Our analysis of a targeted attack that used a language-specific word processor shows why it's important to understand and protect against small-scale and localized attacks as well as broad-scale malware campaigns. The attack exploited a vulnerability in InPage, a word processor for languages such as Urdu, Persian, Pashto, and Arabic. More than 75% of the targets were located in Pakistan; however, the attack also found its way into some countries in Europe and the US. The targets included government institutions.

Figure 1.

In the past, researchers at Palo Alto and Kaspersky have blogged about attacks that use malicious InPage documents. Beyond that, public research on these types of attacks has been limited. The Office 365 Research and Response team discovered this type of targeted attack in June.

The attack was orchestrated using the following approach:

- A spear-phishing email carrying a malicious InPage document with the file name hafeez saeed speech on 22nd April.inp was sent to the intended victims.
- The malicious document, which contained exploit code for CVE-2017-12824, a buffer-overflow vulnerability in InPage, dropped a legitimate but outdated version of VLC media player that is vulnerable to DLL hijacking.
- The side-loaded malicious DLL called back to a command-and-control (C&C) site, which triggered the download and execution of the final malware, encoded in a JPEG file format.
- The final malware allowed attackers to remotely execute arbitrary commands on the compromised machine.

Office 365 Advanced Threat Protection (ATP) protects customers from this attack by detecting the malicious InPage attachment in the spear-phishing emails used in the campaign. Office 365 ATP inspects email attachments and links for malicious content and provides real-time protection against attacks. Office 365 ATP leverages massive threat intelligence from different data sources and integrates signals from multiple services such as Windows Defender ATP and Azure ATP. For example, Windows Defender Antivirus detects the malicious files and documents used in this attack. Additionally, endpoint detection and response (EDR) capabilities in Windows Defender ATP detect the DLL side-loading and malicious behavior observed in this attack. Through the integration of Office 365 ATP and the rest of Microsoft security technologies in Microsoft Threat Protection, detection and remediation are orchestrated across our solutions.

Entry point: Malicious InPage document

An email with a malicious InPage lure document attached was sent to select targets. The document exploits CVE-2017-12842, a vulnerability in InPage that allows arbitrary code execution. When the malicious InPage document is opened, it executes shellcode that decrypts and executes an embedded malicious DLL file. The decryption routine is a simple XOR function that uses the decryption key "27729984h".

Figure 3. First DLL decryption function

Stage 1: DLL side-loading and C&C communication

The decrypted malicious DLL contains two files embedded in its PE resources section. The first resource, named 200, is a legitimate version of VLC media player (Product Version: 2.2.1.0, File Version: 2.2.1). The second resource, named 400, is a DLL hijacker that impersonates the legitimate file Libvlc.dll. When run, the stage 1 malware drops both the VLC media player executable and the malicious Libvlc.dll in the %TEMP% folder, and then runs the VLC media player process. The vulnerable VLC media player process searches for the dropped file Libvlc.dll in the directory from which it was loaded. It subsequently picks up and loads the malicious DLL and executes its malicious function.

Figure 4. Functions imported from Libvlc.dll by the VLC media player process

Figure 5. Functions exported by the malicious Libvlc.dll
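The side-loading pattern described above, a relocated executable resolving Libvlc.dll from its own %TEMP% directory, is the kind of thing image-load telemetry can surface. The following Python is an added example, not code from the original analysis or from Microsoft: it scores constructed Sysmon-style image-load records, and the record fields, the user-writable directory list and the severity scheme are all assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories a standard user can write to (assumed list). An executable and its
# "library" sitting side by side in one of these is the %TEMP% pattern above.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# DLL names known to be resolved from the host's own directory; only Libvlc.dll
# is on the page, extend as needed.
WATCHED_DLLS = {"libvlc.dll"}


@dataclass
class ImageLoad:
    """One image-load record (field names modelled on Sysmon event 7; assumed)."""
    process_image: str  # full path of the loading process (e.g. the dropped VLC copy)
    image_loaded: str   # full path of the DLL that was mapped into it
    signed: bool        # whether the DLL carried a valid Authenticode signature


def classify(ev: ImageLoad) -> Optional[str]:
    """Return 'high', 'medium' or None for one record.

    The core signal is co-location: the DLL was resolved from the directory the
    process runs from, and that directory is user-writable (like %TEMP%).
    """
    proc_dir = ntpath.dirname(ev.process_image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    if proc_dir != dll_dir or not proc_dir.startswith(USER_WRITABLE_PREFIXES):
        return None
    name = ntpath.basename(ev.image_loaded).lower()
    return "high" if (name in WATCHED_DLLS or not ev.signed) else "medium"


def find_sideloads(events: List[ImageLoad]) -> List[Tuple[str, ImageLoad]]:
    """Return (severity, record) for every record matching the pattern."""
    hits = []
    for ev in events:
        sev = classify(ev)
        if sev is not None:
            hits.append((sev, ev))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\vlc.exe",              # the attack
              r"C:\Users\victim\AppData\Local\Temp\Libvlc.dll", signed=False),
    ImageLoad(r"C:\Program Files\VideoLAN\VLC\vlc.exe",                   # normal install
              r"C:\Program Files\VideoLAN\VLC\libvlc.dll", signed=True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\setup.exe",            # system DLL
              r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\tool.exe",             # co-located, signed
              r"C:\Users\victim\AppData\Local\Temp\helper.dll", signed=True),
]

if __name__ == "__main__":
    for sev, ev in find_sideloads(SAMPLE_EVENTS):
        print(f"[{sev}] {ev.process_image} loaded {ev.image_loaded}")
```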