018. That's How Real Adversaries Abuse Wksprt.exe and Use DLL Proxying
Hello everyone! Cyble shared research on a recent campaign targeting organizations in Germany. Two things caught my attention: abusing wksprt.exe (RemoteApp and Desktop Connection Runtime) for sideloading, and the use of DLL proxying.
Interestingly, the threat actors copied this legitimate file from the compromised system to a newly created folder using xcopy:
xcopy /Y /I C:\Windows\System32\wksprt.exe "C:\Users\<USER>\AppData\Local\InteI\"
This legitimate executable is used to sideload a malicious DLL (IPHLPAPI.dll), which in turn loads a renamed legitimate DLL (IPHLPLAPI.dll), both from the same folder. The malicious DLL acts as a proxy, forwarding function calls to the legitimate DLL so the host process keeps working. At the same time, the malicious DLL reads the contents of the file ccache.dat, decrypts the shellcode and retrieves the final payload - a Sliver implant.
Despite the fact that the adversary leverages a fairly sophisticated technique like DLL proxying, the infection process is extremely noisy. For example:
- Copying a system binary (wksprt.exe) to an uncommon location
- A system binary executed from an uncommon location
- A renamed legitimate DLL (IPHLPLAPI.dll) with a lookalike name
- Abusing xcopy to copy multiple files to an uncommon location
- Suspicious LNK files in the Startup folder
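To show how noisy this chain is, here is a small triage script added for this post (not code from Cyble's report or from the campaign) that runs over constructed Sysmon-style events and flags four of the behaviours above: xcopy of a System32 binary into a user profile, wksprt.exe executing outside System32, IPHLPAPI.dll loaded into wksprt.exe from an uncommon path, and a loaded DLL whose name is one character away from iphlpapi.dll. The event shape, the user name "alice" and the sample paths are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-like events for this example: id 1 = process create, id 7 = image load.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\xcopy.exe",
     "cmd": r'xcopy /Y /I C:\Windows\System32\wksprt.exe "C:\Users\alice\AppData\Local\InteI\"'},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\InteI\wksprt.exe", "cmd": "wksprt.exe"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\InteI\wksprt.exe",
     "loaded": r"C:\Users\alice\AppData\Local\InteI\IPHLPAPI.dll"},
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\InteI\wksprt.exe",
     "loaded": r"C:\Users\alice\AppData\Local\InteI\IPHLPLAPI.dll"},
    # Benign baseline: the real binary loading the real DLL from System32 must not alert.
    {"id": 1, "image": r"C:\Windows\System32\wksprt.exe", "cmd": "wksprt.exe"},
    {"id": 7, "image": r"C:\Windows\System32\wksprt.exe", "loaded": r"C:\Windows\System32\IPHLPAPI.dll"},
]

# xcopy <...> C:\Windows\System32\<name>.exe <destination>, destination optionally quoted
XCOPY_SYS = re.compile(r'xcopy\b.*?(c:\\windows\\system32\\\S+\.exe)\s+"?([^"]+)"?', re.I)

def in_system_dir(path): return path.lower().startswith(SYSTEM_DIRS)
def basename(path): return PureWindowsPath(path).name.lower()

def one_edit_away(a, b):
    """Single substitution, insertion or deletion (e.g. iphlplapi.dll vs iphlpapi.dll)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    long, short = sorted((a, b), key=len, reverse=True)
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))

def detect(events):
    """Return (rule_name, evidence) tuples for every event matching one of the noisy behaviours."""
    alerts = []
    for e in events:
        img = e["image"]
        if e["id"] == 1:
            if basename(img) == "wksprt.exe" and not in_system_dir(img):
                alerts.append(("wksprt_uncommon_path", img))
            m = XCOPY_SYS.search(e["cmd"])
            if m and "\\appdata\\" in m.group(2).lower():
                alerts.append(("xcopy_system_binary_to_userdir", m.group(1)))
        elif e["id"] == 7 and basename(img) == "wksprt.exe" and not in_system_dir(e["loaded"]):
            name = basename(e["loaded"])
            if name == "iphlpapi.dll":
                alerts.append(("sideload_iphlpapi_from_uncommon_path", e["loaded"]))
            elif one_edit_away(name, "iphlpapi.dll"):
                alerts.append(("renamed_lookalike_dll", e["loaded"]))
    return alerts
```

Running detect(EVENTS) yields four alerts for the malicious events and none for the System32 baseline; the same rules map directly onto process-creation and image-load telemetry in an EDR or SIEM.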
See you tomorrow!