Keypoints
- Initial delivery: phishing emails (Portuguese) lure users to run a Visual Basic script that downloads a legitimate VMware executable and a malicious DLL.
- Attack technique: attackers use vmnat.exe (VMware) to sideload a payload masquerading as vcruntime140.dll, leveraging a signed legitimate binary to reduce detection noise.
- Detection rule 1: identify files named VCRUNTIME140.dll that lack signatures or whose signer is not “Microsoft Corporation”.
- Detection rule 2: flag VCRUNTIME140.dll files that import mscoree.dll!_CorDllMain, indicating a managed (.NET) DLL rather than a native runtime DLL.
- Limitations: Yara cannot validate the cryptographic validity of a PE signature; an illegitimately issued certificate could bypass simple issuer checks.
- Tools: THOR-Lite can scan environments with the shared Yara rules; THOR offers deeper scanning and additional modules for enterprise environments.
- IOCs: the article lists numerous SHA256 sample hashes for the malicious DLLs used in the investigation.
MITRE Techniques
- [T1566] Phishing – Initial delivery used phishing emails to trick users into executing a Visual Basic script (‘Their initial attack involves a phishing email, mainly in Portuguese language.’)
- [T1574.001] DLL Search Order Hijacking (DLL sideloading) – Attackers used vmnat.exe to load a malicious vcruntime140.dll under a legitimate component name (‘they used vmnat.exe, a component of VMWare, to load their payload posing as vcruntime140.dll.’)
- [T1218] Signed Binary Proxy Execution – The campaign leverages a legitimately signed VMware executable to execute the malicious DLL, reducing noisy behaviors (‘Since they use a legitimately signed VMWare executable to load the DLL, the process is much less noisy…’)
Indicators of Compromise
- [SHA256] Malware sample hashes – b4bc73dfe9a781e2fee4978127cb9257bc2ffd67fc2df00375acf329d191ffd6, 4c9f5d36ceeae70848cdca9329cee05c43421a64d1d992593953a257c6901505, and many more listed in the post.
- [File name] Loader and payload – vmnat.exe (VMware component used to sideload), vcruntime140.dll (malicious payload name used for sideloading).
The technical chain begins with a phishing email that convinces a user to run a Visual Basic script; that script downloads a legitimate VMware executable (vmnat.exe) alongside a malicious DLL named vcruntime140.dll. Attackers exploit DLL sideloading by placing the malicious DLL where the signed vmnat.exe will load it, allowing execution with the trusted binary and reducing anomalous behaviors that could trigger alerts.
Detection is implemented with concise Yara rules: one rule checks for filename == "VCRUNTIME140.dll" and flags files with no PE signatures or whose first signature issuer does not contain "Microsoft Corporation" (pe.number_of_signatures == 0 or not pe.signatures[0].issuer contains "Microsoft Corporation"), excluding Wine-specific DLLs to reduce false positives. A second rule targets managed payloads by checking the PE imports for mscoree.dll and the _CorDllMain entry (pe.imports("mscoree.dll", "_CorDllMain")), since legitimate native vcruntime140.dll copies will not import the .NET CLR initialization function.
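As an added example (not the post's own rule text), the two detections described above written out as YARA rules. It assumes `filename` is an external variable supplied by the scanner, as THOR and THOR-Lite do; the Wine exclusion the post mentions is left as a comment because the right exclusion depends on what your environment ships.

```yara
import "pe"

// Added example reconstructing the detection logic described in the post.
// "filename" is assumed to be an external variable provided by the scanner.
// With plain yara: yara -d filename=VCRUNTIME140.dll rules.yar <file>

rule SUSP_VCRUNTIME140_Unsigned_Or_NonMicrosoft
{
    meta:
        description = "vcruntime140.dll that is unsigned or whose first signature was not issued by Microsoft (possible sideloading payload)"
        note = "YARA does not verify the signature chain; a mis-issued certificate naming Microsoft would pass this check, so pair it with other detections"
    condition:
        uint16(0) == 0x5a4d                              // MZ header: PE files only
        and filename matches /^vcruntime140\.dll$/i      // case-insensitive name match
        and (
            pe.number_of_signatures == 0                 // no Authenticode signature at all
            // "or" short-circuits, so signatures[0] is only read when one exists
            or not pe.signatures[0].issuer contains "Microsoft Corporation"
        )
        // The post additionally excludes Wine builds of this DLL, which are
        // legitimately unsigned; add an exclusion here matching the Wine
        // artefacts present in your environment, if any.
}

rule SUSP_VCRUNTIME140_Managed_DLL
{
    meta:
        description = "vcruntime140.dll importing mscoree.dll!_CorDllMain: a .NET assembly, which the native MSVC runtime never is"
    condition:
        uint16(0) == 0x5a4d
        and filename matches /^vcruntime140\.dll$/i
        and pe.imports("mscoree.dll", "_CorDllMain")     // CLR entry point import
}
```

The second rule does not depend on signatures at all, so it still fires when the signer check is defeated by a certificate that merely claims to be Microsoft's.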
Operational notes: Yara cannot cryptographically validate a signature’s authenticity, so an illegitimate certificate that claims to be from Microsoft may bypass issuer checks and should be caught by complementary detections; defenders are advised to scan environments with THOR-Lite using the shared Yara rules and to consult the provided SHA256 IOCs for hunting and containment.
Read more: https://www.nextron-systems.com/2023/09/15/detecting-janelarat-with-yara-and-thor/