
Sophos says Myanmar firms attacked with ‘KilllSomeOne’ malware

Operators used four different DLL side-loading scenarios to install and execute new malware after removing a resident PlugX backdoor


Sophos has reportedly uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organisations in the Asian country of Myanmar.

A report published today, “A New APT uses DLL Side-loads to Killl Someone,” outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named “KilllSomeOne.”

The targeting of these attacks—against non-governmental organisations and other organisations in Myanmar—and other characteristics of the malware suggest that the attackers involved may be a Chinese APT group, Sophos claims.

The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well-known PlugX backdoor.

The malware also looks for a running process name starting with AAM, probably because earlier PlugX side-loading scenarios used the file name “AAM Updates.exe.”

According to Sophos, if the malware finds this file, it kills and deletes it. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.
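As an added example (not code from the Sophos report or this article), the following Python triage routine applies the three behaviours described above to constructed Sysmon-style records: an unsigned DLL loaded from the same untrusted directory as its host executable (a side-loading candidate), a file name carrying the "KilllSomeOne" marker, and termination of a process whose name starts with AAM. The trusted-root list, the sample records and the DLL file name in them are assumptions made for the example.

```python
import ntpath

# Directories treated as trusted install locations (assumption for this example).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Constructed Sysmon-style records, not telemetry from the Sophos report:
# EventID 7 = image (DLL) loaded, EventID 5 = process terminated.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\Public\Update\AAM Updates.exe",
     "ImageLoaded": r"C:\Users\Public\Update\example.dll", "Signed": "false"},  # hypothetical side-load
    {"EventID": 7, "Image": r"C:\ProgramData\Sync\KilllSomeOne.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 5, "Image": r"C:\Users\Public\Update\AAM Updates.exe"},
]


def under_trusted_root(path):
    """True when the path sits below one of the trusted install roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def triage(events):
    """Return (rule, path) hits for the behaviours described in the report."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        loaded = ev.get("ImageLoaded", "")
        # Marker file name seen in some of the side-loading scenarios.
        if "killlsomeone" in image.lower() or "killlsomeone" in loaded.lower():
            hits.append(("marker_filename", image))
        if ev["EventID"] == 7:
            # Side-loading heuristic: unsigned DLL from the host's own, untrusted directory.
            same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower()
            if same_dir and not under_trusted_root(loaded) and ev.get("Signed") == "false":
                hits.append(("sideload_candidate", loaded))
        elif ev["EventID"] == 5 and ntpath.basename(image).upper().startswith("AAM"):
            # The backdoor kills processes named AAM*, i.e. earlier PlugX loaders.
            hits.append(("aam_process_terminated", image))
    return hits


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```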

The KilllSomeOne malware code includes several strings of plain text. The samples Sophos analysed were written in poor English and with clear political messages. According to Sophos, it is unusual to find these types of political messages in what appears to be a nation-state threat, and it could mean less professional cybercriminals are involved or the attackers inserted the messages to misdirect security researchers.

Gabor Szappanos, threat research director at Sophos, said: “The group responsible for the ‘KilllSomeOne’ attacks doesn’t fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you’d expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code.”
