Workings of MalSync Malware Unveiled: DLL Hijacking & PHP Malware

Researchers have discovered the workings of the MalSync malware known as the “DuckTail” or “SYS01”.

The analysis of the malware revealed the infection vectors, command line usage, malware capabilities, and other information.

The malware seems to have a targeted approach to stealing social media credentials and have capabilities of data extraction and detection evasion.

Moreover, the malware communicates with a command-and-control server for updating its configuration and receiving instructions.

MalSync Malware

According to Binary Defense’s reports, the index.php file handles device information collection, scheduled tasks, and data staging before exfiltration.

The analysis started with an alert raised due to suspicious PowerShell command line activity designed to add exclusions to Windows Defender.

Similar to other malware, this command was initiated by a svchost.exe process with elevated privileges.

Further analysis also revealed several executable files in the %AppData% directory. The list of files identified is as follows:

  • wdelua.exe
  • php.exe
  • rhc.exe

Though these files are used by legitimate installers and malware, the presence of these files in this specific directory raises suspicion.

Attack Chain

In addition, the file creation events in the malware showed a chain of executables which indicates a layered attack strategy.

The first part of the attack chain used an EXE file under the name “IMG_9597_One_Night_Stand_Li_Shaw – Gyeon_Jung_Hee_Studio – By_Gook_Changmin_Photographer.exe” that creates another EXE file “ts.exe”.

Following this, another two EXE files are created under the same name “cgcmpukluosgfec.exe”.

One of these files is a temporary file. After this, three other files are created such as rhc.exe, php.exe, and wdelua.exe alongside all the PHP libraries required for the attack chain.

The final part of the sequence is associated with the creation of a Scheduled search.

This search is used to communicate with the C2 server, download additional malware and create several other scheduled searches based on the C2’s response.

For luring users, the threat actor creates a file “WDSyncService.exe” which is capable of DLL search-order hijacking attack.

This DLL hijacking attack is performed by the use of WDSync.dll in the same directory that is loaded when the WDSyncService.exe is executed.

However, the original malware was found in the file named “updx-v2.5.23-setup.exe” which seems to be downloaded from an external source.

Further analysis of the malware executed through the MalSync’s IonCube PHP components had several other tactics such as identity theft, fraud and espionage activities.

Moreover, the index.php files consist of a large amount of PHP code that handles device information collection, task management, and data staging prior to exfiltration.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

7 hours ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

7 hours ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

8 hours ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

8 hours ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

11 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

12 hours ago