Workings of MalSync Malware Unveiled: DLL Hijacking & PHP Malware

Researchers have discovered the workings of the MalSync malware known as the “DuckTail” or “SYS01”.

The analysis of the malware revealed the infection vectors, command line usage, malware capabilities, and other information.

The malware seems to have a targeted approach to stealing social media credentials and have capabilities of data extraction and detection evasion.

Moreover, the malware communicates with a command-and-control server for updating its configuration and receiving instructions.

MalSync Malware

According to Binary Defense’s reports, the index.php file handles device information collection, scheduled tasks, and data staging before exfiltration.

The analysis started with an alert raised due to suspicious PowerShell command line activity designed to add exclusions to Windows Defender.

Similar to other malware, this command was initiated by a svchost.exe process with elevated privileges.

Further analysis also revealed several executable files in the %AppData% directory. The list of files identified is as follows:

• wdelua.exe
• php.exe
• rhc.exe

Though these files are used by legitimate installers and malware, the presence of these files in this specific directory raises suspicion.

Attack Chain

In addition, the file creation events in the malware showed a chain of executables which indicates a layered attack strategy.

The first part of the attack chain used an EXE file under the name “IMG_9597_One_Night_Stand_Li_Shaw – Gyeon_Jung_Hee_Studio – By_Gook_Changmin_Photographer.exe” that creates another EXE file “ts.exe”.

Following this, another two EXE files are created under the same name “cgcmpukluosgfec.exe”.

One of these files is a temporary file. After this, three other files are created such as rhc.exe, php.exe, and wdelua.exe alongside all the PHP libraries required for the attack chain.

The final part of the sequence is associated with the creation of a Scheduled search.

This search is used to communicate with the C2 server, download additional malware and create several other scheduled searches based on the C2’s response.

For luring users, the threat actor creates a file “WDSyncService.exe” which is capable of DLL search-order hijacking attack.

This DLL hijacking attack is performed by the use of WDSync.dll in the same directory that is loaded when the WDSyncService.exe is executed.

However, the original malware was found in the file named “updx-v2.5.23-setup.exe” which seems to be downloaded from an external source.

Further analysis of the malware executed through the MalSync’s IonCube PHP components had several other tactics such as identity theft, fraud and espionage activities.

Moreover, the index.php files consist of a large amount of PHP code that handles device information collection, task management, and data staging prior to exfiltration.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.