Operators Used Four Different DLL Side-Loading Scenarios To Install And Execute New Malware After Removing A Resident PlugX Backdoor. Targets And Tools Suggest Adversaries Are A Chinese APT Group

OXFORD, U.K.  — 11月 4, 2020 —

Sophos, a global leader in next-generation cybersecurity, has uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations. A report published today, “A New APT uses DLL Side-loads to Killl Someone,” outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named “KilllSomeOne.” The targeting of these attacks—against non-governmental organizations and other organizations in Myanmar—and other characteristics of the malware suggest that the attackers involved may be a Chinese APT group.

The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well known PlugX backdoor. Two of the scenarios deliver a payload carrying a simple shell, while the other two carry a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.

The malware also looks for a running process name starting with AAM, probably because earlier PlugX side-loading scenarios used the file name “AAM Updates.exe.” If the malware finds this file, it kills and deletes it. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.

The KilllSomeOne malware code includes several strings of plain text. The samples Sophos analyzed were written in poor English and with clear political messages. According to Sophos, it is unusual to find these types of political messages in what appears to be a nation-state threat, and it could mean less professional cybercriminals are involved or the attackers inserted the messages to misdirect security researchers.

“This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal,” said Gabor Szappanos, threat research director, Sophos. “The group responsible for the ‘KilllSomeOne’ attacks doesn’t fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you’d expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code.”

Further information on KilllSomeOne can be found on SophosLabs Uncut where Sophos experts regularly publish their latest research and breakthrough findings. Threat researchers and IT managers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

Human-led threat hunting and response help to identify and mitigate new and unknown threats. At Sophos,  these experts are available through Sophos Managed Threat Response and Sophos Rapid Response services.

ソフォスについて

ソフォスは、MDR (Managed Detection and Response) サービス、インシデント対応サービス、およびエンドポイント、ネットワーク、メール、クラウド セキュリティ テクノロジーの幅広いポートフォリオなど、サイバー攻撃を阻止する高度なセキュリティソリューションを提供する世界的なリーダーであり、革新的な企業です。ソフォスは、最大手のサイバーセキュリティ専門プロバイダーの 1つであり、全世界で 60万以上の組織と 1億人以上のユーザーを、アクティブな攻撃者、ランサムウェア、フィッシング、マルウェアなどから保護しています。ソフォスのサービスと製品は、Sophos Central 管理コンソールを介して接続され、企業のクロスドメイン脅威インテリジェンスユニットである Sophos X-Ops を利用しています。Sophos X-Ops のインテリジェンスは、Sophos ACE (Adaptive Cybersecurity Ecosystem) 全体を最適化します。このエコシステムには、お客様、パートナー、開発者、その他のサイバーセキュリティおよび情報技術ベンダーが利用できる豊富なオープン API セットを活用する一元化されたデータレイクが含まれます。ソフォスは、フルマネージド型のソリューションを必要とする組織に、Cyber​​security-as-a-Service を提供します。お客様は、ソフォスのセキュリティ運用プラットフォームを使用してサイバーセキュリティを直接管理することも、脅威ハンティングや修復などソフォスのサービスを使用して社内チームを補完するハイブリッドアプローチを採用することもできます。ソフォスは、リセラーパートナー、MSP (マネージド サービス プロバイダ) を通じて販売しています。ソフォス本社は英国オックスフォードにあります。詳細については www.sophos.com をご覧ください。