OysterLoader Unmasked: The Multi-Stage Evasion Loader

MITRE Techniques

• [T1204.002 ] User Execution: Malicious File – Delivery via fake signed MSI installers impersonating legitimate software to induce user installation (‘distributed mainly through fake websites that copy legitimate software. It is disguised as a software installer and serves as a MicroSoft Installer (MSI). the MSI is often signed to appear benign.’)
• [T1036 ] Masquerading – Use of fake sites and legitimate-looking installers to impersonate trusted applications (‘fake websites that copy legitimate software… disguised as a software installer’).
• [T1027.006 ] Steganography – Hiding the next-stage PE inside an icon image returned by C2 and extracting/decrypting it (‘the C2 responds with an image … the malware uses steganography to hide the next stage payload as an icon’).
• [T1027 ] Obfuscated Files or Information – Custom LZMA implementation, non-standard headers/bitstream, API hashing and heavy code obfuscation to evade analysis (‘custom LZMA decompression routine with a non-standard header and modified bitstream’; ‘dynamically imported APIs… each sample uses a slightly different hashing algorithm’).
• [T1105 ] Ingress Tool Transfer – Downloading and writing a retrieved PE to disk (COPYING3.dll) and executing it (‘Once decrypted the PE is written into a file name COPYING3.dll in the %APPDATA% directory’).
• [T1055 ] Process Injection – Allocating RWX memory and copying/executing shellcode and staged payloads in-memory (‘it allocates a memory area with necessary permissions (Read, Write, Execute) and makes a raw copy of the data in the newly allocated memory’).
• [T1140 ] Deobfuscate/Decode Files or Information – RC4 decryption of stego payloads and custom Base64 decoding for C2 messages (‘it decrypts the data using RC4 algorithm along with a hardcoded key’; ‘JSON completely encoded with a custom algorithm based on Base64 encoding’).
• [T1071.001 ] Application Layer Protocol: Web Protocols – Use of HTTP/HTTPS for C2 communication, registration (/reg), login (/login) and beaconing endpoints (‘communicates over HTTPS, the first message acts as a registration as indicated by the C2 URL (/reg)’; ‘All traffic uses WinINet APIs … exchanges data in JSON format’).
• [T1053.005 ] Scheduled Task/Job – Persistence via a scheduled task that runs rundll32 to call the dropped DLL every 13 minutes (‘the DLL is executed by the task scheduler… task name COPYING runs every 13 minutes … rundll32.exe … COPYING3.dll DllRegisterServer’).
• [T1218.011 ] Signed Binary Proxy Execution: Rundll32 – Using rundll32.exe to execute the dropped DLL (‘rundll32.exe C:…COPYING3.dll DllRegisterServer’).
• [T1497.001 ] Virtualization/Sandbox Evasion: Debugger Detection – Anti-debug check using IsDebuggerPresent leading to infinite loop to hinder analysis (‘IsDebuggerPresent() check; if a debugger is detected, the malware enters an infinite loop (while(1);)’) .
• [T1057 ] Process Discovery – Counting running processes and enforcing an execution threshold (exits if below 60 processes) (‘EnumProcess to count the number of running processes, if the count is below 60, the malware exits’).
• [T1082 ] System Information Discovery – Exfiltration of host fingerprint (username, computer name, running processes, OS version) in JSON to C2 (‘the first data that is sent to the C2 is a JSON … contains … a3 username … a4 computer name …’ and annexed fingerprint example).