AppDomainManager Injection Technique Used to Execute Malware on Windows

Aug. 26, 2024, 1:34 p.m.

Description

Cybersecurity specialists have observed an escalation in attacks employing the AppDomainManager Injection technique, which exploits the .NET Framework's version redirection feature to manipulate legitimate EXE files and load malicious DLLs. These attacks commonly begin with a ZIP file containing a malicious MSC file that triggers the execution of embedded JavaScript code, ultimately leading to the execution of a legitimate Microsoft binary with a malicious configuration. This relatively obscure technique, previously rare in actual attacks, is now being utilized more frequently, potentially by nation-state-sponsored groups targeting government agencies, military organizations, and energy companies in Asia.
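As an added defender-side example (not part of this record): a small check that flags the AppDomainManager loader directives in a .NET application config file placed next to a legitimate executable. The `<appDomainManagerAssembly>`/`<appDomainManagerType>` runtime elements and the `APPDOMAIN_MANAGER_ASM`/`APPDOMAIN_MANAGER_TYPE` environment variables are the real .NET Framework settings the technique relies on; the sample config below is constructed.

```python
"""Flag AppDomainManager loader directives in a .NET <exe>.config file."""
import xml.etree.ElementTree as ET

# Constructed sample of a config that points the CLR at an attacker-controlled
# assembly; the element names are the real .NET Framework runtime settings.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Loader.Entry" />
  </runtime>
</configuration>
"""

CONFIG_DIRECTIVES = ("appDomainManagerAssembly", "appDomainManagerType")
ENV_DIRECTIVES = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")


def find_appdomainmanager_directives(config_xml: str) -> dict:
    """Return {element: value} for any AppDomainManager directive under <runtime>."""
    root = ET.fromstring(config_xml)
    runtime = root.find("runtime")
    if runtime is None:
        return {}
    findings = {}
    for tag in CONFIG_DIRECTIVES:
        element = runtime.find(tag)
        if element is not None:
            findings[tag] = element.get("value", "")
    return findings


def expected_loader_dll(findings: dict):
    """Derive the DLL file name the CLR will probe for from the assembly display name."""
    display_name = findings.get("appDomainManagerAssembly")
    if not display_name:
        return None
    return display_name.split(",", 1)[0].strip() + ".dll"


def check_environment(env: dict) -> dict:
    """The same hook can be set per process via environment variables; report any present."""
    return {name: env[name] for name in ENV_DIRECTIVES if name in env}


if __name__ == "__main__":
    hits = find_appdomainmanager_directives(SAMPLE_CONFIG)
    print("config directives:", hits)
    print("loader DLL to look for beside the EXE:", expected_loader_dll(hits))
```

Legitimate applications very rarely set these directives, so a hit in a config file that sits next to a signed Microsoft binary, together with the named DLL in the same directory, is worth reviewing.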

Date

  • Created: Aug. 26, 2024, 1:09 p.m.
  • Published: Aug. 26, 2024, 1:09 p.m.
  • Modified: Aug. 26, 2024, 1:34 p.m.

Indicators


Attack Patterns

  • APT41
  • T1189
  • T1574
  • T1203
  • T1105
  • T1036
  • T1204
  • T1027
  • T1195
  • T1059

Additional Information

  • Energy
  • Defense
  • Government
  • Taiwan
  • Philippines