Workings of MalSync Malware Unveiled: DLL Hijacking & PHP Malware

Researchers have discovered the workings of the MalSync malware known as the “DuckTail” or “SYS01”.

The analysis of the malware revealed the infection vectors, command line usage, malware capabilities, and other information.

The malware seems to have a targeted approach to stealing social media credentials and have capabilities of data extraction and detection evasion.

Moreover, the malware communicates with a command-and-control server for updating its configuration and receiving instructions.

MalSync Malware

According to Binary Defense’s reports, the index.php file handles device information collection, scheduled tasks, and data staging before exfiltration.

The analysis started with an alert raised due to suspicious PowerShell command line activity designed to add exclusions to Windows Defender.

Similar to other malware, this command was initiated by a svchost.exe process with elevated privileges.

Further analysis also revealed several executable files in the %AppData% directory. The list of files identified is as follows:

  • wdelua.exe
  • php.exe
  • rhc.exe

Though these files are used by legitimate installers and malware, the presence of these files in this specific directory raises suspicion.

Attack Chain

In addition, the file creation events in the malware showed a chain of executables which indicates a layered attack strategy.

The first part of the attack chain used an EXE file under the name “IMG_9597_One_Night_Stand_Li_Shaw – Gyeon_Jung_Hee_Studio – By_Gook_Changmin_Photographer.exe” that creates another EXE file “ts.exe”.

Following this, another two EXE files are created under the same name “cgcmpukluosgfec.exe”.

One of these files is a temporary file. After this, three other files are created such as rhc.exe, php.exe, and wdelua.exe alongside all the PHP libraries required for the attack chain.

The final part of the sequence is associated with the creation of a Scheduled search.

This search is used to communicate with the C2 server, download additional malware and create several other scheduled searches based on the C2’s response.

For luring users, the threat actor creates a file “WDSyncService.exe” which is capable of DLL search-order hijacking attack.

This DLL hijacking attack is performed by the use of WDSync.dll in the same directory that is loaded when the WDSyncService.exe is executed.

However, the original malware was found in the file named “updx-v2.5.23-setup.exe” which seems to be downloaded from an external source.

Further analysis of the malware executed through the MalSync’s IonCube PHP components had several other tactics such as identity theft, fraud and espionage activities.

Moreover, the index.php files consist of a large amount of PHP code that handles device information collection, task management, and data staging prior to exfiltration.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges in Organizational Environments

A startling discovery by BeyondTrust researchers has unveiled a critical vulnerability in Microsoft Entra ID…

1 day ago

Threat Actors Exploit Google Apps Script to Host Phishing Sites

The Cofense Phishing Defense Center has uncovered a highly strategic phishing campaign that leverages Google…

1 day ago

Dadsec Hacker Group Uses Tycoon2FA Infrastructure to Steal Office365 Credentials

Cybersecurity researchers from Trustwave’s Threat Intelligence Team have uncovered a large-scale phishing campaign orchestrated by…

1 day ago

Beware: Weaponized AI Tool Installers Infect Devices with Ransomware

Cisco Talos has uncovered a series of malicious threats masquerading as legitimate AI tool installers,…

1 day ago

Pure Crypter Uses Multiple Evasion Methods to Bypass Windows 11 24H2 Security Features

Pure Crypter, a well-known malware-as-a-service (MaaS) loader, has been recognized as a crucial tool for…

1 day ago

Attackers Exploit Microsoft Entra Billing Roles to Escalate Privileges

A recent discovery by security researchers at BeyondTrust has revealed a critical, yet by-design, security…

1 day ago