Side Loading through IObit against Colombia
May 29, 2024, 11:30 a.m.
Description
In May 2024, researchers detected a phishing campaign impersonating the Colombian Attorney General's Office, aiming to infect systems with AsyncRAT malware. The attack employs a ZIP file containing legitimate IObit antivirus software alongside malicious files, using DLL side-loading for execution. While it shares similarities with APT-C-36, the kill chain differs from that group's previous campaigns, suggesting modified tactics. The infection chain involves the legitimate IObit executable loading a malicious DLL, creating processes for code injection, and ultimately deploying AsyncRAT via process hollowing. Persistence mechanisms include a startup link file and a scheduled task.
Date
Published: May 29, 2024, 11:06 a.m.
Created: May 29, 2024, 11:06 a.m.
Modified: May 29, 2024, 11:30 a.m.
Indicators
d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
1dd7ae853911217095d2254337bedecee7267eea1ac9d0840eaf13506f40c9ab
Attack Patterns
HijackLoader
AsyncRAT
APT-C-36
T1547.003
T1053.007
T1218.005
T1053.005
T1218.011
T1218.007
T1059.005
T1059.001
T1547.001
T1548.003
Additional Information
Colombia