It is somewhat usual for tools and methodologies to be allowed to share throughout the nebula of Chinese threat actors. The infamous "DLL side-loading triad" is one of that kind of example. The side-loading-dynamic link library (DLL) is an extremely effective method of cyber-attack that benefits from the management of DLL files by Microsoft Windows applications. A genuine executioner, a malicious DLL, and an encrypted payload have usually been dropped from a self-extraction file. Initially regarded as the LuckyMouse signature, developers observed that other organizations were using a similar 'triad' like HoneyMyte. Although it indicates that attacks depending only on this technique cannot be attributed, the efficient prevention of such triads shows increasing malicious activity.
A malware sample has been identified by researchers knows as FoundCore Loader which is configured to attack high-profile organizations in Vietnam. As per the high-level perspective of the researchers, the virus chain follows an execution that starts from the – FINDER.exe (a genuine MS Outlook file) which side loads to the outbill.dll (a malicious loader ) that eventually hijacks the flow of the execution and decrypts and runs a Shellcode placed in a rdmin.src file ( that is a malicious loader companion).
The FoundCore payload is the final payload that is a remote access tool that provides its operators with complete control of the victim machine. This malware begins with 4 threads when it is executed. The first one determines persistence through the development of a service. The second establishes unclear information for the system by modifying its fields like 'Description,' 'Image Path,' 'Display Name' (among others). The third set the vacant DACL ("D:P" SDDL) image for the curr ..