Sophos Uncovers Attackers Targeting Non-Governmental Organizations in Myanmar With New ‘KilllSomeOne’ Backdoor – GlobeNewswire

admin on November 4, 2020 Leave a Comment

Operators Used Four Different DLL Side-Loading Scenarios To Install And Execute New Malware After Removing A Resident PlugX Backdoor

Targets and Tools Suggest Adversaries are a Chinese APT Group

OXFORD, United Kingdom, Nov. 04, 2020 (GLOBE NEWSWIRE) -- Sophos, a global leader in next-generation cybersecurity, has uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations. A report published today, A New APT uses DLL Side-loads to Killl Someone, outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named KilllSomeOne. The targeting of these attacksagainst non-governmental organizations and other organizations in Myanmarand other characteristics of the malware suggest that the attackers involved may be a Chinese APT group.

The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well known PlugX backdoor. Two of the scenarios deliver a payload carrying a simple shell, while the other two carry a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.

The malware also looks for a running process name starting with AAM, probably because earlier PlugX side-loading scenarios used the file name AAM Updates.exe. If the malware finds this file, it kills and deletes it. This suggests the KilllSomeOne backdoor was designed to remove earlier PlugX infections, either because the original attackers wanted to push out new code or because the attacks were implemented by a different group leveraging existing infrastructure.

The KilllSomeOne malware code includes several strings of plain text. The samples Sophos analyzed were written in poor English and with clear political messages. According to Sophos, it is unusual to find these types of political messages in what appears to be a nation-state threat, and it could mean less professional cybercriminals are involved or the attackers inserted the messages to misdirect security researchers.

This is an intriguing new discovery and a good reminder that the operators behind advanced targeted attacks rarely are a homogeneous pool or even see themselves as a single entity. Individual contributors come with very different skill sets and capabilities. Some of them are highly adept, while others are little more than your average cybercriminal, said Gabor Szappanos, threat research director, Sophos. The group responsible for the KilllSomeOne attacks doesnt fall clearly at either end of the spectrum. For instance, the perpetrators opted for fairly simple implementations in codingespecially in encrypting the payloadand the messages hidden in their samples are what youd expect from script kiddies. On the other hand, the targeting and deployment is that of a serious APT group. Its not clear from our analysis whether this group will eventually return to more traditional implants like PlugX or keep going with its own code.

Further information on KilllSomeOne can be found on SophosLabs Uncut whereSophos experts regularly publish their latest research and breakthrough findings. Threat researchers and IT managers can follow SophosLabs Uncut in real time on Twitter at @SophosLabs.

Human-led threat hunting and response help to identify and mitigate new and unknown threats. At Sophos, these experts are available through Sophos Managed Threat Response and Sophos Rapid Response services.

Additional Resources.

About SophosAs a worldwide leader in next-generation cybersecurity, Sophos protects more than 400,000 organizations of all sizes in more than 150 countries from todays most advanced cyber threats. Powered by SophosLabs a global threat intelligence and data science team Sophos cloud-native and AI-powered solutions secure endpoints (laptops, servers and mobile devices) and networks against evolving cyberattack techniques, including ransomware, malware, exploits, data exfiltration, active-adversary breaches, phishing, and more. Sophos Central, a cloud-native management platform, integrates Sophos entire portfolio of next-generation products, including the Intercept X endpoint solution and the XG next-generation firewall, into a single synchronized security system accessible through a set of APIs. Sophos has been driving a transition to next-generation cybersecurity, leveraging advanced capabilities in cloud, machine learning, APIs, automation, managed threat response, and more, to deliver enterprise-grade protection to any size organization. Sophos sells its products and services exclusively through a global channel of more than 53,000 partners and managed service providers (MSPs). Sophos also makes its innovative commercial technologies available to consumers via Sophos Home. The company is headquartered in Oxford, U.K. More information is available at http://www.sophos.com.

See the original post:
Sophos Uncovers Attackers Targeting Non-Governmental Organizations in Myanmar With New 'KilllSomeOne' Backdoor - GlobeNewswire

Related Posts
Posted in Cloud Servers

Comments are closed.