Scaly Wolf’s new loader: the right tool for the wrong job

The BI.ZONE Threat Intelligence team uncovered a Scaly Werewolf campaign delivering a loader that targets Russian and Belarusian organizations, using password-protected archives and phishing to deliver a malicious payload. The operation relies on in-memory execution, anti-virtualization checks, and remote access techniques, with White Snake stealer serving as the final payload and a wide set of exfiltration endpoints. #WhiteSnake #ScalyWerewolf #BIZONEThreatIntelligence #Donut #OpenSSH #ServeoNet

Key points

  • The cluster’s methods evolve continuously with new tools added to its arsenal.
  • The use of password-protected archives enables the criminals to bypass defenses and deliver malware successfully.
  • Phishing emails are sent on behalf of government agencies, increasing the likelihood that recipients open malicious attachments.
  • The loader (in2al5d p3in4er) performs anti-virtualization checks and uses GPU IDs to decide whether to run.
  • The loader injects the payload into explorer.exe and uses in-memory execution via the Donut tool.
  • The final payload is White Snake stealer v1.6.1.9, with OpenSSH/serveo.net for remote access and a broad list of data transmission endpoints.

MITRE Techniques

  • [T1566.001] Phishing – Brief description: phishing emails sent under the guise of a federal agency with a password-protected archive attachment. Quote: ‘The threat actors are distributing phishing emails under the guise of a federal agency. The emails have a legitimate document as an attachment. It aims to lull the recipient’s vigilance and prompt them to open the other file, a password-protected archive.’
  • [T1105] Ingress Tool Transfer – Brief description: downloading OpenSSH from a GitHub repository and launching it to establish remote access through serveo.net. Quote: ‘This option enables OpenSSH to be downloaded via the link to the GitHub repository (…) and launched with the following command:’
  • [T1053.005] Scheduled Task – Brief description: adding a task to the Windows Task Scheduler and self-running from a new location. Quote: ‘schtasks /create /tn "Explorer" /sc MINUTE /tr "C:\Users\[user]\AppData\Local\Roblox\Security\Explorer.EXE" /rl HIGH… START "" "C:\Users\[user]\AppData\Local\Roblox\Security\Explorer.EXE"’
  • [T1055] Process Injection – Brief description: allocating memory in explorer.exe and injecting the payload, then executing shell code. Quote: ‘the loader allocates a memory region within this process with execution rights and copies the decrypted malicious payload into it. Finally, it modifies the process context to execute the injected shell code.’
  • [T1047] Windows Management Instrumentation – Brief description: anti-VM checks using WMI to fetch device model/manufacturer. Quote: ‘The following WMI requests are used: SELECT * FROM Win32_ComputerSystem – Model; SELECT * FROM Win32_ComputerSystem – Manufacturer’
  • [T1082] System Information Discovery – Brief description: dxgi.dll is used to retrieve GPU IDs to determine if the system matches Nvidia/AMD/Intel. Quote: ‘The dxgi.dll library enables the loader to retrieve the IDs of the manufacturers of the graphics cards used in the system. Where such IDs do not match those of Nvidia, AMD, or Intel, the malicious file would stop running.’
  • [T1027] Obfuscated/Compressed Files and Information – Brief description: Donut is used to run in memory and has compression/encryption of payload. Quote: ‘The payload is the shell code obtained with the help of the open-source Donut utility, which allows executable files (…) to run in the memory. The utility has some additional features such as compression and encryption of malicious payload.’
  • [T1497.003] Virtualization/Sandbox Evasion – Brief description: anti-virtualization checks described to detect non-physical environments. Quote: ‘anti-virtualization checks: retrieves the device model and manufacturer and compares them with the program lines’
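The scheduled-task persistence above (a binary named Explorer.EXE registered with schtasks from a path under the user's AppData, and then launched via START) is straightforward to hunt for in process-creation telemetry. The following detection routine is an added example, not code from the BI.ZONE article: it runs over a few constructed, Sysmon Event ID 1-style process events (simplified to dicts) and flags three things a defender would want separately: schtasks /create registering an Explorer.EXE that does not live under the Windows directory, any command line that references such a binary, and a process image that is itself a rogue explorer.exe. The event fields, sample paths (the user name "alice") and the assumption that the legitimate Windows directory is C:\Windows are all constructed for the example.

```python
"""Hunt for the schtasks-based Explorer.EXE persistence described in the report.

Added example (not from the original article). Input is a list of constructed
process-creation events with the two fields a Sysmon Event ID 1 record always
carries: Image (the executable) and CommandLine.
"""
import re
from typing import Dict, List, Set

# Assumption: the real Windows directory is C:\Windows; adjust for other layouts.
TRUSTED_EXPLORER_PREFIX = "c:\\windows\\"

# Drive-letter paths, either "quoted with spaces" or unquoted up to whitespace.
WIN_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s"]+)')


def windows_paths(cmdline: str) -> List[str]:
    """Return every drive-letter path that appears in a command line."""
    return [quoted or bare for quoted, bare in WIN_PATH_RE.findall(cmdline)]


def is_rogue_explorer(path: str) -> bool:
    """True when a file is named explorer.exe but is not under the Windows directory."""
    low = path.lower()
    basename = low.rsplit("\\", 1)[-1]
    return basename == "explorer.exe" and not low.startswith(TRUSTED_EXPLORER_PREFIX)


def is_schtasks_create(cmdline: str) -> bool:
    """True for a schtasks invocation that registers a new task."""
    low = cmdline.lower()
    return "schtasks" in low and "/create" in low


def evaluate_event(event: Dict[str, str]) -> Set[str]:
    """Return the set of detection tags raised by one process-creation event."""
    tags: Set[str] = set()
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")

    # The process itself is an explorer.exe running from an untrusted location.
    if is_rogue_explorer(image):
        tags.add("masquerade")

    # The command line points at such a binary: either the task registration
    # (/tr argument) or a later launch of it.
    rogue_refs = [p for p in windows_paths(cmd) if is_rogue_explorer(p)]
    if rogue_refs:
        tags.add("schtasks_persistence" if is_schtasks_create(cmd) else "rogue_reference")
    return tags


# Constructed sample telemetry: one benign task, one benign Explorer launch,
# and the three stages of the persistence chain quoted in the report.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Explorer" /sc MINUTE /tr "C:\Users\alice\AppData\Local\Roblox\Security\Explorer.EXE" /rl HIGH'},
    {"Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c START "" "C:\Users\alice\AppData\Local\Roblox\Security\Explorer.EXE"'},
    {"Image": r"C:\Users\alice\AppData\Local\Roblox\Security\Explorer.EXE",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Roblox\Security\Explorer.EXE"'},
]


def scan(events: List[Dict[str, str]]) -> List[Set[str]]:
    """Evaluate every event; the i-th result is the tag set for events[i]."""
    return [evaluate_event(e) for e in events]


if __name__ == "__main__":
    for event, tags in zip(EVENTS, scan(EVENTS)):
        print(f"{event['Image']:<65} {sorted(tags) or '-'}")
```

The three tags are deliberately kept apart: the task registration is the highest-value signal, while a rogue image or a START launch on its own would also catch a variant that uses a different persistence mechanism. A production rule should additionally weigh the `/rl HIGH` and `/sc MINUTE` arguments quoted in the report and compare the image against the SHA-256 hashes listed under Indicators of Compromise.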

Indicators of Compromise

  • [IP Address] context – 185.119.118[.]59:8080, 212.6.44[.]53:8080, and other endpoints listed in the article
  • [Domain] context – serveo.net (serveo[.]net) for remote access
  • [URL] context – http://185.119.118[.]59:8080, http://212.6.44[.]53:8080, https://164.90.185[.]9:443
  • [File Name] context – Пароль 120917.txt, Права и обязанности и процедура ст. 164, 170, 183 УПК РФ.rtf, Матералы к запросу, обязательно к ознакомлению и предоставлению информации-.exe
  • [File Hash] context – 93948C7FB89059E1F63AF04FEEF0A0834B65B18FFAF6610B419ADBC0E271E23D, CBABD91FB0C1C83867F71E8DF19C131AC6FB3B3F3F74765BC24924CB9D51AD41, 10330FCC378DB73346501B2A26D2C749F51CACD962B54C62AA017DD9C1ED77C3

Read more: https://bi-zone.medium.com/scaly-wolfs-new-loader-the-right-tool-for-the-wrong-job-0b36d4c20c88