Based on the embedded political messages and past uses of a China-linked backdoor malware, threat hunters suspect China state-sponsored hackers.
Threat hunters have recently uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations.
In four different DLL side-loading scenarios, non-governmental organizations (NGOs) and other entities in Myanmar were targeted. All shared the same program database path, and some carried a file named “KilllSomeOne” (sic).
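The report ties the four scenarios together by a shared program database (PDB) path. The following is an added example, not code from the original article or from Sophos, showing how a hunter can carve CodeView "RSDS" debug records out of raw sample bytes and cluster samples by the PDB path they embed. The sample blobs and the PDB path strings are constructed placeholders; the real path from the report is not on this page.

```python
import re
import struct
import uuid
from collections import defaultdict

# CodeView "RSDS" record as it appears inside a PE debug directory:
#   "RSDS" | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated PDB path
# Carving for the signature works on any blob, so no PE parser is needed here.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL
)


def extract_pdb_paths(data: bytes):
    """Return (guid, age, path) for every RSDS record found in the blob."""
    records = []
    for m in RSDS_RE.finditer(data):
        guid = str(uuid.UUID(bytes_le=m.group("guid")))
        age = struct.unpack("<I", m.group("age"))[0]
        path = m.group("path").decode("ascii", errors="replace")
        records.append((guid, age, path))
    return records


def cluster_by_pdb_path(samples: dict):
    """Map each PDB path to the names of the samples that carry it."""
    clusters = defaultdict(list)
    for name, blob in samples.items():
        for _, _, path in extract_pdb_paths(blob):
            clusters[path].append(name)
    return dict(clusters)


def shared_pdb_paths(samples: dict):
    """PDB paths seen in more than one sample: the pivot used to link the scenarios."""
    return [p for p, names in cluster_by_pdb_path(samples).items() if len(names) > 1]


def _make_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    # Helper to fabricate a record for the constructed samples below.
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


# Constructed stand-in samples: padding around a fabricated RSDS record.
# The path is a placeholder, not the path reported by Sophos.
SHARED_PDB = r"C:\placeholder\build\shared.pdb"
SAMPLES = {
    "sample_a.exe": b"MZ" + b"\x90" * 32 + _make_rsds(SHARED_PDB, uuid.UUID(int=1), 3) + b"\x00" * 8,
    "sample_b.dll": b"MZ" + b"\x00" * 16 + _make_rsds(SHARED_PDB, uuid.UUID(int=2), 1),
    "unrelated.exe": b"MZ" + _make_rsds(r"D:\other\tool.pdb", uuid.UUID(int=3), 1),
    "no_debug.bin": b"MZ" + b"\xff" * 40,
}

if __name__ == "__main__":
    for path, names in cluster_by_pdb_path(SAMPLES).items():
        print(f"{path}: {', '.join(names)}")
    print("shared:", shared_pdb_paths(SAMPLES))
```

On real files, read each sample with `open(name, "rb").read()` in place of the constructed blobs; the GUID and age together identify a specific build, while the path alone is the looser pivot that survives rebuilds from the same project tree.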
Forensic findings
According to a report by Sophos threat hunters, the attackers had implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well-known PlugX backdoor.
Two of the scenarios delivered a payload carrying a simple shell, while the other two carried a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.
The malware also looks for a running process whose name starts with AAM, probably because earlier PlugX side-loading scenarios used the file name ‘AAM Updates.exe’. If it finds such a process, it kills it and deletes the file. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.
The KilllSomeOne malware code includes several plain-text strings. In the samples analysed, these strings were written in poor English and carried clear political messages. According to Sophos, it is unusual to find political messages of this kind in what appears to be a nation-state threat; it could mean that less-professional cybercriminals are involved, or that the attackers inserted the messages to misdirect security researchers.
The firm’s threat research director, Gabor Szappanos, said: “This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal.”
Serious APT group
The group responsible for the ‘KilllSomeOne’ attacks does not fall clearly at either end of the spectrum. For instance, said Szappanos, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you would expect from script kiddies.
“On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code,” Szappanos concluded.