ADVERTISEMENT

Taiwan government targeted by multiple cyberattacks in April 2020

Teenage Hacker Girl Attacks Corporate Servers in Dark, Typing on Red Lit Laptop Keyboard. Room is Da
Oct 21, 2020 Updated: 21 March 2022 4 min read
CyCraft AIR assigns Threat Level 10 to the most severe and most damaging malware.

Highlighted Tactics

  • DLL hijacking to stealthily trigger next stage malware
  • Enlarging binary size to bypass scanning protocols
  • Heaven’s Gate to avoid antivirus detection
  • Forcing DLLs to unload to obfuscate malware
  • Padding memory with Kernel32 content to confuse analyses

Network Level Activity

System Level Activity

DLL Hijacking

What is DLL Hijacking?

DLL Hijacking Flowchart
Next-Stage MalwareC[:]\PROGRAM FILES\XYZ\AGENT\ExportAgentConfig[.]datC[:]\Windows\PolicyDefinitions\TrayBar.admx
Malicious machinations are lurking within LOG4C.DLL
SECUFILE.DLL is up to no good. CyCraft AIR detected the malware within the DLL.

Increased Size

Size Matters

Windows IKEEXT Service Abuse

WLBSCTRL.DLL

Waterbear Loader Malware Analysis

File Metadata

filename: libgid.dll
md5: e3be074e0da9ba0c3201ceea4dd972d6
sha1: cd8f49e467cf2f630c7f3b38a2e4c30e7bac6466
sha256: e69690e4f94a60678aefc3adb80eef484bb5ca4285a2d3aabc1bb8d975fb7610
filetype: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
family: Waterbear Loader

Indicator

file_path: C[:]\Windows\PolicyDefinitions\TrayBar.admx
ADVERTISEMENT

RICH Header

What is Heaven’s Gate?

This antivirus evasion technique permits 32-bit malware to hide API calls by switching to a 64-bit environment. Malware typically remains hidden inside the loader making it difficult for the AV to detect.
While Heaven’s Gate was first considered to be an advanced technique, over the last decade the Heaven’s Gate exploit has been observed in more and more rootkits as well as other malware, such as the infamous Emotet trojan.
Even though usage of the Heaven’s Gate spread, Microsoft’s release of Control Flow Guard (CFG) in Windows 10 immediately hindered the exploit’s effectiveness as CFG prevented code jumps from WoW64 32-bit execution to native 64-bit code execution space. However, like most exploits, attackers still equip them when targeting legacy systems and the like — further demonstrating the need for organizations to update defenses early and update them often.

Behavior

  1. Waterbear Loader first checks whether the current execution context is WoW64, and looks for Winmgmt, sens, Wuauserv, LanmanServer to inject the shellcode.
  2. Then, Waterbear Loader uses xor to decrypt strings in file with key 0x2a361c78
  3. Waterbear Loader reads the encrypted payload. In this case: C:\Windows\PolicyDefinitions\TrayBar.admx
  4. Then uses RC4 to decrypt it with key: 690c402f435878175d454028455a751b5372791e4358750c4359720b76626e1953747d0a0457781552361c78
  5. In an attempt to further confuse analysis, Waterbear Loader padded contents from Kernel32.dll in front of and behind their shellcode.
  6. Used x64_InjectShellcode to inject shellcode to the previously found service by Heaven’s Gate.
  7. In the end, the LdrData data is modified and forced to free the library by FreeLibraryAndExitThread.

MITRE ATT&CK®

Persistence

Privilege Escalation

Defense Evasion

Lateral Movement

IOCs

IOCS                                 NAME30DDEFC3093AFD7075A74BE30A381A3D     SQLWVSS.DLLC6EE3CEED5ADA7EE23FEB0E0CEA95193     IGTERM.DLL8B4631B618D2B516A3D3EBC38B25D267     OCI.DLL2FAAFC5D2C4BC6DE4D0B73B34FB7B379     SECUFILE.DLL E3BE074E0DA9BA0C3201CEEA4DD972D6     LIBGID.DLL F44805399017DAECF9E37F7190BCF699     WLBSCTRL.DLL F10034D1D8F90F36FEA602A4128BAEBC     SQLWVSS_NT.DLL 49D6C7FD1D47F345F64EEA6DA8591084     LOG4C.DLL AE63EBAE30678DA8A7314A9427747BBE     LIBGID.DLL 48AA2A38E5125C4E0E4A069C473F67FC     LOG4C.DLL

Mitigation

ADVERTISEMENT