018. That's How Real Adversaries Abuse Wksprt.exe and Use DLL Proxying

Hello everyone! Cyble shared research on a recent campaign targeting organizations in Germany. Two things caught my attention: abusing wksprt.exe (RemoteApp and Desktop Connection Runtime) for DLL sideloading, and the use of DLL proxying.


Interestingly, the threat actors copied this legitimate file from the compromised system to a newly created folder using xcopy:

xcopy /Y /I C:\Windows\System32\wksprt.exe "C:\Users\<USER>\AppData\Local\InteI\"

This legitimate executable is used to sideload a malicious DLL (IPHLPAPI.dll), which in turn loads a renamed copy of the legitimate DLL (IPHLPLAPI.dll); both sit in the same folder as the copied wksprt.exe. The malicious DLL acts as a proxy, forwarding function calls to the legitimate DLL so the host process keeps working normally. At the same time, the malicious DLL reads the file ccache.dat, decrypts the shellcode it contains and retrieves the final payload: a Sliver implant.

Although the adversary uses fairly sophisticated techniques such as DLL proxying, the infection chain is extremely noisy. For example:

  • Copying a system binary (wksprt.exe) to an uncommon location
  • A system binary executed from an uncommon location
  • A renamed legitimate DLL (IPHLPLAPI.dll), whose on-disk name no longer matches its original file name
  • Abusing xcopy to copy multiple files to an uncommon location
  • Suspicious LNK files in the Startup folder
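To show how those five observations turn into detection logic, here is an added example (my own code, not from the Cyble report) that runs simple rules over a handful of constructed Sysmon-style events: process creation (EID 1), image load (EID 7) and file creation (EID 11). The user name, the LNK file name and the event field values are assumptions made up for the sample; the folder name InteI and the file names come from the report. It assumes Sysmon-style field names (Image, CommandLine, ImageLoaded, OriginalFileName, TargetFilename).

```python
"""Toy detections for the wksprt.exe sideloading chain (added example).

Runs over constructed Sysmon-style events; nothing here is a log from the
real campaign, only the file and folder names follow the report.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# System32 binaries that have no business running from anywhere else.
WATCHED_SYSTEM_BINARIES = {"wksprt.exe"}
# System32 DLLs wksprt.exe imports; a copy next to the EXE means sideloading.
WATCHED_SYSTEM_DLLS = {"iphlpapi.dll"}


def _dir(path):
    return ntpath.dirname(path).lower().rstrip("\\")


def _name(path):
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return _dir(path) in SYSTEM_DIRS


def detect_system_binary_uncommon_location(ev):
    """EID 1: a known System32 binary started from outside System32."""
    return (ev["EventID"] == 1
            and _name(ev["Image"]) in WATCHED_SYSTEM_BINARIES
            and not in_system_dir(ev["Image"]))


def detect_xcopy_to_user_profile(ev):
    """EID 1: xcopy used to copy something out of System32 into AppData."""
    cmd = ev.get("CommandLine", "").lower()
    return (ev["EventID"] == 1
            and _name(ev["Image"]) == "xcopy.exe"
            and "\\windows\\system32\\" in cmd
            and "\\appdata\\" in cmd)


def detect_sideloaded_dll(ev):
    """EID 7: a DLL named like a System32 DLL loaded from the process's own folder."""
    return (ev["EventID"] == 7
            and _name(ev["ImageLoaded"]) in WATCHED_SYSTEM_DLLS
            and not in_system_dir(ev["ImageLoaded"])
            and _dir(ev["ImageLoaded"]) == _dir(ev["Image"]))


def detect_renamed_dll(ev):
    """EID 7: on-disk file name differs from the PE's OriginalFileName."""
    orig = ev.get("OriginalFileName", "").lower()
    return ev["EventID"] == 7 and bool(orig) and orig != _name(ev["ImageLoaded"])


def detect_lnk_in_startup(ev):
    """EID 11: a .lnk written into a per-user Startup folder."""
    target = ev.get("TargetFilename", "").lower()
    return (ev["EventID"] == 11 and target.endswith(".lnk")
            and "\\start menu\\programs\\startup\\" in target)


DETECTIONS = [detect_system_binary_uncommon_location, detect_xcopy_to_user_profile,
              detect_sideloaded_dll, detect_renamed_dll, detect_lnk_in_startup]


def run_detections(events):
    """Return (event id, rule name) for every rule that fires on every event."""
    return [(ev["id"], rule.__name__) for ev in events for rule in DETECTIONS if rule(ev)]


# Constructed sample events (user "alice" and "update.lnk" are made up).
STAGE = r"C:\Users\alice\AppData\Local\InteI"
SAMPLE_EVENTS = [
    {"id": "1", "EventID": 1, "Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r'xcopy /Y /I C:\Windows\System32\wksprt.exe "' + STAGE + '\\"'},
    {"id": "2", "EventID": 1, "Image": STAGE + r"\wksprt.exe",
     "CommandLine": STAGE + r"\wksprt.exe"},
    {"id": "3", "EventID": 7, "Image": STAGE + r"\wksprt.exe",
     "ImageLoaded": STAGE + r"\IPHLPAPI.dll", "OriginalFileName": "IPHLPAPI.dll"},
    {"id": "4", "EventID": 7, "Image": STAGE + r"\wksprt.exe",
     "ImageLoaded": STAGE + r"\IPHLPLAPI.dll", "OriginalFileName": "IPHLPAPI.dll"},
    {"id": "5", "EventID": 11, "Image": STAGE + r"\wksprt.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    # Benign baseline: the real wksprt.exe loading the real DLL from System32.
    {"id": "6", "EventID": 1, "Image": r"C:\Windows\System32\wksprt.exe",
     "CommandLine": r"C:\Windows\System32\wksprt.exe"},
    {"id": "7", "EventID": 7, "Image": r"C:\Windows\System32\wksprt.exe",
     "ImageLoaded": r"C:\Windows\System32\IPHLPAPI.dll", "OriginalFileName": "IPHLPAPI.dll"},
]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

Each malicious stage fires exactly one rule and the benign baseline events fire none, which is the point: none of these rules needs a hash or a domain, only the mismatch between where a system binary or DLL normally lives and where it is actually running or loaded from.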
Also, here's a list of indicators from the report:

technikzwerg[.]de

83a70162ec391fde57a9943b5270c217d63d050aae94ae3efb75de45df5298be

f778825b254682ab5746d7b547df848406bb6357a74e2966b39a5fa5eae006c2

9b613f6942c378a447c7b75874a8fff0ef7d7fd37785fdb81b45d4e4e2d9e63d

86f8a979bd887955f0491a0ed5e00de2f3fe53e6eb5856fb823115ce43b7c0ca

See you tomorrow!
