Operators Used Four Different DLL Side-Loading Scenarios To Install And Execute New Malware After Removing A Resident PlugX Backdoor. Targets And Tools Suggest Adversaries Are A Chinese APT Group

OXFORD, U.K.  — November 4, 2020 —

Sophos, a global leader in next-generation cybersecurity, has uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations. A report published today, “A New APT uses DLL Side-loads to Killl Someone,” outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named “KilllSomeOne.” The targeting of these attacks—against non-governmental organizations and other organizations in Myanmar—and other characteristics of the malware suggest that the attackers involved may be a Chinese APT group.

The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well known PlugX backdoor. Two of the scenarios deliver a payload carrying a simple shell, while the other two carry a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.

The malware also looks for a running process name starting with AAM, probably because earlier PlugX side-loading scenarios used the file name “AAM Updates.exe.” If the malware finds this file, it kills and deletes it. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.

The KilllSomeOne malware code includes several strings of plain text. The samples Sophos analyzed were written in poor English and with clear political messages. According to Sophos, it is unusual to find these types of political messages in what appears to be a nation-state threat, and it could mean less professional cybercriminals are involved or the attackers inserted the messages to misdirect security researchers.

“This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal,” said Gabor Szappanos, threat research director, Sophos. “The group responsible for the ‘KilllSomeOne’ attacks doesn’t fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you’d expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code.”

Further information on KilllSomeOne can be found on SophosLabs Uncut where Sophos experts regularly publish their latest research and breakthrough findings. Threat researchers and IT managers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

Human-led threat hunting and response help to identify and mitigate new and unknown threats. At Sophos,  these experts are available through Sophos Managed Threat Response and Sophos Rapid Response services.

Über Sophos

Sophos ist ein weltweit führender Anbieter von modernsten Sicherheitslösungen zur Abwehr von Cyberangriffen, einschließlich Managed Detection and Response (MDR) und Incident Response Services sowie einem breiten Portfolio an Endpoint-, Netzwerk-, E-Mail- und Cloud-Security-Technologien. Als einer der größten ausschließlich auf Cybersicherheit spezialisierten Anbieter schützt Sophos weltweit mehr als 600.000 Unternehmen und Organisationen und mehr als 100 Mio. Benutzer vor aktiven Angreifern, Ransomware, Phishing, Malware und mehr. Die Services und Produkte von Sophos sind über die Management-Konsole Sophos Central miteinander verbunden und werden vom bereichsübergreifenden Threat-Intelligence-Expertenteam Sophos X-Ops unterstützt. Die Sophos X-Ops Intelligence optimiert das gesamte Sophos Adaptive Cybersecurity Ecosystem. Dieses Ökosystem umfasst einen zentralen Data Lake, der eine Vielzahl offener APIs nutzt, die Kunden, Partnern, Entwicklern und anderen Cybersecurity- und Informationstechnologie-Anbietern zur Verfügung stehen. Sophos bietet Cybersecurity-as-a-Service für Unternehmen und Organisationen an, die vollständig verwaltete Sicherheitslösungen benötigen. Kunden können ihre Cybersicherheit auch direkt mit der Sophos Security-Operations-Plattform verwalten oder einen hybriden Ansatz nutzen, bei dem sie ihre internen Teams mit Sophos-Services ergänzen, einschließlich Threat Hunting und Maßnahmen zur Beseitigung von Bedrohungen. Sophos vertreibt seine Produkte und Services über ein weltweites Netzwerk von Vertriebspartnern und Managed Service Providern (MSPs). Sophos hat seinen Hauptsitz im britischen Oxford. Weitere Informationen finden Sie unter www.sophos.de.