Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Thai Officials Targeted in Yokai Backdoor Campaign Using DLL Side-Loading Techniques

Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai.

"The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not limited and can be used against any potential target."

The starting point of the attack chain is a RAR archive containing two Windows shortcut files named in Thai that translate to "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx."

The exact initial vector used to deliver the payload is currently not known, although Hegde speculated that it would likely be spear-phishing due to the lures employed and the fact that RAR files have been used as malicious attachments in phishing emails.

Launching the shortcut files causes a decoy PDF and Microsoft Word document to be opened, respectively, while also dropping a malicious executable stealthily in the background. Both the lure files relate to Woravit Mektrakarn, a Thai national who is wanted in the U.S. in connection with the disappearance of a Mexican immigrant. Mektrakarn was charged with murder in 2003 and is said to have fled to Thailand.

The executable, for its part, is designed to drop three more files: A legitimate binary associated with the iTop Data Recovery application ("IdrInit.exe"), a malicious DLL ("ProductStatistics3.dll"), and a DATA file containing information sent by an attacker-controlled server. In the next stage, "IdrInit.exe" is abused to sideload the DLL, ultimately leading to the deployment of the backdoor.

Yokai is responsible for setting up persistence on the host and connecting to the command-and-control (C2) server in order to receive command codes that allow it to spawn cmd.exe and execute shell commands on the host.

The development comes as Zscaler ThreatLabz revealed it discovered a malware campaign leveraging Node.js-compiled executables for Windows to distribute cryptocurrency miners and information stealers such as XMRig, Lumma, and Phemedrone Stealer. The rogue applications have been codenamed NodeLoader.

The attacks employ malicious links embedded in YouTube video descriptions, leading users to MediaFire or phony websites that urge them to download a ZIP archive that is disguised as video game hacks. The end goal of the attacks is to extract and run NodeLoader, which, in turn, downloads a PowerShell script responsible for launching the final-stage malware.

"NodeLoader uses a module called sudo-prompt, a publicly available tool on GitHub and npm, for privilege escalation," Zscaler said. "The threat actors employ social engineering and anti-evasion techniques to deliver NodeLoader undetected."

It also follows a spike in phishing attacks distributing the commercially available Remcos RAT, with threat actors giving the infection chains a makeover by employing Visual Basic Script (VBS) scripts and Office Open XML documents as a launchpad to trigger the multi-stage process.

In one set of attacks, executing the VBS file leads to a highly obfuscated PowerShell script that downloads interim payloads, ultimately resulting in the injection of Remcos RAT into RegAsm.exe, a legitimate Microsoft .NET executable.

The other variant entails using an Office Open XML document to load an RTF file that's susceptible to CVE-2017-11882, a known remote code execution flaw in Microsoft Equation Editor, to fetch a VBS file that subsequently proceeds to fetch PowerShell in order to inject Remcos payload into the memory of RegAsm.exe.

It's worth pointing out that both methods avoid leaving writing files to disk and load them into valid processes in a deliberate attempt to evade detection by security products.

"As this remote access trojan continues to target consumers through phishing emails and malicious attachments, the need for proactive cybersecurity measures has never been more critical," McAfee Labs researchers said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.