Security researchers at Sophos have discovered a series of attacks that used DLL side-loading (abusing a trusted application so that it loads a malicious DLL placed alongside it) to execute malicious code and install backdoors in the networks of targeted organizations. While the technique itself is not new and has been observed in use by Chinese APT groups since 2013, the uncovered campaign carries a never-before-seen payload that “stands out because the threat actors used several plaintext strings written in poor English with politically inspired messages in their samples.”
Sophos said they observed the attackers using four different DLL side-loading scenarios, all of which share the same program database (PDB) path and some of which carry a file named “KilllSomeOne.” Two of the scenarios delivered a payload carrying a simple shell, while the other two carried a more complex set of malware; combinations from both sets were used in the same attacks.
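The four side-loading scenarios were tied together by a shared program database (PDB) path, which is a common pivot when clustering malware samples. The script below, an added example rather than Sophos code, pulls that path out of a PE file's CodeView (RSDS) debug record with a minimal parser written against the Microsoft PE/COFF layout and groups samples that share it. The binaries it inspects are constructed in `make_sample_pe()` so that the script runs offline, and the PDB paths they contain are placeholders, not the path reported by Sophos.

```python
"""Extract the CodeView (RSDS) PDB path from PE files and cluster samples by it.

Added example, not Sophos code. Offsets follow the Microsoft PE/COFF specification.
The binaries built by make_sample_pe() are constructed test data so the script runs
offline; their PDB paths are placeholders, not the path from the Sophos research.
"""
import struct
from collections import defaultdict

CODEVIEW = 2          # IMAGE_DEBUG_TYPE_CODEVIEW
DEBUG_DIR_INDEX = 6   # IMAGE_DIRECTORY_ENTRY_DEBUG


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def pdb_path(pe: bytes):
    """Return the PDB path from the PE's RSDS debug record, or None if it has none."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]    # SizeOfOptionalHeader
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:    # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", pe, dirs - 4)[0]       # NumberOfRvaAndSizes
    if n_dirs <= DEBUG_DIR_INDEX:
        return None
    dbg_rva, dbg_size = struct.unpack_from("<II", pe, dirs + DEBUG_DIR_INDEX * 8)
    if dbg_rva == 0 or dbg_size == 0:
        return None
    sections = []
    for i in range(nsect):                                   # 40-byte section headers
        hdr = opt + size_opt + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    dbg_off = _rva_to_offset(dbg_rva, sections)
    for n in range(dbg_size // 28):                          # IMAGE_DEBUG_DIRECTORY is 28 bytes
        entry = dbg_off + n * 28
        typ, size_data, _addr, ptr_raw = struct.unpack_from("<IIII", pe, entry + 12)
        if typ != CODEVIEW:
            continue
        blob = pe[ptr_raw:ptr_raw + size_data]
        if blob[:4] != b"RSDS":
            continue
        # RSDS layout: signature(4) + GUID(16) + age(4) + NUL-terminated PDB path
        return blob[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return None


def cluster_by_pdb(samples):
    """Group sample names by shared PDB path; samples without one land under None."""
    clusters = defaultdict(list)
    for name, data in samples.items():
        clusters[pdb_path(data)].append(name)
    return dict(clusters)


def make_sample_pe(path: str) -> bytes:
    """Build a minimal PE32+ image carrying one RSDS record (constructed test data)."""
    blob = b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + path.encode() + b"\0"
    sect_va, sect_raw = 0x1000, 0x200
    dbg_entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, CODEVIEW, len(blob),
                            sect_va + 28, sect_raw + 28)
    section = dbg_entry + blob
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                    # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + DEBUG_DIR_INDEX * 8, sect_va, 28)
    sect_hdr = (b".rdata\0\0" + struct.pack("<IIII", len(section), sect_va,
                                              len(section), sect_raw) + bytes(16))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_hdr
    return image.ljust(sect_raw, b"\0") + section


if __name__ == "__main__":
    shared = r"C:\constructed\build\shared.pdb"   # placeholder, not the real path
    samples = {
        "loader_a.dll": make_sample_pe(shared),
        "loader_b.dll": make_sample_pe(shared),
        "other.dll": make_sample_pe(r"C:\constructed\build\other.pdb"),
    }
    for path, names in cluster_by_pdb(samples).items():
        print(f"{path}: {', '.join(names)}")
```

To use this on real samples, read each file into the `samples` dict instead of calling `make_sample_pe()`. A shared PDB path is a strong clustering pivot because it leaks the developer's build environment, but it is trivially forgeable and can be stripped, so treat it as a lead for further analysis rather than proof of common authorship.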
Plaintext strings found in the KilllSomeOne malware code include “Happiness is a way station between too much and too little” and “HELLO_USA_PRISIDENT”.
According to the researchers, the malware looks for a running process whose name starts with “AAM”, kills that process and deletes the file associated with it. “AAM Updates.exe” has previously been associated with the well-known PlugX backdoor, which is often linked to Chinese state hackers, so this behaviour suggests that KilllSomeOne was designed to remove earlier PlugX infections.
Based on the targeting of these attacks (the campaign was aimed at non-governmental organizations and other organizations in Myanmar) and some other characteristics of the malware, the researchers believe that the group involved is a Chinese APT.
“The types of perpetrators behind targeted attacks in general are not a homogeneous pool. They come with very different skill sets and capabilities. Some of them are highly skilled, while others don’t have skills that exceed the level of average cybercriminals,” the researchers wrote.
“The group responsible for the attacks we investigated in this report don’t clearly fall on either end of the spectrum. They moved to more simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are on the level of script kiddies. On the other hand, the targeting and deployment is that of a serious APT group,” they added.