New KilllSomeOne APT group leverages DLL side-loading

by chebbi abir

A new Chinese APT group, tracked as KilllSomeOne, appeared in the threat landscape targeting corporate organizations in Myanmar.

A new Chinese APT group, tracked as KilllSomeOne, was spotted by researchers at Sophos. The advanced cyber-espionage group is targeting corporate organizations in Myanmar with DLL side-loading attacks.

The name KilllSomeOne comes from the phrase ‘KilllSomeOne’ found in the DLL side-loading attacks; the group also uses poorly written English messages relating to political subjects.

Dynamic-link library (DLL) side-loading takes advantage of how Microsoft Windows applications handle DLL files. In such attacks, malware places a spoofed malicious DLL file in a Windows WinSxS directory so that the operating system loads it instead of the legitimate file.

The technique has been employed by other Chinese APT groups since 2013, and it was later also adopted by cybercrime gangs in attacks in the wild.

According to Sophos researchers, the KilllSomeOne APT group combines four separate types of side-loading attack in its campaigns.

“We have identified four different side-loading scenarios that were used by the same threat actor. Two of these delivered a payload carrying a simple shell, while the other two carried a more complex set of malware. Combinations from both of these sets were used in the same attacks.” reads the analysis published by Sophos.

Each attack type is connected by the same program database (PDB) path, and some of the samples recorded and connected to the cybercriminals contain the folder name ‘KilllSomeOne.’

In the first attack scenario, the attackers leverage a Microsoft antivirus component to load mpsvc.dll, which acts as a loader for Groza_1.dat. The attackers use a simple XOR encryption algorithm with the string “Hapenexx is very bad” as the key.


In the second attack scenario, the attackers use a sample that leverages AUG.exe and a loader called dismcore.dll. The APT group uses the same payload and key as in the previous scenario; the only difference is that both the file name and the decryption key are encrypted with a one-byte XOR algorithm.

“In both of these cases, the payload is stored in the file named Groza_1.dat. The content of that file is a PE loader shellcode, which decrypts the final payload, loads it into memory and executes it. The first layer of the loader code contains an unused string: AmericanUSA.” continues the analysis.
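As an added analyst-side example (not code from the article or from Sophos), the following Python models the two XOR layers described above: repeating-key XOR with the reported key over the payload, a one-byte XOR wrapper around the file name and key as in the second scenario, and a PE-header sanity check that tells a decode from a miss. Every blob it decodes is constructed inside the script; the 0x5A wrapper byte and the header-only stand-in built by `build_fake_pe` are assumptions, not values from the campaign.

```python
"""Added analyst example: modelling the XOR layers the article describes.

The key "Hapenexx is very bad" is the one reported by Sophos; every blob decoded
here is constructed in this script, so nothing below is campaign data.
"""
import string
from itertools import cycle
from typing import List, Optional, Tuple

PAYLOAD_KEY = b"Hapenexx is very bad"   # repeating XOR key reported in the article
WRAPPER_BYTE = 0x5A                     # assumed one-byte XOR key, for the demo only


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def xor_single_byte(data: bytes, key_byte: int) -> bytes:
    """One-byte XOR over a buffer (the second scenario's wrapper around name and key)."""
    return bytes(b ^ key_byte for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on a decoded buffer: 'MZ' stub and e_lfanew pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def single_byte_candidates(blob: bytes) -> List[Tuple[int, bytes]]:
    """Try all 256 one-byte keys and keep outputs that are entirely printable ASCII.

    An analyst narrows the survivors with context, e.g. an expected '.dat' suffix.
    """
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    hits = []
    for k in range(256):
        plain = xor_single_byte(blob, k)
        if plain and all(c in printable for c in plain):
            hits.append((k, plain))
    return hits


def build_fake_pe() -> bytes:
    """Constructed stand-in payload: only the headers that looks_like_pe inspects."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\x00" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    return dos_stub + b"PE\x00\x00" + b"\x00" * 16


def decode_payload(blob: bytes, key: bytes = PAYLOAD_KEY) -> Optional[bytes]:
    """First layer as the article describes it: XOR-decode, accept only a PE-shaped result."""
    plain = xor_repeating(blob, key)
    return plain if looks_like_pe(plain) else None


def demo() -> dict:
    """Build the on-disk artefacts, then recover them the way an analyst would."""
    on_disk = xor_repeating(build_fake_pe(), PAYLOAD_KEY)           # stands in for Groza_1.dat
    wrapped_name = xor_single_byte(b"Groza_1.dat", WRAPPER_BYTE)   # second-scenario wrapper
    wrapped_key = xor_single_byte(PAYLOAD_KEY, WRAPPER_BYTE)
    # Brute-force the wrapper byte from the file name, then reuse it on the key
    name_hits = [(k, p) for k, p in single_byte_candidates(wrapped_name) if p.endswith(b".dat")]
    recovered_key = xor_single_byte(wrapped_key, name_hits[0][0]) if name_hits else None
    return {
        "encrypted_is_pe": looks_like_pe(on_disk),
        "decoded_is_pe": decode_payload(on_disk) is not None,
        "name_candidates": name_hits,
        "recovered_key": recovered_key,
    }


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value!r}")
```

The `.dat` suffix filter is what makes the one-byte brute force unambiguous: only one key value can map the last four ciphertext bytes onto that suffix, so the same byte can then be applied to the wrapped key with confidence.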

The other two observed types of KilllSomeOne DLL side-loading deliver an installer for the simple shell; they use two different payload files called adobe.dat and x32bridge.dat. The executables derived from these two files are essentially the same, and both have the same PDB path:

C:\Users\guss\Desktop\Recent Work\U\U_P\KilllSomeOne\0.1\Function_hex\hex\Release\hex.pdb

In these attacks, the encryption key used is the string “HELLO_USA_PRISIDENT.”

The payloads are used to deploy an installer and additional components for further DLL side-loading attacks in a number of directories, and to set the “hidden” and “system” attributes on the files.

“The installer then closes the executable used in the initial stage of the attack, and starts a new instance of explorer.exe to side-load the dropped DLL component,” states Sophos. “This is an effort to conceal the execution.”

The malware also kills running processes whose name starts with “AAM” and deletes the associated file in C:\ProgramData and C:\Users\All Users. This behavior aims to remove mechanisms used to prevent this kind of infection.

Before starting data exfiltration, the malware performs multiple actions to ensure persistence, including the creation of a scheduled task that executes the side-loading executable that began the deployment:

schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr
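As an added detection example (not from the article or from Sophos), the Python below triages constructed Sysmon-style process-creation and image-load lines for the behaviours described above: creation of a high-frequency scheduled task that runs from a user-writable path (with the LKUFORYOU_1 name treated as a known indicator), and the named side-loaded DLLs being loaded from outside the Windows system directories, including by a fresh explorer.exe. The folder C:\ProgramData\Sync, the /tr target path and the ten-minute interval threshold are assumptions made for the sample data.

```python
"""Added detection example: triaging constructed Sysmon-style events for the
behaviours the article attributes to KilllSomeOne. Paths such as
C:\\ProgramData\\Sync are made up for the sample; indicator names come from the article.
"""
import re
from typing import Dict, List, Tuple

IOC_TASK_NAME = "LKUFORYOU_1"                        # task name from the article
IOC_SIDELOADED_DLLS = {"mpsvc.dll", "dismcore.dll"}  # DLL names from the article
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
USER_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\")
MAX_MINUTE_INTERVAL = 10                             # assumed threshold for "high-frequency"

# Constructed events (Sysmon ID 1 = process create, ID 7 = image load); not real telemetry
SAMPLE_EVENTS = [
    r'EventID="1" Image="C:\Windows\System32\schtasks.exe" ParentImage="C:\ProgramData\Sync\AUG.exe" '
    r'CommandLine="schtasks /create /sc minute /mo 5 /tn LKUFORYOU_1 /tr C:\ProgramData\Sync\AUG.exe"',
    r'EventID="7" Image="C:\ProgramData\Sync\AUG.exe" ImageLoaded="C:\ProgramData\Sync\dismcore.dll"',
    r'EventID="7" Image="C:\Windows\explorer.exe" ImageLoaded="C:\ProgramData\Sync\mpsvc.dll"',
    r'EventID="7" Image="C:\Windows\explorer.exe" ImageLoaded="C:\Windows\System32\shell32.dll"',
    r'EventID="1" Image="C:\Windows\System32\schtasks.exe" ParentImage="C:\Windows\explorer.exe" '
    r'CommandLine="schtasks /create /sc daily /tn Backup /tr C:\Program Files\Backup\backup.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn a key="value" line into a dict."""
    return dict(FIELD_RE.findall(line))


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Split a schtasks command line into {option: value}; flag-only options map to ''.

    Values may contain spaces (e.g. a /tr path), so tokens are joined until the next /option.
    """
    opts: Dict[str, str] = {}
    current = None
    for tok in cmdline.split()[1:]:          # skip the executable name
        if tok.startswith("/"):
            current = tok[1:].lower()
            opts[current] = ""
        elif current is not None:
            opts[current] = (opts[current] + " " + tok).strip()
    return opts


def assess_schtasks(cmdline: str) -> List[str]:
    """Flag task creation matching the persistence pattern described in the article."""
    opts = parse_schtasks(cmdline)
    findings: List[str] = []
    if "create" not in opts:
        return findings
    name = opts.get("tn", "")
    if name.upper() == IOC_TASK_NAME:
        findings.append(f"known task name {name}")
    try:
        interval = int(opts.get("mo", "0"))
    except ValueError:
        interval = 0
    target = opts.get("tr", "").lower()
    if (opts.get("sc", "").lower() == "minute" and 0 < interval <= MAX_MINUTE_INTERVAL
            and target.startswith(USER_WRITABLE_DIRS)):
        findings.append(f"task every {interval} min runs from user-writable path {target}")
    return findings


def assess_image_load(image: str, loaded: str) -> List[str]:
    """Flag the named DLLs loaded from outside system directories, and explorer.exe
    loading anything from a user-writable path (the dropped-component side-load)."""
    findings: List[str] = []
    loaded_l = loaded.lower()
    dll_name = loaded_l.rsplit("\\", 1)[-1]
    if dll_name in IOC_SIDELOADED_DLLS and not loaded_l.startswith(SYSTEM_DLL_DIRS):
        findings.append(f"{dll_name} loaded from non-system path {loaded}")
    if image.lower().endswith("\\explorer.exe") and loaded_l.startswith(USER_WRITABLE_DIRS):
        findings.append(f"explorer.exe loaded {loaded}")
    return findings


def triage(events: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs for the whole batch."""
    results: List[Tuple[int, str]] = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        if ev.get("EventID") == "1" and ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            found = assess_schtasks(ev.get("CommandLine", ""))
        elif ev.get("EventID") == "7":
            found = assess_image_load(ev.get("Image", ""), ev.get("ImageLoaded", ""))
        else:
            found = []
        results.extend((idx, f) for f in found)
    return results


if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The behavioural rules (minute-interval task from a writable path, a Microsoft DLL name resolving outside System32/SysWOW64/WinSxS) are the durable part; the literal task name and DLL list are indicators that a renamed sample would not trigger, which is why the script keeps both kinds of check.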

Sophos researchers believe that the TTPs adopted by the attackers are consistent with those of sophisticated APTs.

“Based on our analysis, it’s not clear whether this group will go back to more traditional implants like PlugX or keep going with their own code,” Sophos concludes. “We will continue to monitor their activity to track their further evolution.”
