293. That's How APT-Q-37 Abuses C# Compiler

Hello everyone!

As you know, adversaries may deliver malicious files to victims as uncompiled code. So today we'll look at an example of Obfuscated Files or Information: Compile After Delivery (T1027.004).

According to the reportAPT-Q-37 leveraged malicious XLAM files. The macro in the file decodes a copy of the backdoor source code data written in C# and saves it as C:\programdata\cayote.log. Then csc.exe is used to compile it as C:\Programdata\USOShared\vlcplayer.dll:

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Http.dll" /target:library /out:C:\Programdata\USOShared\vlcplayer.dll "C:\Programdata\cayote.log"

For example, we can look for suspicious csc.exe executions for compiling a DLL under ProgramData folder:

event_type: "processcreatewin"

AND

proc_file_path: "csc.exe"

AND

cmdline: ("target:library" AND "programdata")

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

013. It Can Remove Rootkits. And Your EDR!