Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) – ASEC BLOG

Caution is advised as an Infostealer that prompts the execution of legitimate EXE files is actively being distributed.

The threat actor is distributing a legitimate EXE file with a valid signature and a malicious DLL compressed in the same directory. The EXE file itself is legitimate, but when executed in the same directory as the malicious DLL, it automatically runs that malicious DLL. This technique is called DLL hijacking and is often used in the distribution of malware.

The distribution of malware disguised as cracks and keygens for commercial software is also increasing the sample size of the DLL hijacking method. The distribution began in earnest around last May and has continued to spread actively since August to the present.

When searching for various cracked commercial software on search engines, malicious sites appear at the top, and clicking the Download button on these sites leads to various redirections before arriving at the ultimate distribution site. The downloaded file is an encrypted compressed RAR file, and the password is provided in the file name or on the distribution page. When this file is decompressed and the legitimate EXE file contained within is executed, the system becomes infected by the malware. The EXE files are mostly named setup.exe or Installer.exe and have valid signatures since most of them are the executable files of well-known software.

Figure 1. Webpages distributing the malware

The malicious DDL files are created by modifying a segment of legitimate DLL files. The modified code reads a specific data file in the same directory, decrypts it, then executes it. If the entire malware data were to be contained within the DLL files, the appearance of the files would be significantly altered, making them easier to detect. Therefore, it is suspected that this method is utilized so that malicious behavior can be performed while only altering the bare minimum of the original DLL files.

Figure 2. Similarity comparison between original DLL and malicious DLL

Ultimately, the data file, legitimate EXE file, and modified malicious DLL must all be located in the same directory for the malware to function. The data file is disguised as a PNG image file. The modified area of the malicious DLLs includes the end part of a certain function that must be executed in the EntryPoint execution flow, along with some code and data areas. All the code is encrypted and executed after being decrypted in the memory in order to evade code pattern detection. After execution, the malware has been observed to delete the malicious DLLs in order to erase traces.

The execution process of the malware is explained using the recently distributed sample below.

Legitimate EXE e634616d3b445fc1cd55ee79cf5326ea (vlc.exe)
Malicious DLL 58ea42289ae52e82ffcfa20071c32d7a (libvlccore.dll)
Final malware LummaC2 Stealer
C2 hxxp://hokagef[.]fun/api
Table 1. Sample information of example

Decompressing the password-protected compressed file downloaded from the distribution site using the password specified in the file name (“2023”) creates the following files.

Figure 3. Files inside the compressed file

The “Setup.exe” and “libvlc.dll” are legitimate components of the well-known software “VLC Media Player” and are valid files with legitimate signatures. The “libvlccore.dll” file is the modified malicious DLL file. The signatures do not match since a portion of the file was modified. The directories such as demux and lua are included as data to disguise the file as being legitimate but are unrelated to the actual execution of the malware.

Figure 4. Properties of the legitimate EXE
Figure 5. Properties of the malicious DLL

When the “Setup.exe” file is executed, the malicious DLL “libvlccore.dll” is automatically run. The end part of a certain function within the DLL EntryPoint execution flow has been modified in the malicious DLL. Consequently, the DLL EntryPoint is triggered upon loading the DLL, ultimately causing the execution of the code modified by the threat actor.

Figure 6. Left: Original DLL / Right: Malicious DLL with modified code

The functionality of this code is to locate and read the “ironwork.tiff” file in the same directory. It then reads and decrypts this file before executing it. This file is a data file that contains information on the code to be executed later. The file header is a PNG file, but it is filled with encrypted malicious data starting from the middle of the file.

Figure 7. Structure of the “ironwork.tiff” data file

It loads the “pla.dll” from the system directory (SysWow64) and injects the decrypted code into the code region of the DLL’s memory, followed by branching to that location. This method differs from the typical approach used by most malware, which involves allocating virtual memory to write code.

The API used in the subsequent step utilizes the NTDLL relocation technique. Even when executing “cmd.exe” and injecting code, it deviates from the typical code injection method. Instead of directly injecting code into the target process, it loads (DLL injection) “pla.dll” into the target process and then injects the malware into the code region of that DLL.

Figure 8. Modified code area of pla.dll that was loaded into cmd.exe

At this point, the necessary data file for malicious behaviors is written to the %TEMP% path. This file path is registered as a certain environment variable and inherited by the child process, which is “cmd.exe”.

Figure 9. Data file path and environment variable

cmd.exe has its EntryPoint modified to the code region of “pla.dll.” This code decrypts the file located at the path registered in the environment variable. It then generates the LummaC2 malware binary and proceeds to execute “explorer.exe”. Afterward, it injects the binary and executes it.

  • LummaC2 malware binary: 1d1ef4a4155edb56e8f3c8587fde8df0

The overall process tree structure is as follows.

