Minas – on the way to complexity

Sometimes when investigating an infection and focusing on a targeted attack, we come across something we were not expecting. The case described below is one such occurrence.


In June 2022, we found a suspicious shellcode running in the memory of a system process. We decided to dig deeper and investigate how the shellcode was initially placed into the process and where on the infected system the threat was hidden.


The infection chain


We were unable to reproduce the whole infection procedure, but we were able to reconstruct it from the point at which PowerShell was executed, as shown in the scheme below.



General attack execution flow


In a nutshell, the infection chain is as follows:


1. PowerShell script runs via the Task Scheduler and downloads the lgntoerr.gif file from a remote server.
2. The script decrypts lgntoerr.gif, resulting in a .NET DLL, which is then loaded.
3. The .NET DLL extracts and decrypts three files from its resources: two DLLs and an encrypted payload. The extracted files are placed in the ProgramData directory.
4. The .NET DLL creates a task to autorun the legitimate ilasm.exe component at system startup via Task Scheduler.
5. Task Scheduler starts ilasm.exe from the ProgramData directory.
6. ilasm.exe launches fusion.dll, a malicious DLL hijacker, from the same directory.
7. fusion.dll loads the second decrypted DLL.
8. That DLL creates a suspended dllhost.exe process.
9. It then decrypts the payload from the encrypted binary file.
10. The decrypted payload is loaded into the dllhost.exe process as a DLL.
11. The PID of the dllhost.exe process is saved to a file in the ProgramData ..
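As an added example (not code from the original post), here is a small detection routine for the persistence and loader stages of this chain, run over constructed Sysmon-like events: ilasm.exe running outside the .NET Framework directory, fusion.dll side-loaded from that same non-standard directory, and dllhost.exe spawned by an unexpected parent. The event layout, the sample paths and the set of expected dllhost.exe parents are assumptions.

```python
# Added example, not from the original post: offline detection logic for the
# Minas loader stages. Event shape, sample paths and parent allowlist are
# constructed assumptions, not values taken from the investigation.
from pathlib import PureWindowsPath

NET_ROOT = PureWindowsPath(r"C:\Windows\Microsoft.NET")        # where ilasm.exe/fusion.dll normally live
EXPECTED_DLLHOST_PARENTS = {"svchost.exe", "services.exe", "explorer.exe"}  # assumed allowlist

# Constructed sample telemetry: id 1 = process creation, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"id": 1, "image": r"C:\ProgramData\Microsoft\ilasm.exe", "parent": r"C:\Windows\System32\svchost.exe"},
    {"id": 7, "image": r"C:\ProgramData\Microsoft\ilasm.exe", "loaded": r"C:\ProgramData\Microsoft\fusion.dll"},
    {"id": 1, "image": r"C:\Windows\System32\dllhost.exe", "parent": r"C:\ProgramData\Microsoft\ilasm.exe"},
    # Benign control: ilasm.exe loading fusion.dll from the real .NET Framework directory.
    {"id": 7, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll"},
]

def _name(path):
    return PureWindowsPath(path).name.lower()

def _under(path, root):
    """Case-insensitive check that path sits below root."""
    p = [x.lower() for x in PureWindowsPath(path).parts]
    r = [x.lower() for x in root.parts]
    return p[:len(r)] == r

def check_event(ev):
    """Return finding labels for one event (empty list when nothing matches)."""
    findings = []
    name = _name(ev["image"])
    # Step 5: the legitimate ilasm.exe started from ProgramData instead of the .NET directory.
    if ev["id"] == 1 and name == "ilasm.exe" and not _under(ev["image"], NET_ROOT):
        findings.append("ilasm_outside_dotnet")
    # Step 6: fusion.dll resolved from the application directory (DLL hijack), not the .NET directory.
    if ev["id"] == 7 and name == "ilasm.exe" and _name(ev["loaded"]) == "fusion.dll" \
            and not _under(ev["loaded"], NET_ROOT):
        findings.append("fusion_dll_sideload")
    # Step 8: dllhost.exe created by a parent outside the expected set.
    if ev["id"] == 1 and name == "dllhost.exe" and _name(ev["parent"]) not in EXPECTED_DLLHOST_PARENTS:
        findings.append("dllhost_unusual_parent")
    return findings

def scan(events):
    """Run check_event over a list of events; returns (index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]

if __name__ == "__main__":
    for i, finding in scan(SAMPLE_EVENTS):
        print(i, finding, SAMPLE_EVENTS[i]["image"])
```

The benign control event (the real ilasm.exe loading fusion.dll from its own .NET directory) produces no finding, which is the false-positive case any rule on these names must handle.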
