Operators Used Four Different DLL Side-Loading Scenarios To Install And Execute New Malware After Removing A Resident PlugX Backdoor. Targets And Tools Suggest Adversaries Are A Chinese APT Group

OXFORD, U.K.  — November 4, 2020 —

Sophos, a global leader in next-generation cybersecurity, has uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations. A report published today, “A New APT uses DLL Side-loads to Killl Someone,” outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named “KilllSomeOne.” The targeting of these attacks—against non-governmental organizations and other organizations in Myanmar—and other characteristics of the malware suggest that the attackers involved may be a Chinese APT group.

The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well known PlugX backdoor. Two of the scenarios deliver a payload carrying a simple shell, while the other two carry a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.

The malware also looks for a running process name starting with AAM, probably because earlier PlugX side-loading scenarios used the file name “AAM Updates.exe.” If the malware finds this file, it kills and deletes it. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.

The KilllSomeOne malware code includes several strings of plain text. The samples Sophos analyzed were written in poor English and with clear political messages. According to Sophos, it is unusual to find these types of political messages in what appears to be a nation-state threat, and it could mean less professional cybercriminals are involved or the attackers inserted the messages to misdirect security researchers.

“This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal,” said Gabor Szappanos, threat research director, Sophos. “The group responsible for the ‘KilllSomeOne’ attacks doesn’t fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you’d expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code.”

Further information on KilllSomeOne can be found on SophosLabs Uncut where Sophos experts regularly publish their latest research and breakthrough findings. Threat researchers and IT managers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

Human-led threat hunting and response help to identify and mitigate new and unknown threats. At Sophos,  these experts are available through Sophos Managed Threat Response and Sophos Rapid Response services.

About Sophos

Sophos is a cybersecurity leader protecting 600,000 organisations worldwide with an AI-driven platform and expert-led services. Sophos meets organisations wherever they are in their security maturity and grows with them to defeat cyberattacks. Its solutions combine machine learning, automation, and real-time threat intelligence with frontline human expertise from Sophos X-Ops to deliver advanced, 24/7 threat monitoring, detection, and response.
Sophos offers industry-leading managed detection and response (MDR) alongside a comprehensive portfolio of cybersecurity technologies — including endpoint, network, email, and cloud security, extended detection and response (XDR), identity threat detection and response (ITDR), and next-generation SIEM. Alongside expert advisory services, these capabilities assist organisations in proactively mitigating risk and responding more quickly, with the visibility and scalability required to stay ahead of evolving threats.
Sophos enters the market with a global partner ecosystem, including Managed Service Providers (MSPs), Managed Security Service Providers (MSSPs), resellers and distributors, marketplace integrations, and cyber risk partners, offering organisations the flexibility to select trusted relationships when securing their business.  Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.