A malicious ISO image named Servicenow-BNM-Verify.iso was uploaded to VirusTotal from Malaysia with almost no detections.
The image contains four files—two openly visible and two hidden. The visible files include a Windows shortcut, servicenow-bnm-verify.lnk, which launches PanGpHip.exe, a legitimate Palo Alto Networks binary.
Hidden in the same ISO are libeay32.dll, a genuine OpenSSL library, and libwaapi.dll, a malicious DLL side-loaded by the Palo Alto executable.
servicenow-bnm-verify.lnk reveals key forensic metadata: the author’s machine (desktop-rbg1pik), username (john.GIB), and link creation timestamp of August 25, 2025, indicating the actor’s development environment, as per a report by Researcher.
Although the shortcut’s target path points to an “excluded” directory that does not exist on victim machines, the LNK file gracefully falls back to its own directory, ensuring PanGpHip.exe executes whenever the ISO is mounted.
DLL Side-Loading and Payload Injection
The core of the attack lies in libwaapi.dll. This library exports only one code-bearing function, wa_api_setup, which first hides the console window by invoking Windows GUI APIs.
It then checks for a mutex named 47c32025. If the mutex is absent, wa_api_setup calls a function we’ve renamed fn_payload_injection, which carries out in-memory payload injection.
That function computes the SHA-256 hash of the string “rdfY*&689uuaijs,” using the result as an RC4 key.
It deobfuscates the string “chakra.dll,” loads the legitimate Windows DLL from C:WindowsSystem32, locates its first executable section, makes it writable, zeros its contents, and base64-decodes a hidden payload stored in the DLL’s .data section.
After decrypting the data with RC4, it validates the payload’s integrity against a hard-coded SHA-256 value. If the check passes, memory permissions are restored and execution transfers into the injected payload.
The injected shellcode unpacks an embedded DLL via RtlDecompressBuffer using the LZNT1 algorithm with maximum compression.
The resulting DLL bears a fabricated timestamp of May 5, 1984, and implements its malicious behavior in its DllUnload export.
Initial analysis indicates module unhooking to evade detection. This final payload enters a loop that sends victim data to logsapi.azurewebsites[.]net/api/logs, hosting Azure Functions as its command and control backend.
By abusing Azure Functions, the threat actor leverages a scalable, serverless environment with event-driven triggers and bindings.
The malware sends an XML-formatted payload containing system metadata—architecture, uptime, OS build, computer and user names, running process, and other details.
This information is encrypted before transit but can be captured in its pre-encryption form, revealing the actor’s intent to profile compromised hosts precisely.
A similar DLL, sharing the same imphash, appeared on VirusTotal from Singapore on September 5, 2025, indicating a campaign spanning multiple regions.
Ongoing deobfuscation aims to reveal additional payload capabilities. A follow-up analysis will explore persistence mechanisms and any lateral movement routines discovered within this sophisticated Azure Functions-backed infrastructure.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
