Thursday, December 5, 2024
HomeCyber Security NewsWorkings of MalSync Malware Unveiled: DLL Hijacking & PHP Malware

Workings of MalSync Malware Unveiled: DLL Hijacking & PHP Malware

Published on

SIEM as a Service

Researchers have discovered the workings of the MalSync malware known as the “DuckTail” or “SYS01”.

The analysis of the malware revealed the infection vectors, command line usage, malware capabilities, and other information.

The malware seems to have a targeted approach to stealing social media credentials and have capabilities of data extraction and detection evasion.

- Advertisement - SIEM as a Service

Moreover, the malware communicates with a command-and-control server for updating its configuration and receiving instructions.

MalSync Malware

According to Binary Defense’s reports, the index.php file handles device information collection, scheduled tasks, and data staging before exfiltration.

The analysis started with an alert raised due to suspicious PowerShell command line activity designed to add exclusions to Windows Defender.

Similar to other malware, this command was initiated by a svchost.exe process with elevated privileges.

Further analysis also revealed several executable files in the %AppData% directory. The list of files identified is as follows:

  • wdelua.exe
  • php.exe
  • rhc.exe

Though these files are used by legitimate installers and malware, the presence of these files in this specific directory raises suspicion.

Attack Chain

In addition, the file creation events in the malware showed a chain of executables which indicates a layered attack strategy.

The first part of the attack chain used an EXE file under the name “IMG_9597_One_Night_Stand_Li_Shaw – Gyeon_Jung_Hee_Studio – By_Gook_Changmin_Photographer.exe” that creates another EXE file “ts.exe”.

Following this, another two EXE files are created under the same name “cgcmpukluosgfec.exe”.

One of these files is a temporary file. After this, three other files are created such as rhc.exe, php.exe, and wdelua.exe alongside all the PHP libraries required for the attack chain.

The final part of the sequence is associated with the creation of a Scheduled search.

This search is used to communicate with the C2 server, download additional malware and create several other scheduled searches based on the C2’s response.

For luring users, the threat actor creates a file “WDSyncService.exe” which is capable of DLL search-order hijacking attack.

This DLL hijacking attack is performed by the use of WDSync.dll in the same directory that is loaded when the WDSyncService.exe is executed.

However, the original malware was found in the file named “updx-v2.5.23-setup.exe” which seems to be downloaded from an external source.

Further analysis of the malware executed through the MalSync’s IonCube PHP components had several other tactics such as identity theft, fraud and espionage activities.

Moreover, the index.php files consist of a large amount of PHP code that handles device information collection, task management, and data staging prior to exfiltration.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

I-O DATA Routers Command Injection Vulnerabilities Actively Exploited in Attacks

I-O DATA DEVICE, INC. has announced that several critical vulnerabilities in their UD-LT1 and...

ChatGPT Next Web Vulnerability Let Attackers Exploit Endpoint to Perform SSRF

Researchers released a detailed report on a significant security vulnerability named CVE-2023-49785, affecting the...

Cisco NX-OS Vulnerability Allows Attackers to Bypass Image Signature Verification

A critical vulnerability has been identified in the bootloader of Cisco NX-OS Software, potentially...