Threat actors abuse DLL sideloading to run malicious code through legitimate Microsoft applications (Teams and OneDrive), dropping and loading a malicious DLL that communicates with a remote C2 and leverages Cobalt Strike Beacon for post‑exploitation. The campaign targets an Italian services company, using macro-enabled documents to drop the payload, enumerate application paths, and perform C2 communications over cloudfront domains. #Qakbot #CobaltStrike #Teams #OneDrive #DLLSideLoading
Key points
- DLL sideloading is used to infect users by having legitimate applications load malicious DLLs that spoof legitimate ones.
- A dropped DLL (iphlpapi.dll) is loaded via sideloading by Teams/OneDrive, with a mutex to avoid multiple instances.
- Macros in the malicious document auto-execute via AutoOpen(), enabling the payload without user interaction beyond enabling macros.
- The macro code discovers the path to OneDrive and Teams, using a base64-decoded path to drop the DLL.
- The dropped DLL establishes C2 communications to a CloudFront URL, enabling a Cobalt Strike Beacon for post‑exploitation activities including lateral movement.
- Beacons provide capabilities such as command execution, keylogging, file transfer, SOCKS proxying, port scanning, and lateral movement across the network.
- IOCs include specific malicious document and DLL hashes, C2 URLs, and a download URL referenced by the actors’ infrastructure.
MITRE Techniques
- [T1574.001] DLL Side-Loading – “the dropped malicious DLL file … is sideloaded” and uses a mutex to avoid a second instance. Quote: “the dropped malicious DLL file (‘iphlpapi.dll’) is sideloaded, as shown below … sideloaded DLL malware, which creates a mutex with the name ‘MSTeams.Synchronization.Primitive.2.0’ to avoid running another instance on the same machine.”
- [T1059.005] Visual Basic – “AutoOpen() function” runs the macro automatically in the background. Quote: “the malicious document runs the macro code automatically in the background using the AutoOpen() function.”
- [T1083] File and Directory Discovery – “process() identifies the path of the OneDrive and Teams applications.” Quote: “The malware then calls the function process(), which identifies the path of the OneDrive and Teams applications.”
- [T1132] Data Encoding – “base64 decoded path” used to identify application paths. Quote: “the base64 decoded path of the OneDrive and Teams applications.”
- [T1021] Remote Services – “Cobalt-Strike Beacon … for post‑exploitation and lateral movement.” Quote: “The Beacon provides various functionalities to TAs, including command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning, and lateral movement.”
- [T1071.001] Web Protocols – “C2 URL … cloudfront.net/communications” used for command and control. Quote: “the dropped malicious DLL file … communicates to the C&C server using the below URL: d2xiq5m2a8wmm4.cloudfront[.]net/communications.”
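A defender-side check for the sideloading and C2 pattern described in the technique list above, written as an added example (not part of the original report or of the campaign's tooling): it scans Sysmon-style ImageLoad and NetworkConnect records for Teams.exe or OneDrive.exe mapping iphlpapi.dll from anywhere other than the Windows system directories, tags the load when its SHA-256 matches the reported DLL hash, and flags connections from those processes to the reported CloudFront C2 host. The event field names, the sample paths and the benign hash are assumptions; only the DLL hashes and the C2 host come from the report.

```python
# Added example: flag the Teams/OneDrive iphlpapi.dll sideloading pattern in Sysmon-style events.
# Field names are assumptions modelled on Sysmon Event ID 7 (ImageLoad) and 3 (NetworkConnect).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # where genuine iphlpapi.dll lives
HOST_PROCESSES = {"teams.exe", "onedrive.exe"}
SIDELOADED_DLL = "iphlpapi.dll"
C2_HOST = "d2xiq5m2a8wmm4.cloudfront.net"  # C2 host from the report
DLL_SHA256 = "ee56e43ed64e90d41ea22435baf89e97e9238d8e670fc7ed3a2971b41ce9ffaf"  # DLL hash from the report

def basename(path):
    """Lower-cased final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Return a finding string for one event, or None if nothing in the report matches."""
    proc = basename(event.get("Image", ""))
    if proc not in HOST_PROCESSES:
        return None
    if event["EventID"] == 7:
        loaded = event["ImageLoaded"].lower()
        # A copy of iphlpapi.dll beside the application wins the DLL search order;
        # the genuine library is only ever mapped from the Windows system directories.
        if basename(loaded) == SIDELOADED_DLL and not loaded.startswith(SYSTEM_DIRS):
            hashes = dict(p.split("=", 1) for p in event.get("Hashes", "").split(",") if "=" in p)
            tag = " (SHA-256 matches reported DLL)" if hashes.get("SHA256", "").lower() == DLL_SHA256 else ""
            return f"sideload: {proc} loaded {loaded}{tag}"
    elif event["EventID"] == 3 and event.get("DestinationHostname", "").lower() == C2_HOST:
        return f"c2: {proc} -> {C2_HOST}"
    return None

def scan(events):
    """Run check_event over a sequence of events and keep only the findings."""
    return [f for f in map(check_event, events) if f]

# Constructed sample events: paths and the benign hash are made up, the bad hashes are the report's.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "ImageLoaded": "C:\\Windows\\System32\\iphlpapi.dll", "Hashes": "SHA256=0000"},
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Teams\\current\\iphlpapi.dll",
     "Hashes": "MD5=6e1e6194dd00f88638d03db3f74bb48a,SHA256=" + DLL_SHA256},
    {"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "DestinationHostname": "d2xiq5m2a8wmm4.cloudfront.net"},
    {"EventID": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

The same iphlpapi.dll loaded from System32 by the same Teams.exe produces no finding, so the rule keys on the load path rather than on the DLL name alone.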
Indicators of Compromise
- [MD5] Malicious Document – 697ac31e2336c340e46ae8a777f51cdb; Context: MD5 hash of the malicious document used to deliver the payload.
- [SHA-1] Malicious Document – 91bd5585383685b82af8e801ce8f43586a797f49; Context: SHA-1 of the malicious document.
- [SHA-256] Malicious Document – 92e7395073c6588e1d8172148525144189c3d92ed052a163b8f7fad231e7864c; Context: SHA-256 of the malicious document.
- [MD5] Sideloaded DLL – 6e1e6194dd00f88638d03db3f74bb48a; Context: MD5 of the dropped DLL prior to renaming.
- [SHA-1] Sideloaded DLL – d4a3050246d30a26671d05b90ffa17de39d5e842; Context: SHA-1 of the dropped DLL.
- [SHA-256] Sideloaded DLL – ee56e43ed64e90d41ea22435baf89e97e9238d8e670fc7ed3a2971b41ce9ffaf; Context: SHA-256 of the dropped DLL.
- [URL] Cobalt-Strike C2 URL – d2xiq5m2a8wmm4.cloudfront.net/communications; Context: C2 endpoint used by the Beacon.
- [URL] Download URL (doc) – hxxps://laureati-prelios.azureedge[.]net/forms/Modulo_Testimone_Universitario_v3.doc; Context: download URL referenced in the indicators.