DLL Side Loading through IObit against Colombia

Researchers at Lab52 observed a phishing campaign impersonating the Colombian Attorney General’s Office that delivers AsyncRAT via DLL side-loading through a legitimately signed IObit executable. The chain shows HijackLoader-based execution, decoy documents and two persistence methods, and may be a new kill-chain variant tied to APT-C-36. #AsyncRAT #APT-C-36 #IObit #Colombia

Keypoints

  • A new phishing campaign impersonates the Colombian Attorney General’s Office and aims to deploy AsyncRAT on victims’ systems.
  • The lure is a ZIP bundle containing a legitimately signed IObit executable, malicious Delphi package DLLs (.bpl), and two payloads disguised as an M4A audio file and a VCF contact card, with HijackLoader executing the artefacts.
  • The renamed IObit executable (08 CITACION DEMANDA.exe) is the first stage; it loads the malicious vcl120.bpl from its own directory via DLL side-loading.
  • The loader deobfuscates dreamland.m4a and cutcherry.vcf, injects the resulting shellcode into memory, then hollows a newly created MSBuild.exe process to run AsyncRAT, which handles C2 communication.
  • Persistence is established twice over: a logon shortcut (chromeHttp_zx_test) and a scheduled task named mlt_Archive.
  • Overlaps with earlier APT-C-36 activity suggest an evolution of that group’s kill chain against Colombian entities.
  • Lab52’s prior analyses show that RATs such as AsyncRAT are a recurring choice in attacks on Colombian organizations.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The campaign impersonates an official body and delivers a ZIP whose contents the victim extracts and runs. ‘The infection starts with the file “08 CITACION DEMANDA.zip” which contains the files: a legitimate executable signed as IObit RttHlp “08 CITACION DEMANDA.exe”…’
  • [T1218] Signed Binary Proxy Execution (now listed in ATT&CK as System Binary Proxy Execution) – A legitimately signed IObit binary, renamed to 08 CITACION DEMANDA.exe, is the process that executes the remaining artefacts, so a valid signature alone is not evidence of benign execution. ‘a legitimate file of the free IObit anti-malware solution used to execute the rest of the artefacts’
  • [T1574.002] DLL Side-Loading – The renamed IObit executable resolves vcl120.bpl by name from its own directory, so the attacker’s copy placed alongside it is loaded instead of the vendor’s. ‘The first-stage executable “08 CITACION DEMANDA.exe” loads the malicious DLL “vcl120.bpl” through DLL Side Loading.’
  • [T1055.012] Process Hollowing – The loader creates MSBuild.exe and replaces its image with the AsyncRAT payload carried in cutcherry.vcf, so the RAT’s network activity appears to originate from a Microsoft build tool. ‘…injects into the previously created “MSBuild.exe” the AsyncRAT contained in “cutcherry.vcf” via Process Hollowing.’
  • [T1059.001] PowerShell – A PowerShell child process is observed during execution, alongside the AsyncRAT mutex AsyncMutex_6SI8OkPnk, which is itself a usable host-based indicator. ‘During the execution process, we managed to detect the use of the mutex AsyncMutex_6SI8OkPnk and the creation of other processes, such as a PowerShell:’
  • [T1547.001] Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder – A shortcut (chromeHttp_zx_test) is written under the user’s profile so the chain reruns at logon. ‘LNK to load on Startup’
  • [T1053.005] Scheduled Task – A scheduled task named “mlt_Archive” provides a second persistence mechanism. ‘This article mentions the creation of a scheduled task called “mlt_Archive”’
  • [T1140] Deobfuscate/Decode Files or Information – The loader decodes dreamland.m4a (and cutcherry.vcf) at run time; neither is a real media or contact file, so content inspection rather than extension is needed to spot them. ‘deobfuscate and use “dreamland.m4a” in order to inject a shellcode into memory’
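A triage pass over process-creation telemetry for two of the behaviours above: MSBuild.exe started by something other than a build tool (the hollowing target) and a task registration that names mlt_Archive. This is an added example, not Lab52’s tooling or anything from the write-up. The event lines are constructed and loosely modelled on Sysmon Event ID 1 fields; the allowlist of parents that legitimately launch MSBuild.exe is an assumption to tune per environment, and the schtasks.exe line assumes the task was created that way, which the page does not state.

```python
"""Triage process-creation events for the MSBuild.exe hollowing target and the
mlt_Archive scheduled task.

Added example, not part of the Lab52 write-up. SAMPLE_EVENTS is constructed
telemetry modelled loosely on Sysmon Event ID 1 fields (Image, ParentImage,
CommandLine). MSBUILD_EXPECTED_PARENTS is an assumption to tune per fleet, and
the schtasks line assumes the task was registered that way (not stated on the page).
"""
import ntpath
import re

# Parents that normally start MSBuild.exe on a developer workstation (assumption).
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}

# Locations a standard user can write to; a parent image living here is suspicious.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Task name reported for this campaign (compared case-insensitively).
KNOWN_TASK_NAMES = {"mlt_archive"}

# Constructed events, not real logs. Fields are '|'-separated Key=Value pairs.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\victim\\Downloads\\08 CITACION DEMANDA.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=\"C:\\Users\\victim\\Downloads\\08 CITACION DEMANDA.exe\"",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
    "|ParentImage=C:\\Users\\victim\\Downloads\\08 CITACION DEMANDA.exe"
    "|CommandLine=MSBuild.exe",
    "Image=C:\\Windows\\System32\\schtasks.exe"
    "|ParentImage=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
    "|CommandLine=schtasks /create /tn mlt_Archive /tr C:\\Users\\victim\\AppData\\Roaming\\upd.exe /sc minute /mo 5",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"
    "|CommandLine=MSBuild.exe proj.csproj",
]


def parse_event(line):
    """Turn 'Key=Value|Key=Value' into a dict; values keep their spaces and quotes."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Case-folded Windows basename, so comparisons ignore directory and case."""
    return ntpath.basename(path).lower()


def triage(lines):
    """Return (rule, evidence) pairs for events that match a campaign behaviour."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        cmd = ev.get("CommandLine", "")
        if basename(image) == "msbuild.exe":
            # Hollowing target: MSBuild.exe started by something that is not a build tool.
            if basename(parent) not in MSBUILD_EXPECTED_PARENTS:
                findings.append(("msbuild_unexpected_parent", parent))
            # Extra weight when the parent itself runs from a user-writable path.
            if parent.lower().startswith(USER_WRITABLE_PREFIXES):
                findings.append(("msbuild_parent_user_writable", parent))
        elif basename(image) == "schtasks.exe":
            # Persistence: task registration using the name seen in this campaign.
            m = re.search(r'/tn\s+"?([^\s"]+)', cmd, re.IGNORECASE)
            if m and m.group(1).lower() in KNOWN_TASK_NAMES:
                findings.append(("known_task_name", m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The parent allowlist is the part worth tuning: on a build server MSBuild.exe is routinely launched by agents, so pair the parent check with the user-writable-path check rather than alerting on either alone.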

Indicators of Compromise

All digests below are 40 hexadecimal characters, i.e. SHA-1; match them with that algorithm, not SHA-256.

  • [SHA1] 08 CITACION DEMANDA.zip – ab731fe108986f53117e09272f12701a77e013d8
  • [SHA1] 08 CITACION DEMANDA.exe – 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38
  • [SHA1] cutcherry.vcf – 931c51eed1716a0dddeb005899efd16a79a22782
  • [SHA1] dreamland.m4a – a31edd70cb923893c736b633806e294a66ffbd41
  • [SHA1] Register.dll – 8fb5da182dea64c842953bf72fc573a74adaa155
  • [SHA1] rtl120.bpl – e6ccaf016fc45edcdadeb40da64c207ddb33859f
  • [SHA1] vcl120.bpl – 1e387320704c8b94c41df2409e79c67a030018c4
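A sweep of a directory tree for the file IOCs above and for the on-disk layout the chain relies on (an .exe sitting beside vcl120.bpl or rtl120.bpl). This is an added example, not Lab52’s code. It infers the hash algorithm from digest length (40 hex characters is SHA-1), builds a sample tree at run time from placeholder bytes, and appends one demo-only digest computed from those bytes so the hash-match path is exercised offline. Legitimate Delphi applications also ship these packages, so the layout check is a triage signal to combine with the path (Downloads, Temp, AppData) and the hashes, not a verdict on its own.

```python
"""Sweep a directory tree for the campaign's file IOCs and for the side-loading
layout (an .exe next to vcl120.bpl or rtl120.bpl).

Added example, not Lab52's tooling. The hash algorithm is inferred from digest
length. The sample tree is constructed with placeholder bytes and contains no
malware; the one digest that matches it is labelled demo-only.
"""
import hashlib
import os
import tempfile

# IOCs from the page (filename, digest). All are 40 hex characters, i.e. SHA-1.
IOC_LINES = [
    "08 CITACION DEMANDA.zip, ab731fe108986f53117e09272f12701a77e013d8",
    "08 CITACION DEMANDA.exe, 22afcdc180400c4d2b9e5a6db2b8a26bff54dd38",
    "cutcherry.vcf, 931c51eed1716a0dddeb005899efd16a79a22782",
    "dreamland.m4a, a31edd70cb923893c736b633806e294a66ffbd41",
    "Register.dll, 8fb5da182dea64c842953bf72fc573a74adaa155",
    "rtl120.bpl, e6ccaf016fc45edcdadeb40da64c207ddb33859f",
    "vcl120.bpl, 1e387320704c8b94c41df2409e79c67a030018c4",
]

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = set("0123456789abcdef")

# Delphi runtime packages the first stage loads by name from its own folder.
SIDELOAD_DLLS = {"vcl120.bpl", "rtl120.bpl"}


def parse_iocs(lines):
    """Map lower-case digest -> (filename, algorithm); reject anything that is not clean hex."""
    iocs = {}
    for line in lines:
        name, _, digest = line.rpartition(",")
        digest = digest.strip().lower()
        algo = HASH_ALGOS.get(len(digest))
        if algo is None or not set(digest) <= HEX:
            raise ValueError(f"unrecognised digest for {name.strip()!r}: {digest}")
        iocs[digest] = (name.strip(), algo)
    return iocs


def file_digest(path, algo):
    """Stream the file through hashlib so large archives do not land in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs):
    """Return (finding, path) pairs: 'ioc:<name>' for hash hits, 'sideload_layout' per folder."""
    findings = []
    algos = sorted({algo for _, algo in iocs.values()})
    for dirpath, _, filenames in os.walk(root):
        lowered = {n.lower() for n in filenames}
        # Layout heuristic: legitimate Delphi apps ship these BPLs too, so treat a hit
        # as a triage signal to pair with the folder's location and the hash results.
        if lowered & SIDELOAD_DLLS and any(n.endswith(".exe") for n in lowered):
            findings.append(("sideload_layout", dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            for algo in algos:
                hit = iocs.get(file_digest(path, algo))
                if hit:
                    findings.append((f"ioc:{hit[0]}", path))
    return findings


DEMO_BYTES = b"placeholder, not malware"  # constructed content for the demo tree


def build_sample_dir():
    """Constructed tree mimicking the unpacked ZIP; returns (root, demo-only SHA-1)."""
    root = tempfile.mkdtemp(prefix="iobit_demo_")
    for name in ("08 CITACION DEMANDA.exe", "vcl120.bpl", "rtl120.bpl", "Register.dll"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"placeholder " + name.encode())
    with open(os.path.join(root, "cutcherry.vcf"), "wb") as f:
        f.write(DEMO_BYTES)
    return root, hashlib.sha1(DEMO_BYTES).hexdigest()


def demo():
    """Run the sweep on the constructed tree with one demo-only IOC appended."""
    root, demo_digest = build_sample_dir()
    iocs = parse_iocs(IOC_LINES + [f"cutcherry.vcf (demo-only), {demo_digest}"])
    return sweep(root, iocs)


if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding}: {path}")
```

Point sweep() at an extracted mailbox attachment store or a mounted image instead of the demo tree; because the algorithm comes from the digest, a future SHA-256 list drops in without code changes.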

Read more: https://lab52.io/blog/dll-side-loading-through-iobit-against-colombia/