Hackers use AppDomainManager Injection to Execute Malware


Cybersecurity experts have observed a surge in attacks leveraging a relatively unknown technique known as AppDomainManager Injection to execute malware on Windows systems.

Although the concept was publicly introduced in 2017, and several proof-of-concepts and explanatory blogs have been published since then, actual cases of its exploitation have been rare.


Recent incidents, however, suggest a potential increase in its use, possibly by nation-state-sponsored groups.

Attack Flow and Techniques

The attacks typically begin with the distribution of a ZIP file, either downloaded from a malicious website or attached to a spear phishing email. Inside the ZIP file is a malicious MSC file, which, when opened, triggers the attack.

A notable technique employed in these attacks is “GrimResource,” which allows malicious actions to be executed without requiring the user to click on any links within the MSC file.

Attack flow diagram. Source: NTT

These malicious MSC files are often disguised with icons resembling PDF or Windows certificate files, complicating detection by users.

The files exploit apds.dll using GrimResource to execute embedded JavaScript code, ultimately leading to the execution of a legitimate Microsoft binary, oncesvc.exe, with a malicious configuration.

According to the NTT report, although it is somewhat obfuscated, the final VBScript code that executes downloads and saves four files and then runs oncesvc.exe, which is the legitimate Microsoft dfsvc.exe with only the file name changed.


AppDomainManager Injection Explained

AppDomainManager Injection exploits the .NET Framework’s version redirection feature. By creating a configuration file (oncesvc.exe.config) with specific settings, attackers can manipulate a legitimate EXE file to load an external, malicious DLL.

This DLL contains a class inheriting from the AppDomainManager class, allowing attackers to execute harmful actions via the InitializeNewDomain function.

This technique is known among cybersecurity professionals but is not widely recognized in actual attack scenarios. It makes the malicious behavior appear as if it originates from a legitimate EXE file, complicating detection efforts.
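A defender's check for the configuration file described above, written as an added example (not code from the article or from NTT): it parses a .NET application config and flags the runtime elements that select a custom AppDomainManager, then extends that to a directory sweep of *.exe.config files. The element names are the documented .NET runtime settings; the sample config contents and placeholder values are constructed.

```python
"""Scan .NET *.exe.config files for AppDomainManager overrides.

A .NET application config can direct the runtime to load an arbitrary
assembly as the AppDomainManager for the process. Legitimate software
almost never sets this, so its presence next to a signed Microsoft
binary (such as the renamed dfsvc.exe above) is a strong hunting signal.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Documented .NET runtime config elements that select the AppDomainManager.
SUSPECT_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")

def find_appdomainmanager_overrides(config_xml: str) -> dict:
    """Return {element: value} for AppDomainManager settings in the config.
    An empty dict means the config does not override the AppDomainManager."""
    found = {}
    runtime = ET.fromstring(config_xml).find("runtime")
    if runtime is None:
        return found
    for elem in runtime:
        tag = elem.tag.split("}", 1)[-1]  # tolerate a namespace prefix
        if tag in SUSPECT_ELEMENTS:
            found[tag] = elem.get("value", "")
    return found

def scan_directory(directory: Path) -> list:
    """Scan every *.exe.config under directory; return (path, findings) per hit."""
    hits = []
    for cfg in directory.rglob("*.exe.config"):
        try:
            findings = find_appdomainmanager_overrides(cfg.read_text(encoding="utf-8-sig"))
        except (OSError, ET.ParseError):
            continue  # unreadable or malformed; the runtime would not honor it either
        if findings:
            hits.append((cfg, findings))
    return hits

# Constructed samples: a benign binding redirect and an AppDomainManager override.
BENIGN_CONFIG = """<?xml version="1.0"?><configuration><runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"><dependentAssembly>
    <bindingRedirect oldVersion="1.0.0.0" newVersion="2.0.0.0"/>
  </dependentAssembly></assemblyBinding></runtime></configuration>"""
SUSPECT_CONFIG = """<?xml version="1.0"?><configuration><runtime>
  <appDomainManagerAssembly value="PLACEHOLDER_ASSEMBLY_NAME"/>
  <appDomainManagerType value="PLACEHOLDER_TYPE_NAME"/>
</runtime></configuration>"""
```

Any hit from scan_directory deserves a look at the referenced assembly in the same folder; the same settings can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which this file-based check does not cover.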

The recent attacks have been linked to the use of CobaltStrike beacons, a tool often associated with advanced persistent threats (APTs).

Analysis suggests similarities with tactics used by APT41, a group known for targeting government and military organizations in Asia. Potential targets in this campaign include government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam.

The relative obscurity and effectiveness of AppDomainManager Injection make it a potent tool for attackers, particularly those backed by nation-states.

Cybersecurity experts recommend that organizations enhance their detection capabilities to identify such attacks, since the technique is more challenging to detect than conventional DLL side-loading.

The exploitation of AppDomainManager Injection in recent malware attacks highlights the evolving landscape of cyber threats. As attackers continue to innovate, understanding and mitigating such techniques becomes crucial for organizations worldwide.

Regularly analyzing malware and updating signatures for new threats, together with heightened vigilance and proactive security measures, are essential to counter these sophisticated threats.

Indicators of Compromise (IoC)

