Today > | 13 High | 29 Medium | 8 Low vulnerabilities   -   You can now download lists of IOCs here!

Side Loading through IObit against Colombia

May 29, 2024, 11:30 a.m.

Description

In May 2024, researchers detected a phishing campaign impersonating the Colombian Attorney General's Office, aiming to infect systems with AsyncRAT malware. The attack employs a ZIP file containing legitimate IObit antivirus software and malicious files, utilizing DLL side-loading for execution. While sharing similarities with APT-C-36, the kill-chain differs from their previous campaigns, suggesting modified tactics. The infection chain involves the legitimate IObit executable loading a malicious DLL, creating processes for code injection, and ultimately deploying AsyncRAT via process hollowing. Persistence mechanisms include a startup link file and scheduled task.

Date

Published: May 29, 2024, 11:06 a.m.

Created: May 29, 2024, 11:06 a.m.

Modified: May 29, 2024, 11:30 a.m.

Indicators

d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50

372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12

1dd7ae853911217095d2254337bedecee7267eea1ac9d0840eaf13506f40c9ab

Attack Patterns

HijackLoader

AsyncRAT

APT-C-36

T1547.003

T1053.007

T1218.005

T1053.005

T1218.011

T1218.007

T1059.005

T1059.001

T1547.001

T1548.003

Additional Informations

Colombia