Keypoints
- LESLIELOADER is a Golang-written loader observed by Kroll that assists initial infection and payload deployment.
- The loader uses two files: Ntmssvc.dll (loader) and RemovableStorage.dll (payload container) placed in C:\Windows\System32.
- RemovableStorage.dll contains Base64-encoded data that is AES-192 encrypted using the key “LeslieCheungKwok” with the last 32 bytes serving as the IV.
- The loader performs multiple Base64 decode stages and reconstructs shellcode, calculating a final payload size (0x83DA50) before injection.
- Process injection is performed by creating notepad.exe suspended, overwriting its entry point, and jumping to the injected SPARKRAT payload.
- The loader has been observed delivering other payloads and Cobalt Strike configurations; a YARA rule and multiple sample hashes are available for detection.
MITRE Techniques
- [T1055] Process Injection – The loader decrypts and injects the final payload into a legitimate process by creating notepad.exe suspended, overwriting its entry point, and transferring execution (‘Once the notepad.exe entry point has been overwritten, the memory address of our SPARKRAT payload is loaded into RAX and jumped to, beginning execution of the malware.’)
- [T1027] Obfuscated Files or Information – Multiple layers of Base64 encoding and AES-192 encryption are used to hide the payload data (‘RemovableStorage.dll … has undergone both Base64 encoding and AES 192-bit encryption.’)
- [T1071.001] Application Layer Protocol: Web Protocols – The loader includes an initial HTTP(S) beacon attempt to a C2 IP address before payload execution (‘Ntmssvc.dll initially attempts to beacon out to 209.141.50[.]215:443’)
Indicators of Compromise
- [IP Address] Beacon/C2 attempt – 209.141.50[.]215:443 (observed initial beacon attempt)
- [Filenames] Loader and payload container – Ntmssvc.dll, RemovableStorage.dll (Ntmssvc.dll contains loader logic; RemovableStorage.dll holds Base64+AES encrypted payload)
- [SHA-256 hashes] Confirmed sample hashes – ec45da0ca70a9b71652cc95d51665f7ad568294bd5652c395a119bccd613e9b4 (Ntmssvc.dll), b8cab11421eb4731c16cf3c34ca2b3f2a758d5e112f877b90a18b3e146c8add0 (RemovableStorage.dll), and 24 more hashes from the additional samples list
- [MD5/SHA1] Additional file identifiers – Ntmssvc.dll MD5 a8164d4d4c7c0669f01f0cec11db5c23, RemovableStorage.dll MD5 d8ed87bccf4ff55b98ee6fd229427a45
The loader operates in two primary stages. First, Ntmssvc.dll (loader) is executed with a /runcode flag and reads RemovableStorage.dll from C:\Windows\System32. RemovableStorage.dll is not a valid PE but a data container that has been Base64-encoded and AES-192 encrypted. The loader optionally attempts an HTTP(S) beacon to 209.141.50[.]215:443 but can bypass that and jump directly to a storage-decoding routine that Base64-decodes the final 32 bytes (used as IV) and loads the string “LeslieCheungKwok” into a register to serve as the AES key; it then Base64-decodes the remainder of RemovableStorage.dll and AES decrypts it, producing another layer of Base64-encoded data.
In the second stage, the loader performs additional Base64 decoding to reveal shellcode fragments, which are reconstructed into a final payload. Debugging traces show the loader dynamically calculating the payload size (0x83DA50) and preparing memory for injection by allocating matching-sized memory in a target process. The loader launches notepad.exe suspended (artifacts also reference calc.exe and cmd.exe), acquires a pointer to the process, and overwrites the entry point of notepad.exe; the SPARKRAT payload’s memory address is loaded into a register and execution is transferred to that address, allowing the injected payload to run under notepad.exe’s context.
Detection and triage notes: samples include Cobalt Strike configurations and other payloads, so the loader is not limited to SPARKRAT. Relevant sample hashes, file metadata (MD5/SHA1/SHA-256), and a YARA rule checking for the inline “LeslieCheungKwok” string are provided to hunt for this activity; for example, the YARA rule signature includes the byte sequence for “LeslieCheungKwok” and a true-positive SHA-256 match for Ntmssvc.dll. Read more: https://www.kroll.com/en/insights/publications/cyber/leslieloader-undocumented-loader-observed
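The following Python script is an added example written for this summary; it is not Kroll's code and not part of the original report. It turns the indicators and the container layout described above into a small triage tool: hash lookup against the two confirmed SHA-256 values, the same inline-string check the YARA rule performs, a check for the loader file names in the System32 drop location, the outer unwrapping of a RemovableStorage.dll-style container (trailing 32 bytes Base64-decoded as IV material, remainder Base64-decoded as ciphertext), and matching of the beacon destination in connection logs. The hashes, file names, key string and beacon address are the values quoted on the page; the sample container bytes and log lines are constructed here, and the log format is an assumption. The cipher mode for the AES step is not stated on the page, so that step is deliberately not implemented.

```python
"""Triage helpers built from the LESLIELOADER write-up above.

Added example, not Kroll's code. The hashes, file names, key string and
beacon address are the values quoted on the page; the sample container
bytes and log lines are constructed here for demonstration.
"""
import base64
import hashlib
import re
from pathlib import PureWindowsPath

# SHA-256 values of the two confirmed samples, as listed on the page.
KNOWN_SHA256 = {
    "ec45da0ca70a9b71652cc95d51665f7ad568294bd5652c395a119bccd613e9b4": "Ntmssvc.dll",
    "b8cab11421eb4731c16cf3c34ca2b3f2a758d5e112f877b90a18b3e146c8add0": "RemovableStorage.dll",
}
# Inline AES key string that the page's YARA rule keys on.
KEY_STRING = b"LeslieCheungKwok"
# Beacon destination from the page (209.141.50[.]215:443, refanged here).
C2_IP, C2_PORT = "209.141.50.215", "443"
# Drop location described on the page.
DROP_DIR = PureWindowsPath(r"C:\Windows\System32")
LOADER_NAMES = {"ntmssvc.dll", "removablestorage.dll"}
IV_TAIL_LEN = 32  # page: the final 32 bytes are Base64-decoded and used as the IV


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_file(path: str, data: bytes) -> list[str]:
    """Return sorted reasons a file matches the page's indicators (empty = none)."""
    reasons = []
    digest = sha256_hex(data)
    if digest in KNOWN_SHA256:
        reasons.append("known-hash:" + KNOWN_SHA256[digest])
    if KEY_STRING in data:  # the same check the page's YARA rule performs
        reasons.append("key-string")
    p = PureWindowsPath(path)
    # PureWindowsPath comparisons are case-insensitive, like NTFS lookups.
    if p.name.lower() in LOADER_NAMES and p.parent == DROP_DIR:
        reasons.append("loader-name-in-system32")
    return sorted(reasons)


def split_container(blob: bytes) -> tuple[bytes, bytes]:
    """Undo the outer layer of a RemovableStorage.dll-style container as the page
    describes it: the trailing 32 bytes Base64-decode to the IV material and the
    rest Base64-decodes to the AES ciphertext. The cipher mode is not stated on
    the page, so the AES step itself is left to the analyst's tooling."""
    if len(blob) <= IV_TAIL_LEN:
        raise ValueError("container too short to hold an IV tail")
    iv_material = base64.b64decode(blob[-IV_TAIL_LEN:])
    ciphertext = base64.b64decode(blob[:-IV_TAIL_LEN])
    return iv_material, ciphertext


# Assumed log format: key=value fields with a "dst=IP:PORT" field.
BEACON_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def find_beacons(log_lines) -> list[str]:
    """Return log lines whose destination is the beacon address from the page."""
    hits = []
    for line in log_lines:
        m = BEACON_RE.search(line)
        if m and m.group(1) == C2_IP and m.group(2) == C2_PORT:
            hits.append(line)
    return hits


# Constructed inputs (not real samples): 48 bytes standing in for ciphertext
# followed by 24 bytes standing in for the IV, each Base64-encoded; the IV part
# is exactly 32 characters, matching the layout the page describes.
SAMPLE_CONTAINER = base64.b64encode(b"C" * 48) + base64.b64encode(b"I" * 24)
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.5:51234 dst=209.141.50.215:443 proto=tcp action=allow",
    "2024-05-01T10:00:02Z src=10.0.0.5:51235 dst=93.184.216.34:443 proto=tcp action=allow",
]

if __name__ == "__main__":
    print(triage_file(r"C:\Windows\System32\Ntmssvc.dll", b"MZ" + KEY_STRING))
    iv, ct = split_container(SAMPLE_CONTAINER)
    print(len(iv), len(ct))
    print(find_beacons(SAMPLE_LOGS))
```

The hash lookup only fires on the two confirmed samples; the string and path checks are what catch recompiled variants, which is why the page's YARA rule keys on the inline key string rather than on a hash. Point `triage_file` at a directory walk of a suspect host and `find_beacons` at firewall or proxy logs to hunt for the activity described above.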