Starting in November 2022, Morphisec has been tracking an advanced info stealer we have named "SYS01 stealer." SYS01 stealer uses similar lures and loading techniques to another information stealer recently dubbed S1deload by the Bitdefender group, but the actual payload (stealer) is different. We have seen SYS01 stealer attacking critical government infrastructure employees, manufacturing companies, and other industries.

The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, cracked software, etc. to lure victims into downloading a malicious file. The attack is designed to steal sensitive information, including login data, cookies, and Facebook ad and business account information.

The campaign was first seen in May 2022 and was initially attributed to the Ducktail operation by Zscaler. (This attribution was later discovered to be incorrect.)

In this blog we explore the various methods used to distribute SYS01 stealer. We show how the attacker has advanced the delivery chain over the past five months, adding Rust, Python, PHP, and advanced PHP encoders to successfully evade security vendors.

The attack begins by luring a victim to click on a URL from a fake Facebook profile or advertisement to download a ZIP file that pretends to contain an application, game, movie, etc. The infection chain is divided into two parts: the loader, and the Inno-Setup installer that drops the final payload.

The loader is usually a legitimate C# application susceptible to a side-loading vulnerability, shipped together with a hidden malicious dynamic link library (DLL) that is eventually side-loaded into the application. This legitimate application drops the Inno-Setup installer, which decompresses to a whole PHP application containing malicious scripts. The PHP scripts are responsible for stealing and exfiltrating information. The scripts are encoded using different techniques, which makes their analysis and detection harder.

We've seen the payload delivered in diverse ways, including DLL side-loading, Rust and Python executables, and many others. All methods eventually drop an Inno-Setup installer which, at the next stage, drops and executes the PHP information stealer.

In the next sections we elaborate on the various delivery techniques and luring themes the attackers use. Note: these delivery methods are representative samples. There are many other variations of these methods with minor modifications.

In the first of these methods, the victim downloads a zipped folder with different luring themes, such as world cup live streaming, free applications, and more, that abuses a legitimate application vulnerable to DLL side-loading. The zipped folder usually holds the following files:

- A benign, legitimate executable abused to side-load the malicious DLL
- A ZIP or self-extracting archive (SFX) containing legitimate HTML webpages used as a decoy
- The Inno-Setup installer to be executed (base64 encoded with some string modifications)

[Figure: Western Digital's WDSyncService.exe executable abused to side-load a malicious DLL]

The malicious DLL has two main goals: displaying the decoy to the victim and executing the Inno-Setup installer. It does this by creating a thread that checks whether the License file exists. If it doesn't, it downloads the file from its command and control (C2) server, then decodes and executes it. In the main thread the SFX/ZIP file is executed/decompressed, and the victim is shown the decoy HTML files.

In some samples we noticed cases where the .dat and License files are not included in the zipped folder. Instead, they're downloaded from the C2 using the following pattern:

- .dld: download the License (base64 encoded with string replacements)
- .dat: the .dat file with the decoys

As mentioned, the License file is the next-stage Inno-Setup installer that drops the PHP information stealer.

In the next method, the victim downloads a ZIP folder that purportedly contains an application, movie, etc.

[Figure: Garmin's ElevatedInstaller.exe executable abused to side-load malicious DLL]

The above image shows an example of Garmin's ElevatedInstaller.exe being abused to side-load the malicious DLL. Once the executable starts running, it side-loads the malicious DLL, which decodes and drops three files to the %temp% folder. One of them is rhc.exe (hidec), an executable that accepts another executable as an argument and runs it with a hidden console. Next, it creates a scheduled task that runs the Rust executable by passing it as an argument to rhc.exe.
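The delivery chain described above leaves a recognisable trail in endpoint telemetry: a known signed host executable (ElevatedInstaller.exe, WDSyncService.exe) running from a download folder and loading a DLL from that same folder, an Inno-Setup stage unpacking under %temp%, and rhc.exe being handed an executable by a scheduled task. The script below is an added detection example written for this post; it is not Morphisec's code or tooling. It assumes Sysmon-like event records (EventID 1 process-create with Image/CommandLine/ParentImage, EventID 7 image-load with ImageLoaded), all sample paths and the DLL name are constructed placeholders, and the trusted install roots, the Inno-Setup `is-XXXXX.tmp` staging directory and svchost.exe as the Task Scheduler parent are the author's assumptions about the environment.

```python
import re
from pathlib import PureWindowsPath

# Legitimate, signed executables the report names as side-loading hosts.
SIDELOAD_HOSTS = {"elevatedinstaller.exe", "wdsyncservice.exe"}

# Install roots where those hosts are expected to live (assumed); a copy running
# from a user-writable location (Downloads, %temp%, AppData) is the lure's ZIP folder.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Inno-Setup unpacks its real installer image into %TEMP%\is-XXXXX.tmp before
# running it, so a stage started from there matches the report's next stage.
INNO_TEMP_DIR = re.compile(r"\\temp\\is-[a-z0-9]+\.tmp\\", re.IGNORECASE)

# Hidden-console launcher named in the report: rhc.exe <target.exe>, quoted or not.
RHC_TARGET = re.compile(r'rhc\.exe"?\s+(?:"([^"]+\.exe)"|(\S+\.exe))', re.IGNORECASE)


def _trusted(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def _directory(path):
    return str(PureWindowsPath(path).parent).lower()


def check_event(ev):
    """Return a list of (rule_id, detail) findings for one event."""
    findings = []
    image = ev.get("Image", "")
    name = PureWindowsPath(image).name.lower()

    if ev.get("EventID") == 1:  # process create
        cmd = ev.get("CommandLine", "")
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        target = RHC_TARGET.search(cmd)
        if name == "rhc.exe" and target:
            # Assumption: Task Scheduler starts tasks under the Schedule service
            # host (svchost.exe), so that parent supports the scheduled-task step.
            via = " via svchost.exe (Task Scheduler)" if parent == "svchost.exe" else ""
            findings.append(("hidec_launcher", (target.group(1) or target.group(2)) + via))
        if name in SIDELOAD_HOSTS and not _trusted(image):
            findings.append(("sideload_host_untrusted_path", image))
        if INNO_TEMP_DIR.search(image):
            findings.append(("inno_setup_stage_from_temp", image))

    elif ev.get("EventID") == 7:  # image load
        loaded = ev.get("ImageLoaded", "")
        # Windows resolves DLLs from the application directory first, so a known
        # host loading a DLL from its own untrusted folder is the side-loading
        # pattern the report describes.
        if (name in SIDELOAD_HOSTS and loaded.lower().endswith(".dll")
                and _directory(loaded) == _directory(image) and not _trusted(loaded)):
            findings.append(("dll_sideload_from_app_dir", loaded))
    return findings


def scan(events):
    """Apply check_event to every event and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not from the report): four events following the
# described chain, then two benign events for the same host application.
DL = "C:\\Users\\victim\\Downloads\\WorldCup-Live"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": DL + "\\ElevatedInstaller.exe",
     "CommandLine": "ElevatedInstaller.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": DL + "\\ElevatedInstaller.exe",
     "ImageLoaded": DL + "\\example-sideloaded.dll"},  # placeholder DLL name
    {"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\is-AB12C.tmp\\License.tmp",
     "CommandLine": "License.tmp", "ParentImage": DL + "\\ElevatedInstaller.exe"},
    {"EventID": 1, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\rhc.exe",
     "CommandLine": "rhc.exe C:\\Users\\victim\\AppData\\Local\\Temp\\payload.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    {"EventID": 1, "Image": "C:\\Program Files\\Garmin\\ElevatedInstaller.exe",
     "CommandLine": "ElevatedInstaller.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Garmin\\ElevatedInstaller.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The Inno-Setup rule on its own will also fire for any legitimate Inno-Setup installer, so in practice it is the correlation that matters: the same host process appearing in the untrusted-path and side-load findings shortly before an `is-*.tmp` stage, followed by rhc.exe under the Task Scheduler host, reproduces the order of the chain described in the post.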