Operators Used Four Different DLL Side-Loading Scenarios To Install And Execute New Malware After Removing A Resident PlugX Backdoor. Targets And Tools Suggest Adversaries Are A Chinese APT Group

OXFORD, U.K.  — November 4, 2020 —

Sophos, a global leader in next-generation cybersecurity, has uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations. A report published today, “A New APT uses DLL Side-loads to Killl Someone,” outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named “KilllSomeOne.” The targeting of these attacks—against non-governmental organizations and other organizations in Myanmar—and other characteristics of the malware suggest that the attackers involved may be a Chinese APT group.

The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well known PlugX backdoor. Two of the scenarios deliver a payload carrying a simple shell, while the other two carry a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.

The malware also looks for a running process name starting with AAM, probably because earlier PlugX side-loading scenarios used the file name “AAM Updates.exe.” If the malware finds this file, it kills and deletes it. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.

The KilllSomeOne malware code includes several strings of plain text. The samples Sophos analyzed were written in poor English and with clear political messages. According to Sophos, it is unusual to find these types of political messages in what appears to be a nation-state threat, and it could mean less professional cybercriminals are involved or the attackers inserted the messages to misdirect security researchers.

“This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal,” said Gabor Szappanos, threat research director, Sophos. “The group responsible for the ‘KilllSomeOne’ attacks doesn’t fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in coding—especially in encrypting the payload—and the messages hidden in their samples are what you’d expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. It’s not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code.”

Further information on KilllSomeOne can be found on SophosLabs Uncut where Sophos experts regularly publish their latest research and breakthrough findings. Threat researchers and IT managers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

Human-led threat hunting and response help to identify and mitigate new and unknown threats. At Sophos,  these experts are available through Sophos Managed Threat Response and Sophos Rapid Response services.

About Sophos

Sophos is a worldwide leader and innovator of advanced cybersecurity solutions, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies that help organizations defeat cyberattacks. As one of the largest pure-play cybersecurity providers, Sophos defends more than 500,000 organizations and more than 100 million users globally from active adversaries, ransomware, phishing, malware, and more. Sophos’ services and products connect through its cloud-based Sophos Central management console and are powered by Sophos X-Ops, the company’s cross-domain threat intelligence unit. Sophos X-Ops intelligence optimizes the entire Sophos Adaptive Cybersecurity Ecosystem, which includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity and information technology vendors. Sophos provides cybersecurity-as-a-service to organizations needing fully-managed, turnkey security solutions. Customers can also manage their cybersecurity directly with Sophos’ security operations platform or use a hybrid approach by supplementing their in-house teams with Sophos’ services, including threat hunting and remediation. Sophos sells through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.