Chinese Hacking Group Using Fresh DLL Side-Loading Attack

Sophos: APT Group Targeted Organizations In Southeast Asia
A view of how malicious shellcode is loaded as part of the DLL attack (Source: Sophos)

A recently identified Chinese hacking group is using multiple Dynamic Link Library attack techniques to target non-government organizations in Southeast Asia, especially Myanmar, a report by security firm Sophos notes.

Gabor Szappanos, a threat researcher with Sophos, notes in the report that the group used these techniques to install malware on victims' Microsoft Windows devices for data exfiltration. "We have identified four different side-loading scenarios that were used by the same threat actor," he writes. "Two of these delivered a payload carrying a simple shell, while the other two carried a more complex set of malware. Combinations from both of these sets were used in the same attacks."

The report further notes that this advanced persistent threat group appears to be a mix of sophisticated threat actors and less technical hackers.

"The types of perpetrators behind targeted attacks in general are not a homogeneous pool. They come with very different skill sets and capabilities. Some of them are highly skilled, while others don’t have skills that exceed the level of average cybercriminals," says Szappanos.

DLL Techniques

In these attacks, the malicious Dynamic Link Library, or DLL, acts as a remote command shell: it connects to a server at a specific IP address on port 9999 and uses that connection for data transmission. Sophos says the Chinese actors are using four distinct DLL side-loading techniques, which the firm has dubbed "KillSomeone" based on file naming properties in the samples, according to the report.

In the first two cases seen by Sophos, the attackers downloaded payload code containing shellcode. Once this binary was decrypted, the final payload was loaded into the memory of the targeted devices and executed, according to the report.

In the third and fourth DLL techniques, Sophos notes that the payloads downloaded a remote access Trojan, or RAT, to the victim's device. This malware killed all running processes, exfiltrated data from removable and non-removable drives and copied files to the device's Recycle Bin, according to the report.

The Trojan also exfiltrated system information, including volume names and free disk space, which were then sent to the attackers' command-and-control server, the report notes.
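The side-loading chain described above leaves two observable traces a defender can hunt for: a DLL carrying a well-known system DLL name loaded from the executable's own directory rather than from System32, and an outbound connection on the port 9999 channel the report names. The following is an added example, not code from Sophos or the article; the log format, the field layout and the sample lines are constructed for illustration, and the list of commonly side-loaded DLL names is an assumption.

```python
# Constructed Sysmon-style log lines (invented for this example).
# Fields: event_id|image|loaded_dll|dest_port  (7 = image load, 3 = network connection)
SAMPLE_LOGS = [
    "7|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\version.dll|",
    "7|C:\\Users\\victim\\AppData\\Local\\Temp\\legit_signed.exe|C:\\Users\\victim\\AppData\\Local\\Temp\\version.dll|",
    "7|C:\\Program Files\\Vendor\\app.exe|C:\\Program Files\\Vendor\\app_helper.dll|",
    "3|C:\\Users\\victim\\AppData\\Local\\Temp\\legit_signed.exe||9999",
    "3|C:\\Program Files\\Browser\\browser.exe||443",
]

# DLL names Windows normally resolves from System32/SysWOW64 (assumed list).
# A copy of one of these next to a legitimate signed executable is the classic side-load setup.
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "wtsapi32.dll", "userenv.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SUSPECT_PORT = 9999  # port named in the Sophos report as the shell's server channel


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def analyze(lines):
    """Return a list of (reason, image) findings for the supplied log lines."""
    findings = []
    for line in lines:
        event, image, dll, port = line.split("|")
        if event == "7":
            name = basename(dll)
            # A system DLL name resolving outside the system directories is suspicious;
            # resolving from the loading executable's own folder is the side-load pattern.
            if name in SYSTEM_DLLS and not dirname(dll).startswith(SYSTEM_DIRS):
                reason = "system DLL name loaded from non-system path"
                if dirname(dll) == dirname(image):
                    reason = "possible side-load: system DLL name loaded from executable's own directory"
                findings.append((reason, image))
        elif event == "3" and port and int(port) == SUSPECT_PORT:
            findings.append((f"outbound connection to port {SUSPECT_PORT}", image))
    return findings


if __name__ == "__main__":
    for reason, image in analyze(SAMPLE_LOGS):
        print(f"{reason}: {image}")
```

Correlating both findings on the same image, as the sample does, is a stronger signal than either alone, since legitimate software occasionally ships its own copy of a system-named DLL.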

Since the DLL tactics used by the hackers range from the execution of simple shellcode to the deployment of sophisticated Trojans, the report notes this particular hacking group consists of threat actors with diverse experiences.

"The group responsible for the attacks we investigated in this report doesn't clearly fall on either end of the spectrum," Szappanos says. "They moved to more simple implementations in coding - especially in encrypting the payload - and the messages hidden in their samples are on the level of script kiddies. On the other hand, the targeting and deployment is that of a serious APT group."

Links to China

Sophos notes that the KillSomeone DLL techniques are a spin-off of methods first seen in operations by the PlugX advanced persistent threat group.

"The targeting and deployment are that of a serious APT group," according to the Sophos report. "Based on our analysis, it's not clear whether this group will go back to more traditional implants like PlugX or keep going with their code. We will continue to monitor their activity to track their further evolution."

PlugX, which is also known as PKPLUG, is a Chinese hacking group that has been active since 2008 and uses a variety of malware as part of its espionage campaigns, according to security researchers.

Other threat groups have also been found using PlugX as part of their malware infrastructure. For instance, a report by Kaspersky found that a data-stealing backdoor called ShadowPad used techniques similar to those of PlugX and of Winnti, another backdoor (see: Supply Chain Woes, Again: NetSarang Popped).

In 2019, researchers at Palo Alto Networks' Unit 42 found the group targeted victims in Myanmar, Taiwan, Vietnam, Indonesia, Mongolia, Tibet and Xinjiang (see: Report: 'PKPLUG' Espionage Campaign Targets Southeast Asia).

In 2018, the U.S. Justice Department indicted two Chinese intelligence officers and eight others for allegedly stealing trade secrets using malware such as Sakula, IsSpace, Winnti, and PlugX (see: US Again Indicts Chinese Intel Agents Over Hacking).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
