Side Loading through IObit against Colombia

May 29, 2024, 11:30 a.m.

Description

In May 2024, researchers detected a phishing campaign impersonating the Colombian Attorney General's Office, aiming to infect systems with AsyncRAT malware. The attack delivers a ZIP archive containing a legitimate IObit antivirus executable alongside malicious files, and uses DLL side-loading for execution. While the campaign shares similarities with APT-C-36, its kill chain differs from that group's previous campaigns, suggesting modified tactics. The infection chain involves the legitimate IObit executable loading a malicious DLL, which creates processes for code injection and ultimately deploys AsyncRAT via process hollowing. Persistence mechanisms include a startup link file and a scheduled task.

Date

  • Created: May 29, 2024, 11:06 a.m.
  • Published: May 29, 2024, 11:06 a.m.
  • Modified: May 29, 2024, 11:30 a.m.

Indicators

  • d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
  • 372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
  • 1dd7ae853911217095d2254337bedecee7267eea1ac9d0840eaf13506f40c9ab

Attack Patterns

  • HijackLoader
  • AsyncRAT
  • APT-C-36
  • T1547.003
  • T1053.007
  • T1218.005
  • T1053.005
  • T1218.011
  • T1218.007
  • T1059.005
  • T1059.001
  • T1547.001
  • T1548.003

Additional Information

  • Colombia