
How an APT Technique Turns into a Public Red Team Project

Introduction

DLL Sideloading (T1574.002) stands as a remarkably effective stratagem employed by adversaries to execute their own malicious code, while clandestinely leveraging the implicit trust placed in legitimate applications. This report dissects the multifaceted nuances of DLL Sideloading, delving into its mechanics, the prevalence of victim applications, and its reverberating impact on the cybersecurity landscape.

The Art of Trust Manipulation

At the core of DLL Sideloading lies the manipulation of trust. Adversaries artfully exploit the trust that users confer upon genuine applications to covertly introduce their malevolent payloads. This technique operates on the premise that antimalware engines are less likely to flag such activities as malicious, given the seemingly benign context of the attack. By infiltrating the trusted environment of legitimate software, attackers can operate incognito and evade the vigilant gaze of cybersecurity defenses.

Evidentiary Trail of Exploitation

During 2023, Yoroi’s Malware ZLab researchers have thoroughly documented a surge in attacks orchestrated through DLL Sideloading. The 3CX Supply Chain attack is a glaring example of this technique in action, where a malicious 'ffmpeg.dll' played a pivotal role. Such instances bring to the forefront the vulnerability of a plethora of legitimate software applications that inadvertently serve as conduits for adversarial actions. It is imperative to take stock of the substantial array of exploitable legitimate software, prompting proactive measures such as tracking and monitoring to thwart potential attacks.

Emergence of Repackaged Threats: APT29's Chameleon Strategy

An intriguing illustration of this landscape emerges with the emergence of a repackaged campaign mirroring the tactics of APT29. Palo Alto Networks' Unit42 scrutinized a campaign bearing uncanny similarities, revealing a reengineering of techniques. A significant alteration observed in this iteration is the transition from BruteRatel to CobaltStrike, indicative of the dynamic nature of adversary tactics. The inclusion of the PDB string “OneDriveUpdaterSideloading,” connected to a public GitHub repository, points toward the meticulous orchestration behind these campaigns.

Invariably, the unveiling of novel techniques leads to rapid exploitation by both malevolent cybercriminals and proactive adversary simulations. This case serves as an eloquent testament to the transformative journey from legitimate research to a tool wielded by threat actors. This chasm between the virtuous intentions of research and the perverted objectives of cybercriminals underscores the dire need for preemptive strategies and adaptive defenses.

Charting the Uncharted: A Deep Dive into Threat Landscape Dynamics

Considering these events, understanding the Tactics, Techniques, and Procedures (TTPs) that underpin DLL Sideloading has assumed paramount importance. The symbiotic relationship between exploitable legitimate software and insidious techniques necessitates a granular exploration. This investigation seeks to unravel the intricate interplay between threat actors, vulnerable software, and defensive countermeasures.

The realm of DLL Sideloading presents a formidable challenge, demanding a harmonious interplay of offensive and defensive strategies. As demonstrated by the 3CX Supply Chain attack and the evolving APT29 campaigns, the art of DLL Sideloading showcases the artful manipulation of trust. With the twin specters of exploitation and emulation looming large, the cybersecurity landscape necessitates constant evolution and proactive measures. This report embarks on a journey to decipher the complex choreography between adversary and defender, shedding light on the enigmatic realm of DLL Sideloading and its profound ramifications.

Technical analysis

The genesis of this research can be traced back to the identification of a dubious sample across multiple platforms. Upon closer examination, a noteworthy revelation emerged – the characteristics and methodologies exhibited by this sample bore a striking resemblance to those elucidated in a research report published by Palo Alto Networks a year prior. This intriguing alignment prompted us to pursue an in-depth investigation, delving into the intricate details of this suspicious sample and its potential implications within the broader cybersecurity landscape.

Our initial encounter with this enigmatic sample stirred a sense of curiosity and urgency. As we delved deeper into its attributes, we were captivated by the echoes of a previously documented research endeavor conducted by Palo Alto Networks. This congruence in techniques piqued our interest, prompting a meticulous analysis aimed at unearthing potential connections, nuances, and trends that could shed light on the evolving threat landscape.

As a consequence, we embarked on a comprehensive journey to decipher the underlying mechanics of this suspicious sample. The contextual thread woven between these two distinct instances – separated by time yet united by technique – sparked a cascade of inquiries. What propelled the persistence of these techniques across different time frames? How have threat actors evolved and adapted over the course of a year? What implications might these shared methodologies hold for the future of cybersecurity?

Intriguingly, the resonance between the two instances extended beyond superficial similarities. As we dissected the layers of code and behavior, we began to unravel a narrative that transcended the temporal gap. The eerie familiarity of tactics, techniques, and procedures (TTPs) underscored the tenacity of certain adversarial approaches, shedding light on the enduring effectiveness of certain tactics.

To augment our exploration, we embarked on a comparative analysis, mapping the nuances of the suspicious sample against the backdrop of earlier research findings. This comparison not only deepened our understanding of the techniques at play but also illuminated potential evolutionary trajectories.

As we traverse the landscape of this research endeavor, we unveil a tapestry interwoven with shared strategies, tactics, and modus operandi. Our journey goes beyond a mere replication of findings; it embraces a quest to discern the underlying motivations, the shifting dynamics, and the relentless pursuit of an evolving adversary.

In the pages that follow, we present a comprehensive exploration that not only expounds upon the resonating techniques but also delves into the implications and proactive measures that can be derived from this synthesis. The symbiotic relationship between past and present insights forms the bedrock of our inquiry, an inquiry driven by the pursuit of knowledge and the fortification of defenses in an ever-evolving digital landscape.

This new sample has the following static information:

Hash: c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8
Threat: CobaltStrike
Brief Description: Campaign using DLL Sideloading emulating APT29 techniques

Within the confines of this investigation, a file of significant interest emerged – an ISO archive that harbored a myriad of revelations. Upon a closer examination of its contents, a compelling correspondence was uncovered. The files encapsulated within this ISO archive resonated with those highlighted in the campaign dossier curated by Palo Alto Networks. This intriguing synchronicity, while not immediately evident, yielded insights of paramount significance.

The surface layer of this enigmatic ISO archive unveiled a conspicuous file – an LNK file that seemingly occupied the spotlight. Yet, beneath this visible veneer lay a concealed realm, a covert enclave of files that remained shrouded from immediate view. This intricate play of visibility and secrecy evoked a sense of intrigue, prompting us to embark on a journey of exploration to decipher the cryptic essence encoded within this repository.

Layer upon layer of intricacy unfolded as we navigated the landscape of this ISO archive. This tapestry of concealed files, each bearing a narrative waiting to be unveiled, spoke to the meticulous orchestration that lay at the heart of this endeavor. It beckoned us to delve deeper, to unearth the intricacies that lay beneath the surface and shed light on the grander scheme at play.

As we embarked on the process of unveiling these hidden entities, a symphony of questions resonated within our minds. What purpose did these concealed files serve? How did they intertwine with the overarching narrative of the campaign documented by Palo Alto Networks? Were they simply pawns in a larger chess game, or did they hold the key to deciphering the tactics, techniques, and procedures that defined this intricate web of activity?

This revelation marked a pivotal juncture in our exploration, underscoring the complexity and multifaceted nature of the threat landscape. As the layers of this ISO archive unfurled before us, we recognized the need to meticulously scrutinize each fragment, each file, and each association. In doing so, we aimed not only to decipher the tactics employed but also to glean insights into the strategic underpinnings that guided the orchestration of this campaign.

In the subsequent phases of this investigation, we delve deeper into the labyrinthine corridors of this ISO archive, mapping the interconnections, deciphering the concealed narratives, and ultimately illuminating the overarching design that binds these files together. With each layer unveiled, our understanding of the campaign's intricacies grows, propelling us toward a more comprehensive comprehension of the tactics at play and the implications they hold within the evolving landscape of cybersecurity.

As we traverse this uncharted terrain, the ISO archive stands as a testament to the artful concealment that underpins contemporary cyber operations. It serves as a stark reminder that within the digital realm, what meets the eye is often a fraction of the story, and it is only through unwavering diligence and meticulous scrutiny that the full narrative can be uncovered. In the pages that follow, we invite you to join us on this journey of revelation, as we endeavor to unlock the secrets that lie within the concealed confines of this enigmatic ISO archive.

Figure 1: Content of the ISO file

Nestled within this package lies a comprehensive toolkit, meticulously curated to facilitate the art of sideloading within the seemingly innocuous façade of Microsoft's legitimate OneDrive application. This toolkit, an ensemble of elements strategically chosen to orchestrate this subversive dance, beckons us to explore the shadows that underlie this seemingly benign software.

At the epicenter of this intricate ensemble rests the "version.dll" library, a seemingly inconspicuous repository housing a nefarious payload. This malicious code, concealed within the very fabric of the library, remains poised for execution. The key to its activation lies in the sideloading mechanism facilitated by the "OneDriveStandaloneUpdater.exe" file—a seemingly innocuous entity that serves as a covert conduit for the surreptitious introduction of the malicious "version.dll."

In the wake of this revelation, a decision of profound significance was made. A comparative analysis was embarked upon, aimed at scrutinizing the very core of the "version.dll" library's malevolent essence.

This journey of exploration led us to an enthralling revelation—an intricate tapestry of difference that lay between the original sample attributed to APT29 and the repackaged variant under our scrutiny. This visual depiction, akin to a comparative map charting the evolution of malevolence, unfurled before us, illustrating the subtle but significant alterations that had transpired.

The juxtaposition of these versions painted a nuanced portrait—one that echoed the evolution of threat actors, their insidious innovation, and their relentless pursuit of evading detection. The side-by-side comparison unveiled a dance of modification, where the adversary's toolset underwent refinement, adaptation, and transformation, underscoring the fluid and dynamic nature of their strategies.

This revelation not only enriched our understanding of the adversarial mindset but also unveiled a thread that intertwined disparate instances. The synergy between past and present, original and reimagined, bore witness to the meticulous orchestration that drives the evolution of cyber threats.

Figure 2: Comparison between the original sample and the repackage

The orchestrated sequence of events unfolds with a remarkable symmetry, presenting an execution flow that mirrors its predecessor in meticulous detail. This intricate choreography culminates in a seamless continuum where the LNK file, with its understated yet pivotal role, acts as the conductor of this malevolent orchestra.

At the crux of this orchestrated symphony lies the moment of ignition—a seemingly innocent activation of "OneDriveStandaloneUpdater.exe." However, beneath this innocuous veneer lies a subversive intent that sets in motion a cascade of actions. Like a masterful magician, this executable skillfully undertakes the process of sideloading the formidable "version.dll," a vessel housing the malicious code that underpins the adversary's covert ambitions.

Parallel to this intricate dance of deception, the authentic "vresion.dll"—its legitimate counterpart—resides with unassuming grace. This nuanced mimicry serves as a shroud of authenticity, a ruse designed to ensure the execution proceeds without raising the alarm. As "OneDriveStandaloneUpdater.exe" navigates the labyrinthine network of exported functions, a cunning ruse is enacted.

In a mesmerizing twist of ingenuity, the calls initiated by "OneDriveStandaloneUpdater.exe" are deftly redirected, a seamless proxying of intentions. The facade of "vresion.dll" acts as the intermediary, its presence imperceptibly guiding the execution towards the intended destination. This orchestrated misdirection ensures that the adversary's intent remains concealed, even as the wheels of execution turn.
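The sideloading layout described above (a DLL named like a system library placed next to a legitimate, signed executable outside the system directories, with the real library kept alongside under a transposed name so the malicious copy can proxy its exports) can be triaged mechanically. The following is an added example written for this post, not Yoroi's tooling or the GitHub project's code: it scans a constructed directory listing, modelled on Figure 1, and reports candidates. The `COMMONLY_SIDELOADED` list, the `FileEntry` record and the sample paths are assumptions for the demo.

```python
"""Triage helper: flag DLL-sideloading candidates in a directory listing.

Added example for this write-up (not Yoroi's tooling). It inspects a
constructed listing and reports the pattern described in the text: an
unsigned DLL carrying the name of a well-known system DLL that sits next to
a signed executable outside the system directories, optionally with a
look-alike twin (e.g. "vresion.dll") that the malicious copy proxies to.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that executables resolve from their own directory first and that
# are therefore commonly hijacked. "version.dll" is the one on this page; the
# rest are well-known sideloading targets (assumption: extend with your own).
COMMONLY_SIDELOADED = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass
class FileEntry:
    path: str
    signed: bool  # Authenticode verification result, as an analyst would record it


def is_transposition_twin(a, b):
    """True when `b` equals `a` with exactly one pair of adjacent characters swapped."""
    if len(a) != len(b) or a == b:
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def find_sideload_candidates(entries):
    """Group files by directory and apply the checks; returns a list of findings."""
    by_dir = {}
    for e in entries:
        p = PureWindowsPath(e.path)
        by_dir.setdefault(str(p.parent).lower(), []).append(e)

    findings = []
    for directory, files in by_dir.items():
        if directory.startswith(SYSTEM_DIRS):
            continue  # system DLLs belong here; nothing suspicious
        names = {PureWindowsPath(f.path).name.lower(): f for f in files}
        signed_exes = [n for n in names if n.endswith(".exe") and names[n].signed]
        for dll_name in names:
            if dll_name not in COMMONLY_SIDELOADED or not signed_exes:
                continue
            if names[dll_name].signed:
                continue  # a signed copy is far less likely to be the planted one
            twins = [n for n in names
                     if n.endswith(".dll") and is_transposition_twin(dll_name, n)]
            findings.append({
                "directory": directory,
                "dll": dll_name,
                "hosts": signed_exes,
                "proxy_twin": twins[0] if twins else None,
            })
    return findings


# Constructed sample listing modelled on Figure 1 (not the real ISO contents).
SAMPLE_LISTING = [
    FileEntry(r"D:\OneDriveStandaloneUpdater.exe", signed=True),
    FileEntry(r"D:\version.dll", signed=False),
    FileEntry(r"D:\vresion.dll", signed=True),
    FileEntry(r"D:\OneDrive.Update", signed=False),
    FileEntry(r"C:\Windows\System32\version.dll", signed=True),
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_LISTING):
        print(finding)
```

On the sample listing this reports a single candidate: the unsigned `version.dll` next to the signed updater, with `vresion.dll` identified as the transposed twin; the genuine `version.dll` under System32 is ignored. In practice the signature field would come from a real Authenticode check and the twin test can be widened to other edit distances.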

This intricate ballet of deception showcases a level of sophistication that is emblematic of an evolving threat landscape. It underscores the adversary's astute understanding of software intricacies and their resourceful manipulation of trusted processes. With every seamlessly proxied call, the adversary gains a foothold in the digital ecosystem, inching closer to their nefarious objectives.

As we delve further into the depths of this orchestrated symphony, we unravel not just a mere sequence of events, but a narrative that highlights the convergence of innovation and malevolence. In the subsequent sections, we venture into the heart of this intricate mechanism, peeling back the layers to expose the techniques, tactics, and procedures that underlie this deceptive dance. Through this exploration, we aim not only to dissect the mechanics of deception but also to arm defenders with the insights needed to fortify their defenses and thwart the relentless advances of cyber adversaries.

Figure 3: A dynamic and a static view of the exports proxied to the legit DLL

Subsequently, the examined sample meticulously undertakes a comprehensive process enumeration, diligently seeking out the presence of the "RuntimeBroker.exe" entity. This intricate pursuit serves as a pivotal moment in the unfolding narrative, as it sets the stage for a series of meticulously orchestrated maneuvers that reveal the adversary's ingenuity.

With the tenacity of a digital detective, the sample delves deeper, culminating in the decryption of a concealed shellcode nestled within the cryptic confines of the "OneDrive.Update" file. This transformation is achieved through an intricate dance of algorithms, with the shellcode being XORed with a hardcoded string—an ingenious technique that serves as a key to unlock the malevolent potential encoded within.
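To make the decryption step concrete from the analyst's side, here is an added example (not Yoroi's code, and not the sample's key or shellcode, which are deliberately not reproduced): a repeating-key XOR decoder, plus the known-plaintext trick analysts use to recover a hard-coded key when they know how the payload begins. The key `DemoKey`, the blob and the known prefix are all constructed for the demo.

```python
"""Analyst-side decoder for a payload XORed with a hard-coded string key.

Added example, not Yoroi's code. The key, the "encrypted" blob and the known
prefix below are constructed stand-ins; the real sample's key and shellcode
are not reproduced here.
"""
from itertools import cycle


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for repeating-key XOR.

    If the first `key_len` bytes of the plaintext are known (analysts often
    know how a payload starts), XORing them with the ciphertext yields the key.
    """
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_with_key(ciphertext[:key_len], known_plaintext[:key_len])


# Constructed stand-ins (NOT the real artifacts).
DEMO_KEY = b"DemoKey"
DEMO_PAYLOAD = b"PAYLOAD-HEADER" + bytes(range(32))
DEMO_BLOB = xor_with_key(DEMO_PAYLOAD, DEMO_KEY)  # what "OneDrive.Update" would hold


def demo():
    # 1. Decrypt with the right key.
    plain = xor_with_key(DEMO_BLOB, DEMO_KEY)
    # 2. A build that appends one character to the key (the single difference
    #    this report later notes between the compiled project and the malicious
    #    DLL) decodes only the first len(DEMO_KEY) bytes correctly, then diverges,
    #    so the original key cannot simply be reused on the repackaged sample.
    wrong = xor_with_key(DEMO_BLOB, DEMO_KEY + b"s")
    # 3. Recover the key from a known prefix, given a guessed key length.
    recovered = recover_key(DEMO_BLOB, b"PAYLOAD-HEADER", len(DEMO_KEY))
    return plain, wrong, recovered


if __name__ == "__main__":
    plain, wrong, recovered = demo()
    print("decrypted ok:", plain == DEMO_PAYLOAD)
    print("bytes correct with wrong key:", sum(a == b for a, b in zip(wrong, DEMO_PAYLOAD)))
    print("recovered key:", recovered)
```

The key length is the one unknown in step 3; in practice it is found by trying short lengths until the recovered key, applied to the whole blob, yields output that keeps making sense past the known prefix.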

The narrative advances with a symphony of injected intent, as the decrypted shellcode takes center stage. The sample deftly leverages a sequence of operations—NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx—to breathe life into the extracted shellcode. This strategic orchestration is not just a mere act of execution; it is a carefully choreographed ballet of subversion, as the shellcode establishes its presence within the digital realm.

Within the cryptic constructs of the decrypted shellcode, a revelation of paramount significance emerges—an ephemeral connection to a Command and Control (C2) entity, the unseen puppeteer orchestrating this elaborate play. The address (193.37.254.]27) looms as a beacon of communication, a conduit through which the adversary marshals their machinations. This connectivity, laden with implications, forms the crux of a malleable C2 profile—an attribute that underscores the adversary's adaptability and cunning.

Figure 4 presents the decrypted shellcode in all its intricate glory. This visual representation, akin to an artist's canvas, showcases the intricate brushstrokes of code that define the essence of the adversary's intent. Every line, every instruction, and every nuance is unveiled, inviting us to decipher the underlying motivations and tactical maneuvers that form the core of this cyber narrative.

Figure 4: Decryption of the shellcode using XOR

Following the successful injection into the confines of the RuntimeBroker.exe process, the shellcode embarks on a sophisticated journey that showcases its dexterity and adaptability within the digital landscape. This pivotal juncture marks the commencement of a series of meticulously orchestrated actions, each layer revealing the depth of the adversary's technical acumen.
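The injection sequence named above (NtCreateSection, then NtMapViewOfSection into another process, then NtCreateThreadEx in that process) is a detectable shape in an API trace. The following is an added detection sketch, not Yoroi's code: it runs over constructed, sandbox-style trace lines in an assumed `pid|image|api|target_pid` format and flags a source process that completes all three stages against the same remote target, while ignoring the self-mapping that ordinary processes do all the time.

```python
"""Detection sketch: remote section-mapping injection seen through an API trace.

Added example, not Yoroi's code. Trace format is an assumption:
"<pid>|<image>|<api>|<target_pid>". The image names are the ones this report
discusses; the PIDs and call order are constructed.
"""
from collections import defaultdict

SAMPLE_TRACE = """\
4242|OneDriveStandaloneUpdater.exe|NtQuerySystemInformation|4242
4242|OneDriveStandaloneUpdater.exe|OpenProcess|5151
4242|OneDriveStandaloneUpdater.exe|NtCreateSection|4242
4242|OneDriveStandaloneUpdater.exe|NtMapViewOfSection|4242
4242|OneDriveStandaloneUpdater.exe|NtMapViewOfSection|5151
4242|OneDriveStandaloneUpdater.exe|NtCreateThreadEx|5151
5151|RuntimeBroker.exe|LoadLibraryExA|5151
7000|explorer.exe|NtCreateSection|7000
7000|explorer.exe|NtMapViewOfSection|7000
"""

STAGES = ("NtCreateSection", "NtMapViewOfSection", "NtCreateThreadEx")


def parse_trace(text):
    """Turn the pipe-separated trace into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, image, api, target = line.split("|")
        events.append({"pid": int(pid), "image": image, "api": api, "target": int(target)})
    return events


def detect_remote_section_injection(events):
    """One finding per (source pid, target pid) that completes all three stages.

    State per source pid: has it created a section; then, per target pid,
    whether a *remote* NtMapViewOfSection was seen. NtCreateThreadEx against a
    target in that set closes the chain. Self-mappings (target == pid) are
    normal and never advance the state, so explorer.exe below is not flagged.
    """
    images = {ev["pid"]: ev["image"] for ev in events}
    created_section = set()
    mapped_remote = defaultdict(set)  # source pid -> {target pids}
    findings = []
    for ev in events:
        pid, api, target = ev["pid"], ev["api"], ev["target"]
        if api == STAGES[0]:
            created_section.add(pid)
        elif api == STAGES[1] and target != pid and pid in created_section:
            mapped_remote[pid].add(target)
        elif api == STAGES[2] and target in mapped_remote[pid]:
            findings.append({
                "source_pid": pid,
                "source_image": ev["image"],
                "target_pid": target,
                "target_image": images.get(target, "?"),
            })
            mapped_remote[pid].discard(target)
    return findings


if __name__ == "__main__":
    for finding in detect_remote_section_injection(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The rule is deliberately stateful rather than a single-event match: each of the three calls is benign on its own, and it is the ordered combination, crossing a process boundary, that is worth an alert. A real deployment would add a time window and expire state for processes that exit.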

With the precision of a master conductor, the shellcode deftly employs stackstrings as its instruments of choice. This strategic utilization serves as a testament to the shellcode's flexibility and resourcefulness, allowing it to dynamically load a carefully curated selection of Libraries and Application Programming Interfaces (APIs). This dynamic loading process emerges as a cornerstone of the shellcode's operational strategy—a technique that empowers it to interact with its environment, ensuring a seamless and covert execution of its intent.

In essence, the use of stackstrings forms a harmonious bridge between the shellcode and the targeted Libraries and APIs. This nuanced interaction not only underscores the sophistication of the adversary's design but also serves as a testament to their intricate understanding of software dynamics. Through this strategic dance, the shellcode lays the foundation for a symphony of actions, orchestrating an ensemble of interactions that operate beneath the surface, concealed from prying eyes.

As the shellcode navigates through the labyrinthine network of stackstrings, its quest to load the desired Libraries and APIs unfolds with an air of precision. Each stackstring serves as a note in a grand musical composition, contributing to the creation of a melody that resonates within the digital realm. This symphonic interplay, while intricate, carries with it the potential for far-reaching consequences—enabling the shellcode to unlock new avenues of interaction, transcend boundaries, and execute its intentions with finesse.

Figure 5: Dynamic loading of the "wininet" DLL as a reversed string in hex format

In pursuit of the vital references to the shared libraries crucial for its intricate dance, the shellcode embarks on a meticulous journey that takes it through the intricate terrain of the Process Environment Block (PEB). This expedition serves as a testament to the shellcode's strategic prowess, highlighting its ability to navigate the digital landscape with precision and purpose.

Within the depths of the PEB, a hidden universe of Dynamic Link Libraries (DLLs) awaits discovery. The shellcode's quest is not mere chance; it is a calculated pursuit driven by the imperative to locate the elusive key that will unlock its intended actions. Through the meticulous enumeration of DLLs, the shellcode diligently scans the virtual horizon, seeking out the beacon that will guide its next move.

Amid this intricate dance, the shellcode's gaze alights upon the coveted treasure—an invocation of the LoadLibraryExA function. This function, an essential tool within the shellcode's arsenal, possesses the unique ability to summon the potent capabilities housed within the wininet.dll library. Like a skilled locksmith with a master key, the LoadLibraryExA function unfurls the gateway to the desired library, ushering in a cascade of possibilities.

The invocation of LoadLibraryExA transcends mere technicality; it is an incantation that brings forth the powers of wininet.dll into the digital realm. This library, renowned for its network-related functionalities, assumes a pivotal role in the shellcode's unfolding narrative. With its capabilities now at the shellcode's disposal, a new realm of interaction and manipulation is unveiled, offering the potential to traverse the digital landscape with an air of invincibility.

In the subsequent stages of our exploration, we venture into the intricacies of the shellcode's interaction with LoadLibraryExA and wininet.dll. Through a meticulous analysis, we aim to not only unearth the technical mechanics at play but also to grasp the strategic implications that stem from this orchestrated sequence. By peering into the heart of this interaction, we equip ourselves with the insights needed to anticipate and counter the adversary's movements, forging a path towards a fortified digital defense.

Figure 6: Loading wininet.dll through the navigation of the PEB

Regrettably, as of the time of compiling this report, the Command and Control (C2) channel has been rendered dormant—an elusive echo in the vast expanse of the digital realm. This poignant pause underscores the fluidity of the cyber landscape, where adversaries and defenders engage in a perpetual dance, their movements often concealed within the labyrinthine corridors of the virtual domain.

Yet, the narrative doesn't conclude with this temporary stillness. As we delve deeper into the layers of this orchestrated sequence, a multifaceted symphony of actions unfolds, each note resonating with purpose and intent. The shellcode, akin to an adept orchestrator, harnesses the power of VirtualAlloc and InternetReadFile—two indispensable tools within its expansive toolkit.

With the mastery of a virtuoso, the shellcode leverages VirtualAlloc to carve out a dedicated enclave within the virtual memory landscape. This strategic maneuver serves as a prelude to a meticulously choreographed act— the retrieval and execution of additional malicious code. The narrative unfurls as the shellcode deftly invokes InternetReadFile, an instrument that enables it to draw upon external resources, thereby extending its influence beyond the confines of its current abode.

However, the intrigue doesn't halt there. Our investigative journey takes us beyond the confines of the shellcode's intricate maneuvers and towards the heart of the malicious infrastructure—a realm pulsating with clandestine activities and orchestrated chaos. As we sift through the digital footprints left by this enigmatic presence, a revelation of startling significance emerges.

The numerical beacon, 193.37.254.]27, emerges as a focal point within this sprawling landscape—a nexus that intertwines with the operations of TA542, colloquially known as the Emotet gang. This affiliation, drawn from a series of painstaking connections, hints at a complex interplay between threat actors and their tactical inspirations.

The chronicle of TA542 is marked by its undulating cadence—a rhythmic ebb and flow that occasionally dips into periods of dormancy. As we dissect the temporal tapestry, we discern a pattern, a rhythm that occasionally wanes, akin to the stillness that envelops the C2 channel. It is within these moments of dormancy that an opportunity arises, a canvas upon which related members of the gang may seek to replicate the maneuvers of the APT29 adversary.

This hypothesis takes form as an intricate web of possibilities—a daring attempt to emulate the Tactics, Techniques, and Procedures (TTPs) of APT29, not merely as an act of replication, but as a calculated endeavor to glean insights. The objective is clear—observing the reactions of unsuspecting victims when confronted with a distinct approach to threats, thus enhancing their understanding of the psychological underpinnings that govern the response to cyber intrusions.

Figure 7: VirusTotal Graph of an Emotet collection

Starting from this information, it is possible to carry out additional hunting activities. We were able to find other samples with the same characteristics:

  • c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8
  • bcc7c41209afcf67858b3ef80f0afa1eabf2e4faadcaa23bacc9aa5d57b9d836
  • a855012a9e198837eae04295de56d28e9258da1e933c56805b39b1f8d0d03c56
  • 4240201a9d957a01676ab7165d112d03c7dbdba7b34778407e7b73344b3fd158
  • 2d866ccf2b24e3b922abb3d3980c2ed752d86b6c017bc2bf7a1c209aa9464643
  • ffd5114ffb3a2f66757cecb2fb0079cceaa42a4b42ded566e76b7d58b4effac5
  • 5e352c8f55ed9be1142b09e13df7b3efac7ea9e6173b6792d9a5c44dedc3a4ee
  • 17494a7687c8e57be6fcd486bc34aaa120105729196474ccffd078d8aa256f87
  • dda686d6fda52c6ab3c084b7024cfc68dba60ae2143a1095659b795f84cf2329
  • 664b8fbd825db53ccfc5712f7cd54c71bf53f0791b1bd42af8517729653ae7ae
  • 6f08ce39072bdacf4a98578ca6b508b68b2c78ed2a378c73a1c87595f9d0c591
  • f62e0ec08b15f9a4f3178c77ad540bd7369d1341472fdcbc88aecc0ed29c0387

Emulating the Threat Actor

In the wake of Unit42's comprehensive analysis, which unveiled the campaign orchestrated by APT29, a new chapter in the story unfolded—a chapter characterized by meticulous emulation of the very techniques that had been leveraged by the adversary. This emulation, a strategic endeavor undertaken by a dedicated researcher, stands as a testament to the intricate dance between cyber adversaries and defenders, each move and countermove serving to shape the ever-evolving battlefield.

An inherent complexity underscores the process of emulation, one that demands both technical finesse and an astute understanding of the adversary's playbook. This replication of tactics, techniques, and procedures (TTPs) is far from a mere academic exercise; it serves as a powerful tool that can be harnessed by both malevolent threat actors and astute defenders.

Within this multifaceted arena, the concept of emulation dances delicately on a precipice—a double-edged sword that bears implications for both sides of the digital divide. From the perspective of threat actors, the newfound accessibility to these emulated techniques introduces a paradigm shift. Even those with limited technical prowess, often colloquially referred to as "script kiddies," now possess the potential to wield sophisticated tactics that were once reserved for the realm of the adept.

This democratization of tactics can cast a wider net of danger, potentially exposing an expanded pool of victims to the intricate web woven by these emulated techniques. The barrier to entry, once formidable, has been lowered, enabling a broader spectrum of adversaries to deploy sophisticated attacks with potentially devastating consequences.

Yet, the story takes an intriguing twist—a twist that underscores the potential for defenders to wield emulation as a potent instrument of resilience. Here, the concept of adversary simulation takes center stage, transforming emulation into a strategic asset for the blue team. By replicating the maneuvers of real-world adversaries, defenders gain an invaluable opportunity to test and fortify their defenses against a constantly evolving threat landscape.

The power of adversary simulation lies in its ability to bridge the chasm between theoretical knowledge and practical application. Through emulation, red team companies, armed with insights into the adversary's modus operandi, can execute actions that closely mirror those of actual threat actors. This exercise serves to illuminate blind spots, identify vulnerabilities, and fine-tune defensive strategies, thereby creating a fortified digital bastion that can withstand the relentless advances of cyber adversaries.

Figure 8: GitHub description of the project

The project contains two versions, the DLL based on the original payload and an EXE version for debugging purposes.

Figure 9: Comparison of the DLL version (on the left) and EXE version (on the right)

We managed to compile the project in order to verify its actual functionality. After that, we compared our compiled DLL against the malicious one: they are identical except for the character “s” added to the XOR key.

Figure 10: Comparison of the DLL compiled by us against the malicious one executing CobaltStrike

Conclusion

Embedded within the pages of the Yoroi Annual Report for the year 2022, a prescient declaration emerged—a prophecy that foretold the emergence of a year characterized by the proliferation of what can be termed "exotic" filetypes. This prophecy found its roots in the shifting dynamics of the cyber landscape, where a notable alteration in the default settings of Microsoft Office documents had profound ripple effects.

The disabling, by default, of macros within Microsoft Office documents heralded a paradigm shift in the tactics wielded by threat actors. Faced with this newfound barrier, a swift adaptation became imperative, propelling threat actors to explore uncharted territory. Thus, an era of innovation dawned, as malicious forces turned their attention towards the development of a diverse array of nefarious conduits—malicious PDFs, XLL files, JavaScript scripts, and, as so eloquently elucidated within this blogpost, archives.

However, the mechanics of this transformation unveiled a fascinating conundrum—a reliance on augmented user interaction. No longer could malware propagate through passive exploitation; instead, a strategic coaxing of the human element was necessitated. The user, an unwitting participant, was beckoned to unseal the encrypted archives, to peer into the contained documents, to click where they were bidden. Thus, the machinations of the adversary now transcended the realm of code, permeating the realm of psychology and persuasion.

Within this context, the attackers found themselves presented with a new challenge, one that required a heightened mastery of the art of social engineering. The arsenal of tactics expanded, encompassing an array of ploys and ruses aimed at luring victims into a web of deceit. The attackers, akin to master puppeteers, endeavored to orchestrate scenarios that would lead their victims down the treacherous path towards compromise.

Yet, the tapestry of this narrative isn't woven solely by the hands of malevolent forces. Defenders, ever vigilant in their quest to safeguard the digital realm, rise to meet this challenge head-on. A symphony of strategic maneuvers takes center stage, where security awareness campaigns and the deployment of cutting-edge technologies converge to form a formidable defense against the onslaught of evolving malware vectors.

In this symphony, a recurring motif emerges—a gradual escalation in the complexity and sophistication of attack chains. From the perspective of the adversary, this evolution demands the honing of social engineering skills to the pinnacle of mastery. The defender, on the other hand, grapples with a different facet of this intricate dance—a need to equip the digital terrain with the right tools and insights capable of unraveling the intricate threads of the adversary's machinations.

The Tactics, Techniques, and Procedures (TTPs) employed by even the most sophisticated threat actors can be replicated with disarming ease. Rather than a cause for despair, this should be a spur to strengthen the organization's security posture and the defenses that guard its entry points.

Finally, these replicated TTPs become powerful instruments for resilience testing in ethical hacking engagements. The ethical hacker, informed by the adversary's playbook, has a dual purpose: exposing vulnerabilities and weaknesses, and fostering a culture of proactive defense.

Indicators of Compromise

  • Hash
    • 17494a7687c8e57be6fcd486bc34aaa120105729196474ccffd078d8aa256f87
    • 2d866ccf2b24e3b922abb3d3980c2ed752d86b6c017bc2bf7a1c209aa9464643
    • 4240201a9d957a01676ab7165d112d03c7dbdba7b34778407e7b73344b3fd158
    • 5e352c8f55ed9be1142b09e13df7b3efac7ea9e6173b6792d9a5c44dedc3a4ee
    • 664b8fbd825db53ccfc5712f7cd54c71bf53f0791b1bd42af8517729653ae7ae
    • 6f08ce39072bdacf4a98578ca6b508b68b2c78ed2a378c73a1c87595f9d0c591
    • a855012a9e198837eae04295de56d28e9258da1e933c56805b39b1f8d0d03c56
    • bcc7c41209afcf67858b3ef80f0afa1eabf2e4faadcaa23bacc9aa5d57b9d836
    • c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8
    • dda686d6fda52c6ab3c084b7024cfc68dba60ae2143a1095659b795f84cf2329
    • f62e0ec08b15f9a4f3178c77ad540bd7369d1341472fdcbc88aecc0ed29c0387
    • ffd5114ffb3a2f66757cecb2fb0079cceaa42a4b42ded566e76b7d58b4effac5
  • C2
    • 193.37.254[.]27

Yara Rules

rule onedriveupdate_exe_repackage
{
    /*
    4240201a9d957a01676ab7165d112d03c7dbdba7b34778407e7b73344b3fd158
    */
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for OneDriveUpdate EXE Repackage"
        last_updated = "2023-07-27"
        tlp = "WHITE"
        category = "informational"
    strings:
        $1 = {4? 83 f8 ?? 4? 8d 52 01 4? 8b ?? 4? 0f 45 c8 4? ff c0 0f b6 84 ?? ?? ?? ?? ?? 30 4? ?? 4? 8d 41 01 4? 81 f8 ?? ?? ?? ??}
        /*
        .text:0000000140001660 48 83 F8 1C                             cmp     rax, 1Ch
        .text:0000000140001664 48 8D 52 01                             lea     rdx, [rdx+1]
        .text:0000000140001668 48 8B CE                                mov     rcx, rsi
        .text:000000014000166B 48 0F 45 C8                             cmovnz  rcx, rax
        .text:000000014000166F 41 FF C0                                inc     r8d
        .text:0000000140001672 0F B6 84 0D 18 01 00 00                 movzx   eax, [rbp+rcx+480h+var_368]
        .text:000000014000167A 30 42 FF                                xor     [rdx-1], al
        .text:000000014000167D 48 8D 41 01                             lea     rax, [rcx+1]
        .text:0000000140001681 41 81 F8 28 03 00 00                    cmp     r8d, 328h
        */
    condition:
        $1
}

rule onedriveupdate_dll_repackage
{
    /*
    6f08ce39072bdacf4a98578ca6b508b68b2c78ed2a378c73a1c87595f9d0c591
    a855012a9e198837eae04295de56d28e9258da1e933c56805b39b1f8d0d03c56
    bcc7c41209afcf67858b3ef80f0afa1eabf2e4faadcaa23bacc9aa5d57b9d836
    c8ca2199aabae9af5c59e658d11a41f76af4576204c23bf5762825171c56e5e8
    f62e0ec08b15f9a4f3178c77ad540bd7369d1341472fdcbc88aecc0ed29c0387
    */
    meta:
        author = "Yoroi Malware ZLab"
        description = "Rule for OneDriveUpdate DLL Repackage"
        last_updated = "2023-07-27"
        tlp = "WHITE"
        category = "informational"
    strings:
        $1 = {4? 83 f8 ?? 4? 8d 5? ?? 4? 8b cf 4? 0f 45 c8 4? ff c1 0f b6 84 0d 18 01 00 00 4? 8d 41 01 30 42 ff 4? 63 c1 4? 3b c7}
        /*
        .text:00000001800012E0 49 83 F8 1C                             cmp     r8, 1Ch
        .text:00000001800012E4 48 8D 52 01                             lea     rdx, [rdx+1]
        .text:00000001800012E8 49 8B CF                                mov     rcx, r15
        .text:00000001800012EB 49 0F 45 C8                             cmovnz  rcx, r8
        .text:00000001800012EF 41 FF C1                                inc     r9d
        .text:00000001800012F2 0F B6 84 0D 18 01 00 00                 movzx   eax, [rbp+rcx+150h+var_38]
        .text:00000001800012FA 4C 8D 41 01                             lea     r8, [rcx+1]
        .text:00000001800012FE 30 42 FF                                xor     [rdx-1], al
        .text:0000000180001301 49 63 C1                                movsxd  rax, r9d
        .text:0000000180001304 48 3B C7                                cmp     rax, rdi
        */
    condition:
        $1
}
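As an added example (not code from the Yoroi write-up nor from the repackaged project), the following Python script implements the nibble-wildcard matching that these YARA hex strings rely on and checks both patterns against the opcode bytes quoted in the rules' own disassembly comments. The patterns and opcode bytes are copied from the rules above; the padded sample buffers around them are constructed for the example so that the expected match offset is known.

```python
# Added example (not Yoroi's code): a small matcher for YARA hex strings with
# byte ("??") and nibble ("4?") wildcards. It confirms that the two rule
# patterns above cover the byte sequences quoted in the rules' disassembly
# comments, and that neither pattern matches the other rule's sample.
from typing import List, Tuple

# Hex strings copied verbatim from the two rules above.
EXE_PATTERN = ("{4? 83 f8 ?? 4? 8d 52 01 4? 8b ?? 4? 0f 45 c8 4? ff c0 "
               "0f b6 84 ?? ?? ?? ?? ?? 30 4? ?? 4? 8d 41 01 4? 81 f8 ?? ?? ?? ??}")
DLL_PATTERN = ("{4? 83 f8 ?? 4? 8d 5? ?? 4? 8b cf 4? 0f 45 c8 4? ff c1 "
               "0f b6 84 0d 18 01 00 00 4? 8d 41 01 30 42 ff 4? 63 c1 4? 3b c7}")

# Opcode bytes transcribed from the disassembly comments in each rule.
EXE_LOOP = bytes.fromhex(
    "48 83 F8 1C 48 8D 52 01 48 8B CE 48 0F 45 C8 41 FF C0 "
    "0F B6 84 0D 18 01 00 00 30 42 FF 48 8D 41 01 41 81 F8 28 03 00 00")
DLL_LOOP = bytes.fromhex(
    "49 83 F8 1C 48 8D 52 01 49 8B CF 49 0F 45 C8 41 FF C1 "
    "0F B6 84 0D 18 01 00 00 4C 8D 41 01 30 42 FF 49 63 C1 48 3B C7")

# Constructed sample "files": filler bytes around each loop so that the match
# offset is known (8) and the scanner has to skip non-matching bytes first.
SAMPLE_EXE = b"\x90" * 8 + EXE_LOOP + b"\xcc" * 16
SAMPLE_DLL = b"\x90" * 8 + DLL_LOOP + b"\xcc" * 16


def parse_hex_pattern(pattern: str) -> List[Tuple[int, int]]:
    """Translate a YARA-style hex string into (value, mask) pairs, one per byte.

    A '?' nibble sets no mask bits, so that half of the byte matches anything;
    '4?' therefore means "any byte whose high nibble is 4", which is how the
    rules tolerate the different REX prefixes (48/49/4C) seen in the samples.
    """
    tokens = pattern.strip().strip("{}").split()
    pairs = []
    for tok in tokens:
        if len(tok) != 2:
            raise ValueError(f"unsupported token {tok!r} (only bytes and ? nibbles)")
        value = mask = 0
        for nib in tok:
            value <<= 4
            mask <<= 4
            if nib != "?":
                value |= int(nib, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs


def find_pattern(data: bytes, pattern: str) -> List[int]:
    """Return every offset in data where the masked pattern matches."""
    pairs = parse_hex_pattern(pattern)
    n = len(pairs)
    return [
        off
        for off in range(len(data) - n + 1)
        if all((data[off + i] & mask) == value
               for i, (value, mask) in enumerate(pairs))
    ]


def check_rules() -> dict:
    """Evaluate both patterns against both samples; keys are (rule, sample)."""
    return {
        ("exe_rule", "exe_sample"): find_pattern(SAMPLE_EXE, EXE_PATTERN),
        ("exe_rule", "dll_sample"): find_pattern(SAMPLE_DLL, EXE_PATTERN),
        ("dll_rule", "exe_sample"): find_pattern(SAMPLE_EXE, DLL_PATTERN),
        ("dll_rule", "dll_sample"): find_pattern(SAMPLE_DLL, DLL_PATTERN),
    }


if __name__ == "__main__":
    for (rule, sample), hits in check_rules().items():
        state = f"match at {hits}" if hits else "no match"
        print(f"{rule} vs {sample}: {state}")
```

Only the EXE rule fires on the EXE loop and only the DLL rule on the DLL loop: the wildcards absorb the REX prefix and displacement differences, while the fixed operands (ff c0 versus ff c1, 8b ?? versus 8b cf) keep the two rules from overlapping. The same masking approach is what YARA itself applies, so a pattern that fails here will fail in a real scan as well.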
