FileSyncShell.dll hijacking? Brief on the latest APT-C-24 (Rattlesnake) attack campaign

APT-C-24 (Rattlesnake) has unveiled a notably redesigned attack chain centered on FileSyncShell.dll, using DLL side-loading through explorer.exe for persistence and payload loading. The operation uses two-stage lure documents, macro-driven execution, server configuration retrieved from embedded images, and data decryption followed by reflective loading to deploy its modules.
#Rattlesnake #FileSyncShell

Keypoints

  • APT-C-24 (Rattlesnake) executed a novel attack chain built around FileSyncShell.dll; a language-version issue observed during analysis affects whether the sample runs correctly in Chinese-language environments.
  • The core persistence and execution mechanism is DLL side-loading: explorer.exe loads FileSyncShell.dll, which then drives the rest of the attack flow.
  • A two-stage lure document approach delivers the payload: the stage 1 macro document releases and triggers stage 2.
  • The stage 1 macro saves the document as an HTML page under %Temp%; the embedded content lands in the companion .files folder, which holds images and configuration data.
  • Stage 2 (rec2.doc) mirrors this flow but removes the editdata.mso data from the support folder, then downloads and decrypts additional payloads to local paths for execution.
  • The DLL family (FileSyncShell64.dll / FileSyncShell.dll / FileSyncShell.CU.dll) is extracted from resources, decrypted by XOR-ing the data with its first 32 bytes as the key, and loaded by reflection; the code also collects system information (hardware details, OS version).
  • The campaign points to a broader persistence and remote-control objective and matches the actor's historical obfuscation and resource-loading patterns.
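The two-stage lure leaves a recognisable footprint: an HTML file written to %Temp% by the SaveAs call, plus the companion `<name>.files` folder Word creates beside it, holding images, configuration data and (in stage 1) editdata.mso, which stage 2 removes. The hunt below is an added example written for this page, not code from the original article or from the actor's tooling. It builds a constructed directory tree with the described layout and flags every HTML/.files pair it finds; the file names rec.html and rec2.html are hypothetical (the report only names rec2.doc), and the presence or absence of editdata.mso is reported so stage 1 and stage 2 folders can be told apart.

```python
"""Hunt for stage-1/stage-2 lure artifacts: an HTML page plus its '<name>.files'
folder, as produced by Word's SaveAs-to-HTML. Added example, not the actor's code."""
import tempfile
from pathlib import Path

MSO_NAME = "editdata.mso"  # written by Word on SaveAs-HTML; stage 2 removes it
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".emf", ".wmf"}


def find_saveas_html_artifacts(root):
    """Return one dict per HTML file that has a sibling '<stem>.files' folder.
    The HTML/.files pairing is Word's own convention; seeing it under %Temp%
    (the root you pass in) is the hunting heuristic. Results are sorted by path."""
    root = Path(root)
    hits = []
    for html in sorted(root.rglob("*.htm*")):
        if not html.is_file():
            continue
        files_dir = html.with_name(html.stem + ".files")
        if not files_dir.is_dir():
            continue
        names = {p.name.lower() for p in files_dir.iterdir()}
        hits.append({
            "html": html.name,
            "path": str(html),
            "files_dir": str(files_dir),
            "has_mso": MSO_NAME in names,                       # True: stage-1 style folder
            "images": sum(1 for n in names if Path(n).suffix in IMAGE_EXT),
        })
    return hits


def build_constructed_temp():
    """Constructed sample tree (test data, not a real capture): a stage-1 pair
    with editdata.mso, a stage-2 pair with it removed, and a lone benign HTML."""
    tmp = Path(tempfile.mkdtemp(prefix="lure_hunt_"))
    (tmp / "rec.html").write_text("<html></html>")           # hypothetical name
    stage1 = tmp / "rec.files"
    stage1.mkdir()
    (stage1 / "image001.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (stage1 / "filelist.xml").write_text("<xml/>")
    (stage1 / "editdata.mso").write_bytes(b"\x00")
    (tmp / "rec2.html").write_text("<html></html>")          # hypothetical name
    stage2 = tmp / "rec2.files"
    stage2.mkdir()
    (stage2 / "image001.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # mso cleaned
    (tmp / "notes.html").write_text("<html></html>")         # benign: no .files folder
    return tmp


if __name__ == "__main__":
    for hit in find_saveas_html_artifacts(build_constructed_temp()):
        print(hit)
```

On a live host, point the function at the user's %Temp% (for example `Path(os.environ["TEMP"])`) and treat a hit with `has_mso` set as the stage-1 pattern and one without it as the cleaned stage-2 pattern; either way the image files in the folder are what the report says carries the server configuration, so they are the first thing to pull for analysis.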

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The attackers deliver lure documents containing macros to trigger code execution. ‘the organization uses macro code to complete subsequent code execution’
  • [T1059.005] Visual Basic – The macro code relies on VBA, including SaveAs to save the document as HTML and extract the embedded content. ‘SaveAs function saves the document as Html to the path …’
  • [T1204.002] User Execution: Malicious File – The document is opened and macros run to release and execute the second-stage document. ‘through the first-stage lure document to release and execute the second-stage document’
  • [T1574.001] Hijack Execution Flow: DLL (covers DLL Side-Loading, formerly T1574.002) – Planting FileSyncShell.dll so that explorer.exe loads it and runs the attack flow. ‘through DLL side-loading via explorer.exe to start FileSyncShell.dll’
  • [T1547.001] Boot or Logon Autostart: Registry Run Keys – Persistence is achieved by creating registry entries. ‘to complete persistence’
  • [T1082] System Information Discovery – Classic.dll collects the physical (MAC) address, CPU count, OS version, and architecture. ‘physical address, CPU count, OS version, architecture’
  • [T1027] Obfuscated/Compressed Files and Information – Data is decrypted by XOR-ing it with its first 32 bytes as the key, then loaded via reflection. ‘the first 32 bytes are XOR-ed to decrypt the subsequent data’
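The decryption scheme the report describes (the first 32 bytes of the dropped resource are the XOR key for the rest, after which the result is loaded by reflection) is simple enough to reimplement on the analyst side. The block below is an added example, not code from the article or from the actor's samples. It assumes the 32-byte key is applied cyclically over the remaining data (the report only states that the first 32 bytes are used), builds a constructed blob around a minimal fake PE image so it runs offline, and adds the PE-header sanity check a practitioner runs before ever handing decrypted output to a loader.

```python
"""Decrypt a dropped resource whose first 32 bytes are the XOR key.
Analyst-side reimplementation of the scheme described in the report; added example."""
import struct

KEY_LEN = 32  # the report: the first 32 bytes are XOR-ed against the rest


def xor_decrypt_blob(blob: bytes, key_len: int = KEY_LEN) -> bytes:
    """Split blob into key (first key_len bytes) and body, return body XOR key.
    Assumption: the key repeats cyclically over the body; the report does not
    say how the 32 bytes are extended beyond the first 32 bytes of payload."""
    if len(blob) <= key_len:
        raise ValueError("blob too short to hold a key and a payload")
    key, body = blob[:key_len], blob[key_len:]
    return bytes(b ^ key[i % key_len] for i, b in enumerate(body))


def looks_like_pe(data: bytes) -> bool:
    """Sanity check before any loader sees the output: 'MZ' magic and a
    'PE\\0\\0' signature at the e_lfanew offset stored at 0x3C."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_sample_blob(payload: bytes, key: bytes) -> bytes:
    """Constructed test data: XOR is symmetric, so encrypt the same way and
    prepend the key, mirroring the on-disk layout the report describes."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly KEY_LEN bytes")
    return key + bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(payload))


def _fake_pe_image() -> bytes:
    """Constructed minimal stand-in for a PE: MZ, e_lfanew=0x40, PE signature,
    padded with int3 bytes. Not a real sample."""
    img = bytearray(0x80)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    img[0x44:] = b"\xcc" * (0x80 - 0x44)
    return bytes(img)


FAKE_PE = _fake_pe_image()
SAMPLE_KEY = bytes(range(0x10, 0x30))  # 32 arbitrary bytes, constructed
SAMPLE_BLOB = build_sample_blob(FAKE_PE, SAMPLE_KEY)


def decrypt_and_check(blob: bytes) -> tuple:
    """What an analyst runs on a dumped resource: decrypt, then verify the
    result parses as a PE before reflective loading is even considered."""
    plain = xor_decrypt_blob(blob)
    return plain, looks_like_pe(plain)


if __name__ == "__main__":
    plain, ok = decrypt_and_check(SAMPLE_BLOB)
    print(f"decrypted {len(plain)} bytes; PE header valid: {ok}")
```

To use it on a real dump, read the extracted resource into `blob` and call `decrypt_and_check(blob)`; if the PE check fails, the first thing to revisit is the cyclic-key assumption, since a scheme that only XORs the first 32 bytes of payload (or derives the key differently) would still match the report's one-line description.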

Indicators of Compromise

  • [MD5] Hashes observed for payloads – 0cc6f7eddb1cd93d05ce9941a1d66dc6, 013513303527ab53d4b95be0ef084a9a, and 6 more hashes
  • [URL] Command-and-control and data-delivery endpoints – https://mailcantonfair.cssc.info/ChinaForeignTradeCentre-6e7d38eb, https://mailcantonfair.cssc.info/3117/1/25399/2/1/0/0/a7UrSGszlkeU4pxbesS7rZXwwwor1RvyPWSG8vNA/files-0333f997/0
  • [URL] Additional server/resource links used for payload retrieval – https://mailcantonfair.cssc.info/3117/1/25399/3/3/0/1865608801/a7UrSGszlkeU4pxbesS7rZXwwwor1RvyPWSG8vNA/files-152e08e6/1/cuuimd
  • [File] Dropped/loaded DLLs and related artifacts – FileSyncShell64.dll, FileSyncShell.dll, and related backup variants mentioned in the flow

Read more: https://mp-weixin-qq-com.translate.goog/s/qsGxZIiTsuI7o-_XmiHLHg?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en