AppDomainManager Injection Technique Used to Execute Malware on Windows
Aug. 26, 2024, 1:34 p.m.
Description
Cybersecurity specialists have observed an escalation in attacks employing the AppDomainManager Injection technique, which abuses the .NET Framework's configuration-based version redirection feature to make legitimate EXE files load malicious DLLs. These attacks commonly begin with a ZIP file containing a malicious MSC file that triggers the execution of embedded JavaScript code, ultimately leading to the execution of a legitimate Microsoft binary with a malicious configuration file. This relatively obscure technique, previously rare in real-world attacks, is now being used more frequently, potentially by nation-state-sponsored groups targeting government agencies, military organizations, and energy companies in Asia.
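The configuration file the description refers to is a .NET Framework `<name>.exe.config` placed beside a legitimate executable; its `<runtime>` section can name an `appDomainManagerAssembly` and `appDomainManagerType` that the CLR loads before the executable's own entry point runs. The following triage script is an added example written for this page, not code from the advisory or its source: it parses such config files, reports any AppDomainManager entries, and walks a directory tree for `*.exe.config` files that set one. The two embedded config samples, the `EXAMPLE_Manager` assembly name and the `EXAMPLE.Loader` type name are constructed placeholders, not indicators from the report.

```python
"""Triage .NET *.exe.config files for AppDomainManager redirection entries.

Added example for this page (not from the advisory). A <name>.exe.config
dropped next to a legitimate .NET executable can, via the real runtime
settings appDomainManagerAssembly / appDomainManagerType, make the CLR load
an attacker-supplied assembly before Main() runs. This script flags configs
that set those elements so a responder can review them.
"""
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Documented .NET Framework <runtime> element names for the AppDomainManager.
APPDOMAIN_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

# Constructed sample configs (placeholders, not indicators from the report).
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>"""

SUSPECT_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="EXAMPLE_Manager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="EXAMPLE.Loader" />
  </runtime>
</configuration>"""


@dataclass
class Finding:
    path: str
    assembly: Optional[str] = None
    type_name: Optional[str] = None
    notes: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any AppDomainManager setting in a config deserves a look; very few
        # legitimate desktop applications ship one.
        return self.assembly is not None or self.type_name is not None


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def analyze_config(xml_text: str, path: str = "<inline>") -> Finding:
    """Parse one config file's text and collect AppDomainManager settings."""
    finding = Finding(path=path)
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        finding.notes.append(f"unparseable XML: {exc}")
        return finding
    # Walk every element rather than assuming the exact
    # <configuration><runtime> nesting, so oddly structured files are not missed.
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in APPDOMAIN_ELEMENTS:
            continue
        value = elem.get("value", "").strip()
        if name == "appDomainManagerAssembly":
            finding.assembly = value
        else:
            finding.type_name = value
    if finding.assembly and "publickeytoken=null" in finding.assembly.lower():
        # Weak signal: a manager assembly that is not strong-named is typical
        # of a dropped DLL rather than a vendor-shipped host component.
        finding.notes.append("manager assembly has PublicKeyToken=null")
    return finding


def scan_tree(root_dir: str) -> List[Finding]:
    """Return findings for every *.exe.config under root_dir worth reviewing."""
    results: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, fn)
            try:
                with open(full, "r", encoding="utf-8-sig", errors="replace") as fh:
                    text = fh.read()
            except OSError as exc:
                results.append(Finding(path=full, notes=[f"read error: {exc}"]))
                continue
            f = analyze_config(text, full)
            if f.suspicious or f.notes:
                results.append(f)
    return results


if __name__ == "__main__":
    targets = [analyze_config(BENIGN_CONFIG, "benign.exe.config"),
               analyze_config(SUSPECT_CONFIG, "suspect.exe.config")]
    if len(sys.argv) > 1:
        targets = scan_tree(sys.argv[1])
    for f in targets:
        flag = "REVIEW" if f.suspicious else "ok"
        print(f"{flag:6} {f.path} assembly={f.assembly!r} type={f.type_name!r} {'; '.join(f.notes)}")
```

Run it with a directory argument (for example a mounted image or a user profile) to list every `.exe.config` that names an AppDomainManager; without arguments it evaluates the two embedded samples. The element names are the documented .NET Framework runtime settings, so a hit is reliable; whether it is malicious still depends on the EXE it sits beside and on where the named assembly actually resides.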
Date
Published: Aug. 26, 2024, 1:09 p.m.
Created: Aug. 26, 2024, 1:09 p.m.
Modified: Aug. 26, 2024, 1:34 p.m.
Indicators
xtools.lol
visualstudio-microsoft.com
trendmicrotech.com
s3-microsoft.com
s3bucket-azure.online
s3cloud-azure.com
msn-microsoft.org
s2cloud-amazon.com
krislab.site
Attack Patterns
APT41
T1189
T1574
T1203
T1105
T1036
T1204
T1027
T1195
T1059
Additional Information
Energy
Defense
Government
Taiwan
Philippines