Thai government officials have been targeted by a new campaign that uses a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai.
“Based on the nature of the lures, the threat actors targeted Thai officials,” Nikhil Hegde, a senior engineer at Netskope’s security team, told The Hacker News. “The Yokai backdoor itself is unlimited and can be used against any potential target.”
The starting point of the attack chain is a RAR archive containing two Windows shortcut files with titles in Thai that translate to “United States Department of Justice.pdf” and “United States Government Requests International Cooperation in Criminal Matters.docx”.
The exact initial access vector used to deliver the payload is currently unknown, although Hegde suggested it was likely phishing, given the lures used and the fact that RAR files have been used as malicious attachments in phishing emails.
Running the shortcut files causes the decoy PDF and Microsoft Word documents to open, respectively, while the malicious executable is silently dropped in the background. Both decoy files are related to Woravit Mektrakarn, a Thai national wanted in the US in connection with the disappearance of a Mexican immigrant. Mektrakarn was charged with murder in 2003 and is said to have fled to Thailand.
The executable, in turn, is designed to drop three more files: a legitimate binary associated with iTop Data Recovery (“IdrInit.exe”), a malicious DLL (“ProductStatistics3.dll”), and a DATA file containing information sent by an attacker-controlled server. In the next step, “IdrInit.exe” is abused to side-load the DLL, ultimately leading to the deployment of the backdoor.
Yokai is responsible for setting up persistence on the host and connecting to a command-and-control (C2) server to receive command codes that allow it to spawn cmd.exe and execute shell commands on the host.
This development comes as Zscaler ThreatLabz discovered a malware campaign that uses compiled Node.js executables for Windows to distribute cryptocurrency miners and information stealers such as XMRig, Lumma, and Phemedrone Stealer. The rogue applications have been codenamed NodeLoader.
The attacks use malicious links embedded in YouTube video descriptions that lead users to MediaFire or fake websites inviting them to download a ZIP archive disguised as video game cheats. The ultimate goal is to extract and run NodeLoader, which in turn loads a PowerShell script responsible for running the final-stage malware.
“NodeLoader uses a module called sudo-prompt, a public tool on GitHub and npm, to elevate privileges,” Zscaler said. “Threat actors use social engineering and anti-evasion techniques to deliver NodeLoader undetected.”
This also follows a surge in phishing attacks distributing the commercially available Remcos RAT, with threat actors revamping their infection chains to use Visual Basic Script (VBS) files and Office Open XML documents as launchpads for a multi-step process.
In one set of attacks, executing a VBS file leads to a heavily obfuscated PowerShell script that loads intermediate payloads, ultimately injecting Remcos RAT into RegAsm.exe, a legitimate Microsoft .NET executable.
Another variant uses an Office Open XML document to download an RTF file that exploits CVE-2017-11882, a known remote code execution flaw in the Microsoft Equation Editor, to retrieve a VBS file that then fetches PowerShell code to inject the Remcos payload into the memory of RegAsm.exe.
It should be noted that both methods avoid writing the payload to disk and load it into legitimate processes in a deliberate attempt to evade detection by security products.
“As this remote access Trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more important,” McAfee Labs researchers said.