DodgeBox: A deep dive into the updated arsenal of APT41 | Part 1

Zscaler ThreatLabz analyzes APT41’s DodgeBox loader and its MoonWalk backdoor, detailing the loader’s decryption, environment checks, and DLL-based delivery. Part 1 focuses on DodgeBox’s characteristics and evasion techniques, with Part 2 covering MoonWalk and its Google Drive C2. #DodgeBox #MoonWalk #APT41

Key points

  • APT41, a China-based threat actor, has introduced DodgeBox, an upgraded variant of StealthVector, as part of its tool arsenal.
  • DodgeBox employs multiple evasive techniques, including call stack spoofing, DLL sideloading, DLL hollowing, and various execution guardrails to avoid detection.
  • Delivery involves sideloading into signed executables (SandboxieWUAU.exe and an AhnLab binary), loading a malicious sbiedll.dll, and decrypting a second-stage payload from sbiedll.dat (MoonWalk) that uses Google Drive for C2.
  • Configuration and payload are encrypted with AES-CFB; integrity is verified against hard-coded MD5 checks, and APIs are resolved dynamically using salted FNV1a hashes of their names.
  • Environmental and system checks (arguments, MAC, computer name, user name) and CFG bypass techniques are used to constrain execution to targets and disable defenses where possible.
  • Payload loading combines DLL hollowing with reflective loading, including host-DLL prep, NX removal, and mapping via NT APIs, with a fallback reflective loader if needed.
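An analyst-side helper for the salted FNV1a API hashing mentioned above, added here as an example and not code from Zscaler or from the malware: it builds a hash-to-name lookup table from a list of export names so that hashes recovered from a sample can be resolved. The 32-bit FNV-1a variant, the salt being appended to the API name, and the `SAMPLE_SALT` value are all assumptions; the real salt and layout must be recovered from the sample.

```python
# Analyst helper for salted FNV-1a API hash resolution (added example).
# Assumptions: 32-bit FNV-1a, salt appended to the ASCII name before hashing.

FNV32_OFFSET = 0x811C9DC5
FNV32_PRIME = 0x01000193


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a over raw bytes."""
    h = FNV32_OFFSET
    for b in data:
        h ^= b
        h = (h * FNV32_PRIME) & 0xFFFFFFFF
    return h


def fnv1a32_salted(name: str, salt: str) -> int:
    """Hash an API name with the salt appended (assumed layout, not confirmed)."""
    return fnv1a32(name.encode("ascii") + salt.encode("ascii"))


def build_lookup(export_names, salt: str) -> dict:
    """Map salted hash -> export name so hashes found in a sample can be resolved."""
    table = {}
    for n in export_names:
        h = fnv1a32_salted(n, salt)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]} / {n}")
        table[h] = n
    return table


def resolve(hashes, table: dict) -> dict:
    """Resolve hashes seen in a sample; unknown hashes map to None."""
    return {h: table.get(h) for h in hashes}


# Constructed sample input: ntdll exports named in the article plus a placeholder salt.
SAMPLE_EXPORTS = ["NtCreateFile", "LdrLoadDll", "NtAllocateVirtualMemory", "NtClose"]
SAMPLE_SALT = "SALT_PLACEHOLDER"  # assumption; recover the real salt from the sample

if __name__ == "__main__":
    table = build_lookup(SAMPLE_EXPORTS, SAMPLE_SALT)
    seen = [fnv1a32_salted("LdrLoadDll", SAMPLE_SALT), 0xDEADBEEF]  # constructed
    for h, name in resolve(seen, table).items():
        print(f"0x{h:08x} -> {name}")
```

In practice the export list would be pulled from the DLLs the loader resolves against (ntdll, kernel32 and so on) and the table regenerated once the salt is known.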

MITRE Techniques

  • [T1574.002] Hijack Execution Flow – DLL Side-Loading – DodgeBox samples are designed to be executed by DLL sideloading. [‘DodgeBox samples are designed to be executed by DLL sideloading.’]
  • [T1480] Execution Guardrails – DodgeBox terminates execution if specific arguments are not provided. [‘DodgeBox starts by verifying that the process was launched with the correct arguments.’]
  • [T1480.001] Execution Guardrails: Environmental Keying – DodgeBox keys the encrypted payload to a machine, using a machine’s GUID. [‘DodgeBox keys the encrypted payload to a machine, using the GUID.’]
  • [T1027] Obfuscated Files or Information – DodgeBox uses AES-CFB to encrypt strings, configurations, and bundled payloads. [‘DodgeBox uses AES-CFB to encrypt strings, configurations, and bundled payloads.’]
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – DodgeBox uses salted FNV1a hashes to dynamically resolve APIs. [‘DodgeBox uses salted FNV1a hashes to dynamically resolve APIs.’]
  • [T1620] Reflective Code Loading – DodgeBox reflectively loads payload DLLs, utilizing DLL hollowing. [‘DodgeBox reflectively loads the payload using a DLL hollowing technique.’]
  • [T1106] Native API – DodgeBox uses Windows Native APIs like NtCreateFile, LdrLoadDll, and NtAllocateVirtualMemory, as opposed to their Win32 counterparts. [‘DodgeBox uses Windows Native APIs like NtCreateFile, LdrLoadDll, and NtAllocateVirtualMemory.’]
  • [T1562.001] Impair Defenses: Disable or Modify Tools – DodgeBox utilizes stack spoofing when calling APIs to evade security software monitoring. [‘DodgeBox utilizes stack spoofing when calling APIs to evade security software monitoring.’]

Indicators of Compromise

  • [MD5] DodgeBox-related hashes – 0d068b6d0523f069d1ada59c12891c4a, b3067f382d70705d4c8f6977a7d7bee4, and other hashes (see table in article)
  • [Filename] Sample artifacts – Music.zip, taskhost.exe, Sbiedll.dll, Sbiedll.dat, Atstrust.dll, Atstrust.dat, AppRouted.dll, AppRouteing.dll (and other DodgeBox-related files)

Read more: https://www.zscaler.com/blogs/security-research/dodgebox-deep-dive-updated-arsenal-apt41-part-1