We discovered a new campaign by Earth Longzhi (a subgroup of APT41) that targets organizations based in Taiwan, Thailand, the Philippines, and Fiji. This recent campaign, which follows months of dormancy, abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard64.sys, to disable security products installed on the hosts via a bring-your-own-vulnerable-driver (BYOVD) attack. We also found that Earth Longzhi uses a new way to disable security products, a technique we’ve dubbed “stack rumbling” via Image File Execution Options (IFEO), which is a new denial-of-service (DoS) technique. In addition, we’ve noticed that this campaign installs drivers as kernel-level services by using Microsoft Remote Procedure Call (RPC) instead of using general Windows application programming interfaces (APIs). This is a stealthy way to evade typical API monitoring.

We also found some interesting samples in our investigation that contained information not only on Earth Longzhi’s potential targets, but also techniques for possible use in future campaigns. This blog entry seeks to forewarn readers that Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs).

Attack vectors

Earth Longzhi’s new campaign samples showed a tendency to exploit public-facing applications, Internet Information Services (IIS) servers, and Microsoft Exchange servers to install Behinder, a well-known web shell, rather than send pieces of document-based malware through email. As seen in this campaign, Behinder proved to be a powerful web shell variant that can support multiple backdoor functions, including file operation, remote command execution (RCE), interactive shell, and Socks5 proxy. Malicious actors use this web shell to discover intranet information and deploy other pieces of malware and hacking tools on a compromised machine.

We listed the targeted processes for termination here. Note that many of these processes are for various security products:

Once the process termination is completed, SPHijacker disables process execution by forcefully causing the targeted applications to crash upon launching, a technique we referred to earlier as stack rumbling. This technique is a type of DoS attack that abuses undocumented MinimumStackCommitInBytes values in the IFEO registry key via the following steps:

1. Modifying the registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
2. Creating a new value, MinimumStackCommitInBytes, with 0x88888888 as its data. Any value deemed large enough is acceptable.
3. Waiting for the next process launch to take place. It’s important to note that this depends on whether the targeted process is antivirus-related. There is usually a need to wait for the operating system to reboot.
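As an added defender-side example (not code from the original post or from Trend Micro's tooling), the following Python audits an exported IFEO registry key for the undocumented MinimumStackCommitInBytes value that the stack rumbling steps above rely on. The minimal .reg parser, the 256 MB severity threshold and the sample export with placeholder image names are all assumptions constructed for this example.

```python
import re

# IFEO key the page describes; the campaign sets MinimumStackCommitInBytes
# (0x88888888 in the samples) in a per-image subkey beneath it.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
LARGE_COMMIT = 0x10000000  # assumed threshold (256 MB): no legitimate use above this

def parse_reg_export(text):
    """Minimal .reg parser: [key] headers and "name"=data lines."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def find_stack_rumbling(text):
    """Report every IFEO image with MinimumStackCommitInBytes set. The value is
    undocumented, so any occurrence is worth review; oversized or unparsable data is high."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        raw = values.get("MinimumStackCommitInBytes")
        if raw is None:
            continue
        m = re.fullmatch(r"dword:([0-9a-fA-F]{1,8})", raw)
        commit = int(m.group(1), 16) if m else None
        high = commit is None or commit >= LARGE_COMMIT
        findings.append({"image": key.rsplit("\\", 1)[-1],
                         "commit_bytes": commit,
                         "severity": "high" if high else "medium"})
    return findings

# Constructed sample export; image names are placeholders, not the campaign's targets.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"MinimumStackCommitInBytes"=dword:88888888

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\legit_tool.exe]
"MinimumStackCommitInBytes"=dword:00010000
"""
```

Running `find_stack_rumbling(SAMPLE_EXPORT)` reports example_av.exe as high (0x88888888) and legit_tool.exe as medium; feed it the output of `reg export` of the IFEO key from hosts under review.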