Researchers are left baffled by the task of unmasking a new and advanced APT (Advanced Persistent Threat) group that is targeting non-governmental organizations in the Southeast Asian nation of Myanmar (formerly Burma).
Researchers have diagnosed the group as having a split personality: crude messages such as “KilllSomeOne” appear in strings in the attack code alongside advanced deployment and targeting techniques.
While the message is easy to find within the script, the targeting and deployment suggest the work of a serious APT group. Furthermore, it has been revealed that this group relies primarily on a cyberattack technique known as DLL side-loading, an attack method that gained popularity in China in 2013.
The fact that the country the attacks originate from and the country in which the victims are based have border tensions brewing between them suggests that the gang is a Chinese APT.
Four distinct DLL side-loading scenarios deliver either a shell payload or plant a complex set of malware on systems. DLL side-loading relies on an application that appears to be legitimate: the application loads a library by name from its own directory, so an attacker-supplied DLL of that name placed alongside it is loaded and run under the trusted application's identity. Because the host application is trusted, the technique can often bypass weak security mechanisms such as application whitelisting, and the code gains the additional permissions Windows grants that application during its execution.
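The side-loading pattern described above leaves a recognisable trace in endpoint telemetry: an unsigned DLL loaded from the same directory as the executable, outside the directories only administrators can write to. The script below is an added example, not code from the original article or from the researchers; it runs a simple detection rule over a handful of constructed Sysmon-style "Image loaded" (Event ID 7) records. The field names (Image, ImageLoaded, Signed, Signature, SignatureStatus) follow Sysmon's schema, but every path, file name and signer in the sample lines is invented, and the list of protected roots is a deliberately minimal assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style "Image loaded" (Event ID 7) records used as sample input.
# Field names follow Sysmon's schema; every path, file name and signer is invented.
SAMPLE_EVENTS = [
    # A signed OS library loaded from System32 by a normally installed program: benign.
    "EventID=7 Image=C:\\Program Files\\Example\\app.exe "
    "ImageLoaded=C:\\Windows\\System32\\version.dll "
    "Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    # An unsigned DLL next to the EXE in a user-writable folder: the side-loading pattern.
    "EventID=7 Image=C:\\Users\\victim\\AppData\\Roaming\\Update\\hostapp.exe "
    "ImageLoaded=C:\\Users\\victim\\AppData\\Roaming\\Update\\version.dll "
    "Signed=false Signature=- SignatureStatus=Unavailable",
    # An unsigned plugin in a vendor directory: same-directory load, but a protected root.
    "EventID=7 Image=C:\\Program Files\\Example\\app.exe "
    "ImageLoaded=C:\\Program Files\\Example\\plugin.dll "
    "Signed=false Signature=- SignatureStatus=Unavailable",
    # A different event type, ignored by the rule.
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# Directories that only administrators can normally write to (assumption: a minimal
# list; a real deployment would enumerate its own protected install roots).
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

# key=value pairs whose values may contain spaces; a value ends where the next key begins.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def under_trusted_root(directory):
    """True if the directory lies beneath one of the protected roots (case-insensitive)."""
    d = directory.lower().rstrip("\\") + "\\"
    return any(d.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def side_loading_candidates(lines):
    """Flag image loads where an unsigned DLL was loaded from the process's own
    directory and that directory is outside the protected roots."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        exe = PureWindowsPath(ev["Image"])
        dll = PureWindowsPath(ev["ImageLoaded"])
        same_dir = exe.parent == dll.parent
        unsigned = ev.get("Signed", "").lower() != "true"
        if same_dir and unsigned and not under_trusted_root(str(dll.parent)):
            findings.append((str(exe), str(dll)))
    return findings


if __name__ == "__main__":
    for exe, dll in side_loading_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {exe} loaded {dll}")
```

The rule is intentionally narrow: a same-directory load of an unsigned library from a protected install root is how many legitimate plugins behave, so only loads from user-writable locations are flagged. Sysmon's Event ID 7 does not record the signature of the host process, which is why the rule keys on the loaded image rather than on the executable.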
All four DLL side-loading scenarios execute malicious code and install backdoors in the networks of targeted organizations. All of them share the same program database path and plaintext strings written in poor English with politically inspired messages.
The reported cases are connected by their Program Database (PDB) path: all of them share a similar path, and several contain the folder name KilllSomeOne.
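A PDB path survives in a compiled binary as a CodeView "RSDS" record (the four-byte signature, a 16-byte GUID, a 4-byte age, then the NUL-terminated path), which is why analysts can pull it out of samples and use it to cluster them, as the report does with the KilllSomeOne folder name. The script below is an added example, not code from the original article or from the researchers: it builds a few constructed stand-in blobs with RSDS records and plaintext strings, extracts the PDB paths, groups the samples by PDB directory and checks for the two marker strings quoted in this report. The KilllSomeOne folder name and the two marker strings come from the article; every other path element, sample name and GUID is invented.

```python
import re
import struct
import uuid

# Plaintext markers the report attributes to the KilllSomeOne samples.
KNOWN_MARKERS = {
    "Happiness is a way station between too much and too little",
    "HELLO_USA_PRISIDENT",
}


def build_rsds(pdb_path, age=1):
    """Build a CodeView RSDS record: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated
    path. Used only to construct sample data; in a real PE the record sits in the debug
    directory and the GUID is not all zeros."""
    guid = uuid.UUID("00000000-0000-0000-0000-000000000000")
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("ascii") + b"\x00"


# Constructed stand-ins for binaries: padding, an RSDS record and a few strings. The
# KilllSomeOne folder name comes from the report; every other path element is invented.
SAMPLES = {
    "sample_a.exe": (b"MZ" + b"\x90" * 32
                     + build_rsds(r"C:\work\KilllSomeOne\Release\loader.pdb")
                     + b"\x00HELLO_USA_PRISIDENT\x00"),
    "sample_b.dll": (b"MZ" + b"\x00" * 16
                     + build_rsds(r"C:\work\KilllSomeOne\Release\payload.pdb")),
    "sample_c.dll": (b"MZ" + b"\x00" * 16
                     + build_rsds(r"D:\vendor\build\update.pdb")),
    "sample_d.exe": b"MZ" + b"\x00" * 64,  # no debug record at all
}

RSDS_HEADER_LEN = 4 + 16 + 4  # signature, GUID, age
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def extract_pdb_paths(data):
    """Return every PDB path found in RSDS records in the blob, in file order."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end == -1:
            break
        raw = data[start:end]
        # Only accept an ASCII string that looks like a PDB file; "RSDS" can occur by chance.
        if raw.isascii() and raw.decode("ascii").lower().endswith(".pdb"):
            paths.append(raw.decode("ascii"))
        pos = data.find(b"RSDS", start)
    return paths


def find_known_markers(data):
    """Return the report's plaintext markers present as printable runs in the blob."""
    runs = {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)}
    return sorted(runs & KNOWN_MARKERS)


def cluster_by_pdb_directory(samples):
    """Group sample names by the directory part of their PDB path (case-insensitive)."""
    clusters = {}
    for name, data in samples.items():
        for path in extract_pdb_paths(data):
            directory = path.rsplit("\\", 1)[0].lower()
            clusters.setdefault(directory, []).append(name)
    return clusters


if __name__ == "__main__":
    for directory, names in cluster_by_pdb_directory(SAMPLES).items():
        print(f"{directory}: {', '.join(names)}")
    for name, data in SAMPLES.items():
        print(f"{name}: markers {find_known_markers(data)}")
```

Grouping on the directory rather than the full path is what links distinct components (a loader and a payload) built from the same project tree, which is the kind of overlap the report relies on; a build path is trivial for an author to change, so it supports attribution alongside other evidence rather than on its own.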
Sample plaintext strings in the KilllSomeOne malware code include “Happiness is a way station between too much and too little” and “HELLO_USA_PRISIDENT”.
The perpetrators behind targeted attacks of this kind come with very different skill sets and capabilities. Some are highly skilled, while others lack a sophisticated skill set. However, this new group of attackers doesn't fall on either end of the spectrum. They moved to simpler implementations in their coding, especially in encrypting the payload.
To read more, please check the eScan Blog.