Figure 10. Process tree of malware execution

LummaC2 is an Infostealer that can designate targets and install additional malware based on the responses it receives from its C2 server. It is capable of exfiltrating various sensitive data, including cryptocurrency wallets, information saved on browsers, information from applications like Steam, email client data, specific files in certain folders with particular extensions, and more.

The C2’s responses are composed of data and an XOR key, and when decrypted, they take the form of JSON-formatted data, as shown below. Responses from the C2 change periodically, leading to variations in its behavior in turn.

Figure 11. C2 response data of LummaC2

This distribution method infects systems via the execution of legitimate EXE files that belong to well-known software. The malicious DLLs closely resemble the original DLLs in appearance, making them different from simple EXE-based malware. Consequently, the initial detection rates by anti-malware vendors are considerably low, underscoring the need for caution from users.

Meanwhile, ASEC is actively monitoring and responding to this type of distributed malware using its automatic collection system and is responding quickly to variations that occur.

Figure 12. Information from VirusTotal

Aside from the example given in this post, various legitimate files and DLLs have also been abused. Information regarding the legitimate EXE and malicious DLL files used for distribution is as follows.

[IOC Information]

PSPad.exe Jan Fiala 4ec1a433d0c1e6b58da254b506e3444f libeay32.dll a3a0395dc0f15e2e92a55dcb7c3a7735
WizTree.exe Antibody Software Limited cce7eaa082751bdd6780707a9444964d winmm.dll c474b9effe72f11e73bfd8e2d5235108
WizTree64.exe Antibody Software Limited 50a40274ffe963e1f214f9f19746e29e winmm.dll 4474e26725db0e84d8418b25137d275b
InstallShield SetupSuite.exe Flexera Software LLC 696e066c4f3d52d5766e724afbdb3594 xmllite.dll 483ad6a57ea6cae5696841f07f1177f0
TSConfig.exe Flexera Software LLC 48c9a0c76b44a5f2729c876085adba4e FNP_Act_Installer.dll 89618931cf9487370542ca40509795a4
VBoxSVC.exe Oracle Corporation c8a2de7077f97d4bce1a44317b49ef41 VBoxRT.dll a860b368e9e2aa5cb4e7cb73607d18b1
SenseCE.exe 8f0717916432e1e4f3313c8ebde55210 MpGear.dll f362e88dd656c5512dbee66efffae107
palemoon.exe Mark Straver 64e3c6d6a396836e3c57b81e4c7c8f3b mozglue.dll 200499eacae55905e27d0b96314cb0c7
topoedit.exe Microsoft Corporation 88691dbfa349db78f96e3278d1afc943 tedutil.dll 8096e5aacfe4dc4ea1afe03ca254982a
vlc.exe VideoLAN e634616d3b445fc1cd55ee79cf5326ea libvlccore.dll 61762b4a21b0b7b479d2eac80b630c2e
Mergecap.exe Wireshark Foundation 23ba27d352305f29d201ac5e43fc4583 libglib-2.0-0.dll 4b8ac7aab387e01cfa2c53cad3ef69b1
AcroBroker.exe Adobe Systems, Incorporated a13bfe522abc659704965388ad4581ee sqlite.dll e74fb90de19d7cc0b01155f29e6c306f
VBoxTestOGL.exe Oracle Corporation ba99b11a84a19051eca441320af22f4e QtCoreVBox4.dll 4f688e1c75cbee5949af010cbc5d4057
vlc.exe VideoLAN e634616d3b445fc1cd55ee79cf5326ea libvlccore.dll 58ea42289ae52e82ffcfa20071c32d7a
TPAutoConnect.exe Cortado AG 1377ef7319507a10d135d5128ac9fbc8 TPSvc.dll 12e5c5c08049ecaa5e15d51bbe58fd41
Table 2. IOC information

C2

  • hxxp://go-vvv[.]com/hittest.php
  • hxxp://cloudsaled[.]xyz/
  • hxxp://cloudsaled[.]xyz/c2conf
  • hxxp://warnger[.]xyz/
  • hxxp://warnger[.]xyz/c2conf
  • hxxp://warnger[.]xyz/
  • hxxp://warnger[.]xyz/c2conf
  • hxxp://5.42.66[.]17/
  • hxxp://nursepridespan[.]fun/
  • hxxp://nursepridespan[.]fun/api
  • hxxp://paintpeasmou[.]fun/
  • hxxp://paintpeasmou[.]fun/api
  • hxxp://spreadbytile[.]fun/
  • hxxp://spreadbytile[.]fun/api
  • hxxp://willywilk[.]fun/api
  • hxxp://tfestv[.]fun/api
  • hxxp://hokagef[.]fun/api
  • hxxp://gonberusha[.]fun/api

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Source: https://asec.ahnlab.com/en/58319/