New APT hacking group leverages ‘KilllSomeOne’ DLL side-loading

A new entry into the APT scene has peppered its malware with political messages.
Written by Charlie Osborne, Contributing Writer

A new Chinese advanced persistent threat (APT) group making the rounds performs DLL side-loading attacks whose samples include the phrase "KilllSomeOne."

According to Sophos researcher Gabor Szappanos, the group -- suspected to be of Chinese origin -- is targeting corporate organizations in Myanmar using poorly-written English messages relating to political subjects. 

Side-loading utilizes DLL spoofing to abuse legitimate Windows processes and execute malicious code. While nothing new, Sophos said in a blog post on Wednesday that this APT combines four separate types of side-loading attack when carrying out targeted campaigns. 

Each attack type is connected by the same program database (PDB) path, and some of the samples recorded and connected to the cybercriminals contain the folder name "KilllSomeOne."

"Two of these delivered a payload carrying a simple shell, while the other two carried a more complex set of malware," Sophos says. "Combinations from both of these sets were used in the same attacks."

In the first scenario, a Microsoft antivirus component is used to load mpsvc.dll, a malicious loader for Groza_1.dat. While encryption is in play, it is nothing more than a simple XOR algorithm and the key is the string: "Hapenexx is very bad."

The second sample leverages AUG.exe, a loader called dismcore.dll, and the same payload and key are used -- but in this case, both the file name and decryption key are encrypted with a one-byte XOR algorithm.

The Groza_1.dat payload is PE shellcode which loads the final payload into memory for execution, connecting to a command-and-control (C2) server which could be used to issue commands or deploy additional malware. An unused string called "AmericanUSA" was also noted. 

The other two samples, using payload file names adobe.dat and x32bridge.dat, are more sophisticated and use a shell to establish persistence, for obfuscation, and to "prepare file space for collecting data," the researchers say. 

One notable difference is a change in the encryption key, using the string "HELLO_USA_PRISIDENT."
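The XOR schemes described for the four samples can be checked during triage with a short script. This is an added example, not code from Sophos or from the samples. It assumes the string keys are applied as a repeating-key XOR and that a decrypted payload contains ordinary PE byte patterns; the function names are hypothetical and both sample blobs are constructed.

```python
from itertools import cycle

# Key strings quoted in the article; repeating-key use is an assumption.
REPORTED_KEYS = [b"Hapenexx is very bad", b"HELLO_USA_PRISIDENT"]
# Assumption: a decrypted payload contains ordinary PE byte patterns.
PE_MARKERS = [b"This program cannot be run in DOS mode", b"PE\x00\x00"]
# Strings the article says the second loader hides with a one-byte XOR.
NEEDLES = [b"Groza_1.dat", b"Hapenexx is very bad"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def identify_key(blob: bytes, keys=REPORTED_KEYS):
    """Return the reported key whose decryption shows PE markers, else None."""
    for key in keys:
        plain = xor_bytes(blob, key)
        if any(marker in plain for marker in PE_MARKERS):
            return key
    return None


def find_hidden_strings(blob: bytes, needles=NEEDLES):
    """Search a loader for the needles under every one-byte XOR key."""
    hits = []
    for key in range(1, 256):
        for needle in needles:
            offset = blob.find(xor_bytes(needle, bytes([key])))
            if offset != -1:
                hits.append((key, offset, needle))
    return hits


# Constructed samples (not real malware): a PE-like stub and a fake loader.
STUB = b"MZ" + bytes(62) + b"This program cannot be run in DOS mode" + b"PE\x00\x00"
SAMPLE_PAYLOAD = xor_bytes(STUB, REPORTED_KEYS[0])
SAMPLE_LOADER = (b"\x90" * 16 + xor_bytes(NEEDLES[0], b"\x5a") + b"\x00"
                 + xor_bytes(NEEDLES[1], b"\x5a") + b"\xcc" * 8)

if __name__ == "__main__":
    print("payload key:", identify_key(SAMPLE_PAYLOAD))
    for key, offset, needle in find_hidden_strings(SAMPLE_LOADER):
        print(f"one-byte key 0x{key:02x} at offset {offset}: {needle!r}")
```

Searching for the known strings under all 255 one-byte keys avoids having to guess the key used by a given loader build.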

The payloads will deploy an installer and additional components for another DLL side-loading set of attacks in a number of directories and will assign the files "hidden" and "system" attributes.

"The installer then closes the executable used in the initial stage of the attack, and starts a new instance of explorer.exe to side-load the dropped DLL component," the team says. "This is an effort to conceal the execution."

The malware will also wipe out running processes that could interfere with side-loading attempts, create a registry key to establish persistence, and begin to exfiltrate data.

According to the researchers, the APT doesn't fit in neatly with standard cyberattack group descriptions, as the messages hidden in their samples and the simple implementation of much of their coding lean toward script-kiddie levels -- but at the same time, the targeting and deployment strategy is more commonly associated with sophisticated APTs.

"Based on our analysis, it's not clear whether this group will go back to more traditional implants like PlugX or keep going with their own code," Sophos says. "We will continue to monitor their activity to track their further evolution."
