
KilllSomeOne Malware

A group of targeted attacks against non-governmental and other organizations based in Myanmar has been detected by malware researchers. While they have not been able to pinpoint the exact identity of the threat actor responsible for the attacks, enough evidence has been uncovered to suggest the involvement of a Chinese APT group.

Four different scenarios have so far been recorded as part of the harmful operations. All of them involve DLL side-loading techniques, reference a similar PDB path, and use a folder named KillSomeOne. The code quality and sophistication vary greatly between the attacks: some rely on simple coding and even contain almost amateurish messages hidden in their samples. At the same time, the highly targeted nature of the operation and the way the malware payloads are deployed exhibit the characteristics of a serious APT (Advanced Persistent Threat) group.

The DLL Side-Loading and Threatening Payloads

The use of DLL side-loading is not a rare occurrence; the technique has been around since at least 2013. It involves a corrupted DLL file that spoofs a legitimate one. As a result, a legitimate Windows process or executable is exploited into loading and executing the corrupted code dropped by the threat actor.

In two of the four observed attack waves, the payload was stored in a file named Groza_1.dat. It is a PE loader shellcode that is responsible for decrypting the final payload, loading it into memory, and then executing it. This final payload consists of a DLL file carrying a simple remote command shell capable of connecting to a server with the 160.20.147.254 IP address on port 9999.

The other two KillSomeOne DLL side-loading scenarios were significantly more sophisticated. Instead of a simple shell, they involved a complex installer capable of establishing a persistence mechanism and preparing the environment for the delivery of the final payload. Although the payload files were different (adobe.dat and x32bridge.dat), they delivered nearly identical executables that also shared the same PDB path.
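As an added illustration (not code from the original entry or from the researchers it summarises), the following script shows how the indicators described above can be triaged in host telemetry: a DLL that carries the name of a Windows system library but loads from outside the system directories (the side-loading pattern), the payload file names Groza_1.dat, adobe.dat and x32bridge.dat, the KillSomeOne folder marker, and the command-shell endpoint 160.20.147.254:9999. The key=value event format mimics Sysmon field names but is constructed for this example, the sample records are constructed, and the list of system DLL names is an assumption that a real deployment would replace with a host baseline.

```python
"""
Added example, not part of the original threat entry: triage of
Sysmon-style event records for the KillSomeOne indicators described
in the write-up. Log format, sample records and the system DLL list
are constructed/assumed; the IoC values come from the entry itself.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the threat entry.
PAYLOAD_FILES = {"groza_1.dat", "adobe.dat", "x32bridge.dat"}
FOLDER_MARKER = "killsomeone"
C2_ENDPOINT = ("160.20.147.254", 9999)

# Directories from which a DLL with a Windows system name is expected to
# load. The same name loading from anywhere else is a side-loading signal.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed list for this illustration; derive it from a host baseline in practice.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "msvcr100.dll"}


def _basename(path: str) -> str:
    """Return the lower-cased final path component."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    return any(path.lower().startswith(d) for d in SYSTEM_DIRS)


def parse_event(line: str) -> Dict[str, str]:
    """Parse key=value pairs; values may be double-quoted to allow spaces."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    return {k.lower(): v.strip('"') for k, v in pairs}


def triage_event(ev: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings for one parsed event."""
    findings: List[str] = []
    kind = ev.get("event", "")

    if kind == "ImageLoad":
        image = ev.get("imageloaded", "")
        name = _basename(image)
        # Known system DLL name loaded from a non-system directory.
        if name in SYSTEM_DLL_NAMES and not _in_system_dir(image):
            findings.append(f"possible DLL side-loading: {name} loaded from {image}")

    if kind in ("FileCreate", "ImageLoad"):
        target = ev.get("targetfilename", ev.get("imageloaded", ""))
        if _basename(target) in PAYLOAD_FILES:
            findings.append(f"known payload file name: {target}")
        if FOLDER_MARKER in target.lower():
            findings.append(f"KillSomeOne folder marker in path: {target}")

    if kind == "NetworkConnect":
        dst = (ev.get("destinationip", ""), int(ev.get("destinationport", "0") or 0))
        if dst == C2_ENDPOINT:
            findings.append(f"connection to known command-shell endpoint {dst[0]}:{dst[1]}")

    return findings


def triage_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Run triage over a whole log; returns (line_number, finding) pairs."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in triage_event(parse_event(line))]


# Constructed sample records (paths and process names are invented for the example).
SAMPLE_LOG = [
    'Event=ImageLoad Image="C:\\Users\\Public\\app\\updater.exe" ImageLoaded="C:\\Users\\Public\\app\\version.dll"',
    'Event=ImageLoad Image="C:\\Windows\\explorer.exe" ImageLoaded="C:\\Windows\\System32\\version.dll"',
    'Event=FileCreate Image="C:\\Users\\Public\\app\\updater.exe" TargetFilename="C:\\ProgramData\\KillSomeOne\\Groza_1.dat"',
    'Event=NetworkConnect Image="C:\\Users\\Public\\app\\updater.exe" DestinationIp=160.20.147.254 DestinationPort=9999',
    'Event=NetworkConnect Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=10.0.0.5 DestinationPort=443',
]

if __name__ == "__main__":
    for line_no, finding in triage_log(SAMPLE_LOG):
        print(f"line {line_no}: {finding}")
```

The side-loading check is deliberately narrow: it only fires when a DLL name from the baseline loads from a non-system path, which keeps it quiet on hosts where applications ship their own private copies of unrelated libraries. The file-name and endpoint checks are exact matches on the values the entry reports and should be treated as confirmation signals rather than as the only detection.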
