Another day, another reason to worry. A new APT group has been discovered putting its own twist on DLL side-loading attacks.

What’s up?

A report by Sophos suggests that a new threat group has emerged that launches DLL side-loading attacks. Although there have been several such attacks before, the payload used by this group has never been seen before. The threat actors used various plaintext strings written in poor English with politically inspired messages. All the samples follow the same Program Database (PDB) path, and many of the folders were titled “KilllSomeOne”. The group has been targeting non-governmental organizations and other organizations in Myanmar and is believed to be a Chinese APT group.

Shell scenario

  • The same threat actor used 4 different side-loading scenarios.
  • The payload in two of them carried a simple shell.
  • In the remaining two, a more complex set of malware was observed.

Split personality?

  • Cybercriminals fall under two categories: the highly skilled, organized groups who often create their own toolsets, and the run-of-the-mill individuals who often use off-the-shelf hacking tools to conduct their attacks.
  • However, this group has given mixed signals to researchers.
  • While the targeting and deployment suggest a serious APT actor, the coding, hidden messages, and weak cryptography point to script kiddies.

The bottom line

How the group will evolve cannot be predicted as of now, as it is unclear whether it will leverage conventional implants in the future or stick to its own code. Moreover, the reason behind targeting organizations in Myanmar is yet unknown; however, the most plausible motive might be the desire to acquire passwords and easy cash, as indicated by researchers. Until more is known, stay safe and follow cyber hygiene.

Cyware Publisher