A new Chinese APT group, tracked as KilllSomeOne, has emerged and is targeting organizations in Myanmar.
Sophos researchers have discovered a new Chinese APT group, tracked as KilllSomeOne. The advanced cyber-espionage group targets organizations in Myanmar with DLL side-loading attacks.
The name KilllSomeOne comes from the string “KilllSomeOne”, which appears in the group’s DLL side-loading samples. The group also uses poorly written English messages on political themes.
DLL side-loading abuses the way Microsoft Windows applications search for and load Dynamic Link Library (DLL) files. In this type of attack, the malware drops a malicious DLL carrying the name of a legitimate one in a location such as the Windows WinSxS folder, so that the operating system loads it instead of the legitimate file.
This technique has been used by Chinese APT groups since 2013 and has since been adopted by other cybercriminal gangs in attacks in the wild.
According to Sophos researchers, the KilllSomeOne campaigns combine four different types of side-loading attacks.
“We have identified four different side-loading scenarios used by the same threat actor. Two of them delivered a payload carrying a simple shell, while the other two delivered a more complex set of malware. Combinations of the two sets were used in the same attacks.” reads the analysis published by Sophos.
All four attack types share the same PDB path, and several of the samples attributed to the attackers also contain the KilllSomeOne folder name.
In the first attack scenario, the attackers abuse a Microsoft antivirus component to load the mpsvc.dll file, which acts as a loader for the Groza_1.dat file. The payload is encrypted with a simple XOR algorithm using the string Hapenexx as the key.
In the second attack scenario, the attackers use a sample that abuses AUG.exe to side-load dismcore.dll. The APT group uses the same payload and key as in the previous scenario; the only difference is that the file name and the decryption key are themselves obfuscated with a one-byte XOR.
In both cases the payload is stored in the Groza_1.dat file. Its content is PE loader shellcode that decodes the final payload, loads it into memory and executes it. The first stage of the loader code contains an unused string, American USA.
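The two loader scenarios above differ only in how the key and file name are stored, so one small helper covers both. The following is an added example written for this page, not code from the original article or from Sophos: it implements repeating-key XOR with the key "Hapenexx" as the article describes it, and a one-byte XOR brute force for the second scenario, where the file name and key are stored obfuscated. The sample bytes, the demo key byte 0x5A and the "stand-in" plaintext are constructed for the demo; real Groza_1.dat content is shellcode that is not reproduced here.

```python
"""XOR helpers for the two KilllSomeOne loader scenarios described above.

Added example (not code from the original article or from Sophos). It
assumes the scheme as the article describes it: Groza_1.dat is XORed with
the repeating key "Hapenexx", and in the second scenario the file name and
key strings are themselves obfuscated with a single XOR byte. All sample
bytes below are constructed for the demo, not real malware data.
"""
import string

KEY = b"Hapenexx"  # key named in the article for Groza_1.dat

# Characters an analyst would accept in a recovered file name or key string.
_STRICT = set((string.ascii_letters + string.digits + "._-").encode())


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so the same call
    encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_single(data: bytes, k: int) -> bytes:
    """XOR every byte with one key byte (the obfuscation the article
    describes for the file name and key in the second scenario)."""
    return bytes(b ^ k for b in data)


def brute_single_byte(blob: bytes) -> dict:
    """Try all 256 one-byte keys and keep those whose output consists only
    of file-name-like characters. Returns {key_byte: plaintext}. Several
    keys may survive for short strings; the analyst picks the one that
    yields a sensible name (e.g. one ending in '.dat')."""
    return {k: xor_single(blob, k)
            for k in range(256)
            if all(b in _STRICT for b in xor_single(blob, k))}


def decrypt_dat(blob: bytes, key: bytes = KEY) -> bytes:
    """Decrypt a .dat payload file with the repeating-key XOR scheme."""
    return xor_repeating(blob, key)


def recover_scenario2(obf_name: bytes, obf_key: bytes, blob: bytes) -> dict:
    """Undo the one-byte XOR on the stored name and key, then decrypt the
    payload with the recovered key. Only key bytes that turn *both* strings
    into file-name-like text are kept, which prunes most false candidates.
    Returns {key_byte: (file_name, xor_key, decrypted_payload)}."""
    names = brute_single_byte(obf_name)
    keys = brute_single_byte(obf_key)
    return {k: (names[k], keys[k], xor_repeating(blob, keys[k]))
            for k in names.keys() & keys.keys()}


# --- constructed demo data (not real samples) -------------------------------
SAMPLE_PLAINTEXT = b"PE loader shellcode stand-in"      # stands in for the .dat content
SAMPLE_DAT = xor_repeating(SAMPLE_PLAINTEXT, KEY)       # what would sit on disk
DEMO_K = 0x5A                                           # demo one-byte XOR key
OBF_NAME = xor_single(b"Groza_1.dat", DEMO_K)           # obfuscated file name
OBF_KEY = xor_single(KEY, DEMO_K)                       # obfuscated XOR key


if __name__ == "__main__":
    print(decrypt_dat(SAMPLE_DAT))
    for k, (name, key, pt) in recover_scenario2(OBF_NAME, OBF_KEY, SAMPLE_DAT).items():
        print(hex(k), name, key, pt[:16])
```

Run it as a script to see the decrypted stand-in payload and the surviving one-byte-key candidates; on a real sample you would replace the constructed `SAMPLE_DAT`, `OBF_NAME` and `OBF_KEY` with bytes carved from the loader and the .dat file.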
The other two KilllSomeOne side-loading variants deliver the installer for a simple shell, using two different payload files named adobe.dat and x32bridge.dat. The executables generated from these two files are essentially the same, and both carry the same PDB path:
C:\Users\guest\Desktop\Recent Work\UUU_P\KilllSomeOne.1\Function_hex\hex\Release\hex.pdb
Both of these variants use the string HELLO_USA_PRISIDENT as the encryption key.
The payload is used to deploy the installer and the additional components for further DLL side-loading attacks into a series of directories, and to set the hidden and system attributes on the dropped files.
The installer then terminates the executable used in the initial stage of the attack and launches a new instance of explorer.exe to side-load the dropped DLL components, Sophos explains. This is an attempt to conceal the execution.
The malware also kills running processes whose names start with AAM and deletes the corresponding files in C:\ProgramData and C:\Users\All Users. This behaviour is intended to remove a mechanism that would otherwise prevent this type of infection.
Before exfiltrating data, the malicious code performs several actions to ensure persistence, including creating a scheduled task that runs the side-loaded executable from which the installation was started:
schtasks /Create /sc Minute /mo 5 /tn LKUFORYOU_1 /tr
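The side-loading technique described earlier and the installer behaviour above (a dropped DLL loaded from an unusual directory, a fresh explorer.exe spawned by the installer, a scheduled task firing every few minutes) are all visible in endpoint telemetry. The following is an added example, not code from the original article or from Sophos: three hunting rules run over constructed Sysmon-style events (dicts standing in for Event ID 7 ImageLoad and Event ID 1 ProcessCreate records). The trusted directory roots, the baseline parents of explorer.exe, the process paths in the sample events and the /tr target in the sample command line are assumptions for the demo; only the DLL names, the task name and the schedule come from the article.

```python
"""Hunting rules for the KilllSomeOne side-loading and installer behaviour.

Added example, not code from the original article or from Sophos. Runs
over constructed Sysmon-style events and flags: a watch-listed DLL loaded
from an untrusted directory, explorer.exe spawned by an unexpected parent,
and schtasks /Create with a minute-level trigger. Trusted roots, baseline
parents and the sample paths are assumptions for the demo.
"""
from pathlib import PureWindowsPath

SIDELOAD_DLLS = {"mpsvc.dll", "dismcore.dll"}      # DLL names from the article
TRUSTED_ROOTS = (                                   # assumed legitimate locations
    r"c:\windows\system32", r"c:\windows\syswow64",
    r"c:\program files", r"c:\program files (x86)",
)
EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}  # assumed baseline
KNOWN_TASK = "lkuforyou_1"                          # task name from the article
MAX_MINUTES = 10                                    # /sc minute /mo <= this is suspicious


def _under_trusted(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def _arg_after(args, flag):
    """Value following a flag in a tokenised command line, or None."""
    try:
        return args[args.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def rule_sideload(ev):
    """Watch-listed DLL name loaded from a directory outside the trusted roots."""
    if ev.get("event") != "ImageLoad":
        return None
    dll = PureWindowsPath(ev["image_loaded"])
    if dll.name.lower() in SIDELOAD_DLLS and not _under_trusted(str(dll)):
        return f"sideload: {dll.name} loaded from {dll.parent} by {ev['image']}"
    return None


def rule_explorer_parent(ev):
    """explorer.exe started by something other than the usual shell parents."""
    if ev.get("event") != "ProcessCreate":
        return None
    if PureWindowsPath(ev["image"]).name.lower() != "explorer.exe":
        return None
    parent = PureWindowsPath(ev["parent_image"]).name.lower()
    if parent not in EXPLORER_PARENTS:
        return f"explorer.exe spawned by unexpected parent {ev['parent_image']}"
    return None


def rule_schtasks(ev):
    """schtasks /Create with a short minute trigger or the known task name."""
    if ev.get("event") != "ProcessCreate":
        return None
    if PureWindowsPath(ev["image"]).name.lower() != "schtasks.exe":
        return None
    args = ev["command_line"].lower().split()
    if "/create" not in args:
        return None
    sc, mo, tn = (_arg_after(args, f) for f in ("/sc", "/mo", "/tn"))
    reasons = []
    if sc == "minute" and mo is not None and mo.isdigit() and int(mo) <= MAX_MINUTES:
        reasons.append(f"runs every {mo} min")
    if tn == KNOWN_TASK:
        reasons.append("task name matches known indicator")
    return "schtasks persistence: " + "; ".join(reasons) if reasons else None


RULES = (rule_sideload, rule_explorer_parent, rule_schtasks)


def run_rules(events):
    """Apply every rule to every event; return the list of findings in order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry (paths and the /tr target are invented for the demo).
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "image": r"C:\Users\Public\Libraries\AUG.exe",
     "image_loaded": r"C:\Users\Public\Libraries\dismcore.dll"},
    {"event": "ImageLoad", "image": r"C:\Windows\System32\Dism\dism.exe",
     "image_loaded": r"C:\Windows\System32\Dism\dismcore.dll"},        # benign
    {"event": "ProcessCreate", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Users\Public\Libraries\AUG.exe", "command_line": "explorer.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\Public\Libraries\AUG.exe",
     "command_line": r'schtasks /Create /sc Minute /mo 5 /tn LKUFORYOU_1 /tr "C:\Users\Public\Libraries\AUG.exe"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "schtasks /Create /sc Daily /tn Backup /tr backup.cmd"},  # benign
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The side-load rule keys on the DLL's directory rather than on the hosting executable, since the article's point is that a legitimate signed binary does the loading; tune `TRUSTED_ROOTS` to your estate before deploying, because a loosely chosen root (or a DLL that legitimately lives in WinSxS) will otherwise produce noise.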
Sophos researchers believe that the TTPs adopted by the attackers are consistent with those of sophisticated APT groups.
“Based on our analysis, it is not clear whether this group will return to more traditional implants such as PlugX or continue to work with their own code,” Sophos concludes. “We will continue to monitor their activities to see how they develop.”
(SecurityAffairs – hacking, KilllSomeOne)