Exposing RDStealer: Deep Dive into a Targeted Cyber-Attack Against East-Asia Infrastructure

Bitdefender researchers detailed a long-running targeted attack (active since early 2022) against an East Asia Technology/IT Services organization that used DLL search-order hijacking, legitimate scheduled tasks/services, and trusted locations to deploy the Logutil backdoor and other tools. The intruders also used AsyncRAT and Cobalt Strike, harvested credentials from many applications, attempted LSASS and MySQL memory access, and prepared for lateral spread via RDP tsclient shares. #Logutil #AsyncRAT #CobaltStrike #MicrosoftWMI

Keypoints

  • Operation active since early 2022 targeting an East Asia Technology/IT Services company, with Logutil used as the primary backdoor.
  • Initial/sustained execution relied on DLL search-order hijacking involving the Microsoft WMI Provider Subsystem and the %SYSTEM32%\wbem\ncobjapi.dll loader.
  • Persistence and execution leveraged legitimate mechanisms such as scheduled tasks and system services to stay stealthy.
  • Credential harvesting targeted many applications and stores (MobaXterm, mRemoteNG, KeePass, Chrome passwords/history, etc.).
  • Attackers attempted credential and data extraction via LSASS memory dumps and by accessing MySQL server process memory for data exfiltration.
  • Lateral propagation capabilities included placing malicious components into \\tsclient\c subfolders when the RDP tsclient share was enabled; AsyncRAT and Cobalt Strike were also observed in the toolset.

MITRE Techniques

  • [T1574.001] DLL Search Order Hijacking – Used to execute malicious components through the WMI provider loader (‘DLL search order Hijacking involving the Microsoft WMI Provider Subsystem DCOM and %SYSTEM32%\wbem\ncobjapi.dll loader’).
  • [T1053] Scheduled Task/Job – Abused legitimate scheduled tasks to run malicious binaries and maintain persistence (‘abusing legitimate scheduled tasks and services’).
  • [T1543.003] Create or Modify System Process: Windows Service – Attackers modified/used services as part of persistence and execution (‘abusing legitimate scheduled tasks and services’).
  • [T1555] Credentials from Password Stores – Collected credential material from password managers and applications such as KeePass, MobaXterm, and mRemoteNG (‘capable of collecting credential material from various applications such as MobaXterm, mRemoteNG, KeePass, Chrome passwords and history, and many others’).
  • [T1003.001] OS Credential Dumping: LSASS Memory – Attempted to dump LSASS memory to extract credentials (‘attempts of dumping LSASS memory’).
  • [T1021.001] Remote Services: RDP – Prepared to infect other systems via RDP by placing malicious components in tsclient shares (‘Capabilities to infect other systems in case an RDP session was established … by placing malicious components to the \\tsclient\c subfolders if tsclient share was enabled’).
  • [T1071] Application Layer Protocol (C2) – Used Cobalt Strike/AsyncRAT infrastructure for command-and-control and tool delivery (‘Based on used infrastructure, it was established that CobaltStrike is another tool from the attackers’ arsenal’).

Indicators of Compromise

  • [File/Path] loader and persistence locations – %SYSTEM32%\wbem\ncobjapi.dll (WMI loader target), \\tsclient\c subfolders used for lateral placement.
  • [Malware/Tool names] observed in operation – Logutil backdoor, AsyncRAT, Cobalt Strike (used for access, C2, and later-stage activity).
  • [Applications targeted for credentials] credential sources – MobaXterm, mRemoteNG, KeePass, Chrome passwords and history (harvested for credential theft).
  • [Processes/Memory targets] memory access attempts – LSASS memory dumps and MySQL server process memory accessed for data extraction.

The attackers initially gained a foothold and executed payloads by abusing trusted Windows components and search-order behavior: they used DLL search-order hijacking targeting the Microsoft WMI Provider Subsystem loader (%SYSTEM32%\wbem\ncobjapi.dll) to load malicious modules. Execution and persistence were maintained through legitimate mechanisms — scheduled tasks and system services were abused to run attacker binaries without raising immediate suspicion.

Once code execution was established, the operation deployed Logutil as the primary backdoor and also leveraged AsyncRAT and Cobalt Strike infrastructure for remote control and tool delivery. The attackers collected credentials and sensitive data by harvesting from a wide set of applications and password stores (MobaXterm, mRemoteNG, KeePass, Chrome), and attempted direct memory access to extract database and OS credentials — including MySQL server process memory access and LSASS memory dumping.

For lateral movement and escalation, the actors prepared payload placement in RDP-connected client shares (\\tsclient\c subfolders) to infect systems accessed via RDP sessions, enabling spread from already-compromised hosts. The combined use of legitimate system components, living-off-the-land execution, credential harvesting, memory extraction, and C2 frameworks enabled a stealthy, long-running espionage and data-exfiltration campaign.
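The three host-level behaviours described above (the ncobjapi.dll search-order hijack, payload drops into \\tsclient\ shares, and memory reads of LSASS and the MySQL server process) each leave a distinct footprint in Sysmon-style telemetry. The hunting script below is an added example, not code from the Bitdefender report, and it runs over constructed event lines rather than real data from the investigation. It assumes Sysmon-like fields (Event ID 7 image loads, 11 file creates, 10 process access), that the only legitimate homes of ncobjapi.dll are the System32\wbem and SysWOW64\wbem directories, and a hypothetical allow-list of processes that may open LSASS; tune both assumptions to your environment.

```python
"""Hunt for RDStealer/Logutil-style host behaviour in Sysmon-like event lines."""
import ntpath
import re
from dataclasses import dataclass

# Assumption: the only legitimate locations of the WMI loader DLL.
EXPECTED_NCOBJAPI_DIRS = {
    r"c:\windows\system32\wbem",
    r"c:\windows\syswow64\wbem",
}
# Processes whose memory the report says the attackers tried to read.
SENSITIVE_TARGETS = {"lsass.exe", "mysqld.exe"}
PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory
# Hypothetical allow-list of sources that legitimately open LSASS; adjust per environment.
ACCESS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}

# Matches key=value and key="quoted value" pairs.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    rule: str
    line: str


def parse(line):
    """Turn one event line into a dict with lower-cased keys."""
    return {k.lower(): (q or u) for k, q, u in FIELD_RE.findall(line)}


def rule_dll_hijack(ev):
    """Event 7: ncobjapi.dll loaded from anywhere other than its expected directory."""
    if ev.get("eventid") != "7":
        return False
    loaded = ev.get("imageloaded", "").lower()
    if ntpath.basename(loaded) != "ncobjapi.dll":
        return False
    return ntpath.dirname(loaded) not in EXPECTED_NCOBJAPI_DIRS


def rule_tsclient_drop(ev):
    """Event 11: a file written into the RDP client's redirected drive share."""
    if ev.get("eventid") != "11":
        return False
    return ev.get("targetfilename", "").lower().startswith("\\\\tsclient\\")


def rule_sensitive_access(ev):
    """Event 10: a non-allow-listed process opens LSASS or mysqld with read access."""
    if ev.get("eventid") != "10":
        return False
    target = ntpath.basename(ev.get("targetimage", "").lower())
    if target not in SENSITIVE_TARGETS:
        return False
    if ev.get("sourceimage", "").lower() in ACCESS_ALLOWLIST:
        return False
    try:
        granted = int(ev.get("grantedaccess", "0"), 16)
    except ValueError:
        return False
    return bool(granted & PROCESS_VM_READ)


RULES = {
    "dll_search_order_hijack": rule_dll_hijack,
    "tsclient_drop": rule_tsclient_drop,
    "sensitive_process_access": rule_sensitive_access,
}


def evaluate(line):
    """Return the names of every rule that fires on one event line."""
    ev = parse(line)
    return [name for name, rule in RULES.items() if rule(ev)]


def hunt(lines):
    """Run all rules over a sequence of event lines and collect findings."""
    return [Finding(rule, line) for line in lines for rule in evaluate(line)]


# Constructed sample events (not from the report); paths and names are illustrative.
SAMPLE_EVENTS = [
    r'EventID=7 Image="C:\Windows\System32\wbem\WmiPrvSE.exe" ImageLoaded="C:\Windows\System32\wbem\ncobjapi.dll"',
    r'EventID=7 Image="C:\Windows\System32\wbem\WmiPrvSE.exe" ImageLoaded="C:\Windows\System32\ncobjapi.dll"',
    r'EventID=11 Image="C:\Users\Public\svc.exe" TargetFilename="\\tsclient\c\Users\Public\update.dll"',
    r'EventID=11 Image="C:\Windows\explorer.exe" TargetFilename="C:\Users\alice\notes.txt"',
    r'EventID=10 SourceImage="C:\Users\Public\svc.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1010"',
    r'EventID=10 SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess="0x1400"',
    r'EventID=10 SourceImage="C:\Users\Public\svc.exe" TargetImage="C:\Program Files\MySQL\bin\mysqld.exe" GrantedAccess="0x0410"',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.line}")
```

The DLL rule keys on the loaded module's directory rather than on the loading process, so it also catches the same DLL name being picked up by any other process that walks the search order; the tsclient rule deliberately matches the whole share root, not just the `c` drive, since any redirected drive is reachable the same way.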

Read more: https://www.bitdefender.com/blog/labs/exposing-rdstealerdeep-dive-into-a-targetedcyber-attack-against-east-asiainfrastructure/