimate Palo Alto executable… the LNK falls back to its same directory, where PanGpHip.exe also resides”).
  • [T1574.002] DLL Side-Loading – A legitimate Palo Alto executable loads a malicious libwaapi.dll from the same directory, enabling malicious code execution (“The presence of hidden DLLs and a legitimate executable is typically indicative of DLL side-loading”).
  • [T1055.001] Process Injection: Dynamic-link Library Injection – The malicious libwaapi.dll performs in-memory injection into a loaded chakra.dll section via ZwProtectVirtualMemory and writes the decrypted payload (“the injector then proceeds to base64-decode a payload… RC4 decrypted… written to the DLL… memory permission is restored… execute the injected payload”).
  • [T1107] File Deletion (anti-forensics hint) – The malicious component zeroes out the target section before writing the payload (“the content is zeroed out” when preparing the target section in chakra.dll).
  • [T1027] Obfuscated Files or Information – The final payload and embedded DLL are obfuscated, compressed (LZNT1) and use custom RC4 and base64 schemes (“embedded payload… processed by RtlDecompressBuffer… maximum compression for LZNT1” and “it is RC4 decrypted with the previously computed key”).
  • [T1041] Exfiltration Over C2 Channel – The final payload sends victim profile data in encrypted POST requests to logsapi.azurewebsites[.]net (“implements a loop to the C2, sending a POST request with victim profile data to logsapi.azurewebsites[.]net/api/logs”).
  • [T1497.003] Virtualization/Sandbox Evasion: Timing/Resource Checks (evasion) – The injected payload implements module unhooking to avoid detection during execution (“string review via emulation suggests that the DLL implements module unhooking to avoid detection”).

Indicators of Compromise

  • [File Hashes] ISO and contained files – Servicenow-BNM-Verify.iso: 0ba328aeb0867def650694c5a43fdd47d719c6b3c55a845903646ccdbf3ec239; servicenow-bnm-verify.lnk: 9e312214b44230c1cb5b6ec591245fd433c7030cb269a9b31f0ff4de621ff517.
  • [File Hashes] DLLs and executable – libwaapi.dll: b03a2c0d282cbbddfcf6e7dda0b4b55494f4a5c0b17c30cd586f5480efca2c17; libeay32.dll: 1fa3e14681bf7f695a424c64927acfc26053ebaa54c4a2a6e30fe1e24b4c20a8; PanGpHip.exe: b778d76671b95df29e15a0af4d604917bfba085f7b04e0ce5d6d0615017e79db.
  • [File Hashes] Injected/decompressed payloads – Decrypted shellcode hash: 550c27fd8dc810df2056f1ec4a749a94ab4befc8843ba913c5f1197ef381a0a5; Decompressed DLL: c0fc5ec77d0aa03516048349dddb3aa74f92cfe20d4bca46205f40ab0e728645; related DLL: 28e85fd3546c8ad6fb2aef37b4372cc4775ea8435687b4e6879e96da5009d60a.
  • [Domain] C2 endpoint – logsapi.azurewebsites[.]net – receives encrypted POSTs containing victim profile XML (“sending a POST request with victim profile data to logsapi.azurewebsites[.]net/api/logs”).
  • [File Paths / Metadata] LNK target and creator info – Local path in LNK: C:\Users\john.GIB\Desktop\excluded\paloalto\PanGpHip.exe; NetBIOS: desktop-rbg1pik; MAC: 7c:21:4a:29:5e:9f; UUID timestamp: 08/25/2025 04:39:00 UTC.
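The indicators above can be turned into a small triage script: hash every file in a directory (for example a mounted copy of the ISO) and compare against the listed SHA-256 values, and scan proxy or web-gateway logs for POSTs to the C2 hostname. This is an added example, not tooling from the write-up; the hashes and hostname are the ones listed above, while the log format and log lines are constructed for the demonstration and will need adapting to your own gateway's format.

```python
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# SHA-256 indicators taken from the IoC list above.
IOC_HASHES: Dict[str, str] = {
    "0ba328aeb0867def650694c5a43fdd47d719c6b3c55a845903646ccdbf3ec239": "Servicenow-BNM-Verify.iso",
    "9e312214b44230c1cb5b6ec591245fd433c7030cb269a9b31f0ff4de621ff517": "servicenow-bnm-verify.lnk",
    "b03a2c0d282cbbddfcf6e7dda0b4b55494f4a5c0b17c30cd586f5480efca2c17": "libwaapi.dll",
    "550c27fd8dc810df2056f1ec4a749a94ab4befc8843ba913c5f1197ef381a0a5": "decrypted shellcode",
    "c0fc5ec77d0aa03516048349dddb3aa74f92cfe20d4bca46205f40ab0e728645": "decompressed DLL",
    "28e85fd3546c8ad6fb2aef37b4372cc4775ea8435687b4e6879e96da5009d60a": "related DLL",
}

# C2 hostname from the IoC list (defanged in the write-up, refanged here for matching).
C2_HOST = "logsapi.azurewebsites[.]net".replace("[.]", ".")
C2_PATH = "/api/logs"


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_hashes(file_hashes: Dict[str, str],
                 iocs: Dict[str, str] = IOC_HASHES) -> List[Tuple[str, str]]:
    """Return (path, indicator label) for every file whose SHA-256 is in the IoC set."""
    return [(path, iocs[h.lower()]) for path, h in file_hashes.items() if h.lower() in iocs]


def scan_directory(root: str) -> List[Tuple[str, str]]:
    """Walk a directory (e.g. a mounted ISO), hash each file, and report IoC hits."""
    hashes: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hashes[path] = hash_bytes(fh.read())
    return match_hashes(hashes)


def scan_proxy_log(lines: Iterable[str]) -> List[str]:
    """Flag POSTs to the C2 endpoint. Assumed (constructed) line format:
    '<timestamp> <client-ip> <method> <url> <status> <bytes>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        method, url = parts[2].upper(), parts[3]
        host = url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
        path = "/" + url.split("://", 1)[-1].split("/", 1)[1] if "/" in url.split("://", 1)[-1] else "/"
        # Match the full hostname: azurewebsites.net itself hosts countless legitimate apps.
        if method == "POST" and host == C2_HOST and path.startswith(C2_PATH):
            hits.append(line)
    return hits


# Constructed sample log lines for an offline run; not real traffic.
SAMPLE_LOG = [
    "2025-09-05T10:01:02Z 10.0.0.5 POST https://logsapi.azurewebsites.net/api/logs 200 1337",
    "2025-09-05T10:01:03Z 10.0.0.6 GET https://example.com/ 200 512",
    "2025-09-05T10:01:04Z 10.0.0.7 POST https://otherapp.azurewebsites.net/api/logs 200 90",
    "2025-09-05T10:01:05Z 10.0.0.5 GET https://logsapi.azurewebsites.net/api/logs 405 12",
]

if __name__ == "__main__":
    for line in scan_proxy_log(SAMPLE_LOG):
        print("C2 beacon candidate:", line)
    print("hash hits in cwd:", scan_directory("."))
```

The hostname comparison is deliberately exact: blocking or alerting on the parent azurewebsites.net domain would hit legitimate Azure-hosted applications, which is precisely why the actor chose that infrastructure.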


Read more: https://dmpdump.github.io/posts/AzureFunctionsMalware/