Five DLL sideloading cases targeting government organizations in Asia show how threat actors reuse well-known techniques and progressively add complexity, including a USB worm in one case. A common loader shellcode and repeated infrastructure overlap across cases suggest related tooling and tactics, with several instances of signed loaders and multiple sideloading stages.
#MustangPanda #LuminousMoth #ShadowPad #DLLSideloading #USBWorm
Key points
- The article analyzes five DLL sideloading cases tied to government targets in Asia, with activity dating back to 2013 and continuing through 2020.
- A USB worm (Case 4) propagates by copying files from USB drives and can include components from Mustang Panda and LuminousMoth, suggesting complex, multi-actor payload interactions.
- Loader shellcode is a common thread across all cases, decrypting plugins and writing zero bytes into the decrypted loader, indicating a shared delivery mechanism.
- The threat actors reuse legitimate applications (e.g., Cisco Webex, VLC) as lures/loaders to sideload malicious DLLs.
- Case 1 centers on a stager connecting to 91.245.253.52 and loading a Metasploit/Cobalt Strike-like shell over HTTP.
- Cases 2–5 show multi-stage sideloading chains, often involving encrypted implants and RAR-extracted components, and in some cases a UAC bypass and service installation for persistence.
- Indicators of compromise and further context are to be published by Sophos and shared on its GitHub repository.
MITRE Techniques
- [T1574.002] DLL sideloading – The attacker plants and invokes a legitimate application that loads the malicious DLL, taking advantage of the trust the system already places in that application (in the article's words: “As above, except the attacker plants and invokes a legitimate application that loads the malicious DLL.”).
- [T1574.001] DLL preloading – An attacker plants a malicious DLL in a directory that will be searched by a pre-existing application before the location of a legitimate library (based on the default Windows search order).
- [T1055] Process Injection – The loader payloads (the .ja files) are injected into other processes (e.g., “loader.ja is injected into the winver.exe process (process hollowing; we’ll have more to say about this technique in Scenario 3)”).
- [T1548.002] Abuse Elevation: Bypass User Account Control – The implant employs a UAC bypass using the CMSTPLUA COM interface, injecting and elevating privileges.
- [T1543.003] Create or Modify System Process: Windows Service – The malware installs and uses a Windows service (e.g., “creates a service named gupdaten”).
- [T1071.001] Web Protocols – The malware communicates with attacker infrastructure over HTTP/HTTPS (e.g., “reverse HTTP shell, connecting to the attacker-controlled server” and specific URLs).
- [T1134] Access Token Manipulation – The analysis notes potential token-related activity (e.g., “grabs its process token”), indicating token manipulation during infection.
- [T1027] Obfuscated/Compressed Files and Information – The implants and configs are described as encrypted or obfuscated (e.g., “encrypted implants” and “encrypted config in time.sig”).
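The two T1574 entries above rest on the same mechanism: the directory of the executable is searched before System32, so a DLL dropped beside a legitimate EXE under a system-library name shadows the real library. The following hunting heuristic is an added example written for this summary, not code from the Sophos article or its authors; it scans a file inventory for exactly that pattern. The System32 inventory, the KnownDLLs subset, the file paths and the executable names (webexapp.exe is a placeholder) are constructed sample data; in a live hunt the first two would be collected from a clean reference host.

```python
"""Hunting heuristic for DLL sideloading candidates (added example, not from the article).

Windows resolves most DLLs from the application's own directory before System32
(the default search order behind T1574.001/T1574.002). A DLL sitting next to a
legitimate EXE that reuses the name of a System32 DLL is therefore worth a look.
DLLs on the KnownDLLs list are always loaded from System32 regardless of search
order, so they cannot be sideloaded this way and are excluded to cut false positives.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample of System32 contents. In practice, build this from
# os.listdir(r"C:\Windows\System32") on a clean reference host.
SYSTEM32_DLLS = {"version.dll", "kernel32.dll", "user32.dll", "wtsapi32.dll", "dbghelp.dll"}

# Constructed subset of KnownDLLs (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).
KNOWN_DLLS = {"kernel32.dll", "user32.dll"}

# Constructed file inventory shaped like the cases in the article: a legitimate
# application binary (here a placeholder name) stored beside a system-named DLL.
SAMPLE_INVENTORY = [
    r"C:\Users\Public\Webex\webexapp.exe",
    r"C:\Users\Public\Webex\version.dll",
    r"C:\ProgramData\vlc\googleupdate.exe",
    r"C:\ProgramData\vlc\libvlc.dll",          # app's own DLL, not a system name
    r"C:\Tools\app\app.exe",
    r"C:\Tools\app\kernel32.dll",              # KnownDLL: resolved from System32, not flagged
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\version.dll",        # the genuine copy in its home directory
]


def sideload_candidates(paths, system_dlls=SYSTEM32_DLLS, known_dlls=KNOWN_DLLS):
    """Return sorted (exe_path, dll_path) pairs where a non-KnownDLL system-named
    DLL sits in the same directory as an executable outside System32."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        kind = p.suffix.lower().lstrip(".")
        if kind in ("exe", "dll"):
            by_dir[str(p.parent).lower()][kind].append(p)

    hits = []
    for directory, files in by_dir.items():
        if directory.endswith("\\windows\\system32"):
            continue  # System32 legitimately holds these DLLs
        for dll in files["dll"]:
            name = dll.name.lower()
            if name in system_dlls and name not in known_dlls:
                for exe in files["exe"]:
                    hits.append((str(exe), str(dll)))
    return sorted(hits)


if __name__ == "__main__":
    for exe, dll in sideload_candidates(SAMPLE_INVENTORY):
        print(f"candidate: {exe} may load {dll}")
```

A hit is a lead, not a verdict: confirm it by checking whether the DLL carries a valid Authenticode signature from the application's vendor and by comparing its hash with the System32 copy, since some applications legitimately ship private copies of redistributable libraries.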
Indicators of Compromise
- [IP] 91.245.253.52 – Case 1 stager/C2 phone-home endpoint: “the malicious payload … connected to the attacker-controlled server: 91.245.253.52:6060/rKVI”
- [IP] 5.252.178.162 – Case 2/3 distribution server used to deliver RAR archives (e.g., c.rar, walk.rar)
- [IP] 103.253.72.116 – Case 3/5 distribution server used to host RAR archives (e.g., akjsdnfkjsnjfekse/walk.rar)
- [Domain] machinetimeer.com – Config data referenced in time.sig (e.g., “www.machinetimeer.com”)
- [Domain] www.machinetimeer.com – Embedded in configuration blocks for C2/config data
- [Hash] 7b301cea1feff0add8de512a93ed7bc1b8330caf0c3a6f1585f9887b88db8efb – Case 1 loader DLL and related components
- [Hash] 86f7661039a0855be8d6d1cb55391f398932e80c – googleupdate.exe (clean VLC EXE) in Case 2 distribution
- [Hash] 73048579a2903918bbcc601cd562e8f93459ad2a562c6537006067b59735b7b6 – log.dll (ShadowPad-related family case)
Read more: https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/