Severity
High
Analysis Summary
Thai government personnel are the focus of a recent campaign that uses DLL side-loading to deliver Yokai, a previously unreported backdoor. The lure documents indicate that Thai authorities were the threat actors' intended target, but nothing in the backdoor itself restricts it to them; it could be deployed against any victim.
The attack chain begins with a RAR archive containing two Windows shortcut (LNK) files, named in Thai as "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx". The exact initial access vector used to deliver the archive is not yet known, but researchers assess that it was probably spear-phishing, given the lure themes and the established use of RAR attachments in phishing emails.
When either shortcut is launched, it opens a decoy PDF or Microsoft Word document, respectively, while silently dropping a malicious executable in the background. Both decoys concern Woravit Mektrakarn, a Thai national wanted in the United States in connection with the disappearance of a Mexican immigrant; Mektrakarn was charged with murder in 2003 and allegedly fled to Thailand.
The executable, in turn, drops three further files: a malicious DLL ("ProductStatistics3.dll"), a DATA file holding content supplied by an attacker-controlled server, and a legitimate binary from the iTop Data Recovery tool ("IdrInit.exe"). In the next stage, "IdrInit.exe" is abused to side-load the DLL, which ultimately deploys the backdoor. Yokai first establishes persistence on the host and then connects to its command-and-control (C2) server, from which it receives command codes that let it launch cmd.exe and run shell commands.
The disclosure coincides with the discovery of a malware campaign that uses Windows executables built with Node.js to distribute Bitcoin miners and information stealers such as XMRig, Lumma, and Phemedrone Stealer; the malicious applications are tracked as NodeLoader. The attacks rely on malicious URLs placed in YouTube video descriptions, which lead visitors to MediaFire or fraudulent websites and prompt them to download a ZIP file purporting to contain video game cheats. The goal is to extract and execute NodeLoader, which downloads a PowerShell script that launches the final stage of the infection.
For privilege escalation, NodeLoader uses sudo-prompt, a module freely available on GitHub and npm. The threat actors combine evasion and social engineering techniques to deliver NodeLoader covertly. The activity also coincides with a rise in phishing attacks distributing the commercially available Remcos RAT, in which the threat actors vary the infection chains by using Office Open XML documents and Visual Basic Script (VBS) files as the starting point of the multi-stage process.
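As an added illustration of how the side-loading step described above can be surfaced by a defender (example code written for this page, not from the original advisory or from the researchers who reported Yokai): the script below applies a simple heuristic to constructed Sysmon-style "Image loaded" (Event ID 7) records. A host process running from outside the usual install locations that maps an unsigned DLL from its own directory is flagged; the legitimate "IdrInit.exe" loading "ProductStatistics3.dll" from a dropped location fits that pattern. The %TEMP% path, the pipe-separated export format, the `Signed`/`SignatureStatus` values and the trusted-directory list are all assumptions made for the example.

```python
"""Flag candidate DLL side-loading in Sysmon-style "Image loaded" (Event ID 7) records.

Example added for illustration; the records below are constructed, not real telemetry.
The heuristic is an assumption for this example, not the researchers' detection logic:
a host process located outside the usual install directories loads an unsigned DLL
from its own directory.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Install locations from which a DLL load is treated as expected (simplified list).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str             # Sysmon "Image": the process performing the load
    image_loaded: str      # Sysmon "ImageLoaded": the DLL that was mapped
    signed: bool           # Sysmon "Signed" for the loaded DLL
    signature_status: str  # Sysmon "SignatureStatus" for the loaded DLL


def parse_event(line: str) -> ImageLoad:
    """Parse one pipe-separated key=value line (a constructed export format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def in_trusted_dir(path: str) -> bool:
    """True when the path sits under one of the expected install locations."""
    lowered = path.lower()
    return any(lowered.startswith(prefix) for prefix in TRUSTED_DIRS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Host and DLL share a directory, the DLL is not validly signed, and neither
    file lives in a trusted install location (typically a user-writable path)."""
    same_dir = PureWindowsPath(ev.image).parent == PureWindowsPath(ev.image_loaded).parent
    dll_untrusted = (not ev.signed) or ev.signature_status.lower() != "valid"
    return (same_dir and dll_untrusted
            and not in_trusted_dir(ev.image)
            and not in_trusted_dir(ev.image_loaded))


def scan(lines) -> list:
    """Return the ImageLoad records that match the side-loading heuristic."""
    return [ev for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


# Constructed sample records (paths and signature fields are assumptions).
SAMPLE_EVENTS = [
    r"Image=C:\Users\victim\AppData\Local\Temp\IdrInit.exe|ImageLoaded=C:\Users\victim\AppData\Local\Temp\ProductStatistics3.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Program Files\SomeVendor\app.exe|ImageLoaded=C:\Program Files\SomeVendor\helper.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Users\victim\Downloads\tool.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {ev.image} loaded {ev.image_loaded}")
```

Only the first record is flagged: the unsigned vendor DLL under Program Files (third record) is tolerated because the heuristic keys on location, and the Downloads-resident tool loading kernel32.dll from System32 (fourth record) is a normal load. In production this rule should be joined with process-creation context (parent process, LNK execution) to keep false positives down.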
Impact
- Unauthorized Access
- Code Execution
- Information Theft
Indicators of Compromise
IP
- 154.90.47.77
MD5
- a944e263baef43c482e33b7eaff84a4f
- 025e03797d3ccfc548accded09a1f93d
- c3886f5904c0ff21d49433fd1fa05655
- 4b1e6b39e13bf7c665e4ed51f4e49411
- 596645fd383ee909024f9e742bc71bf5
- 70c79d162bc8d094f721c430b7a768b2
- 47a2679a34763a2fc22dd3b55628fc91
- f36371db03d12b389c74b3f92a3e4af8
SHA-256
- 248c50331f375e7e73f010e4158ec2db8835a4373da2687ab75e8a73fde795f0
- c74f67bb13a79ae8c111095f18b57a10e63d9f8bfbffec8859c61360083ce43e
- 24509eb64a11f7e21feeb667b1d70520b1b1db8345d0e6502b657d416ef81a4d
- f361f5ec213b861dc4a76eb2835d70e6739321539ad216ea5dc416c1dc026528
- eaae6d5dbf40239fb5abfa2918286f4039a3a0fcd28276a41281957f6d850456
- 3e5cfe768817da9a78b63efad9e60d2d300727a97476edf87be088fb26f06500
- 1626ce79f2b96c126cbdb00195dd8509353e8754b1a0ce88d359fa890acd6676
- 2852223eb40cf0dae4111be28ce37ce9af23e5332fb78b47c8f5568d497d2611
SHA1
- a472eded72eabc52792a51187062ee021c32b3c9
- 4da70f14a0e0ea6054a42eb7d43f6cd59f09a72e
- 6065c56dcf34de1568cec41450c798fe32395f31
- 2b58537f6039444ca4920245a2854f4368c9ded5
- 94e8e815315dcd439395c718658fc87f750be2aa
- 47b1a8b12e46af207fc67ea8ca4f5ed7847ee7bf
- ac050f6c8924fc3094145d77e40596e5f34a7b6f
- 57d28f7f4859853a9fc42bdcfc2b0d2d7341443a
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Ensure that all software, particularly software from third-party vendors, is obtained from trusted sources and that updates come from the vendor's official website or app store.
- Conduct regular security assessments and audits of all software, especially software that handles sensitive data, to detect any suspicious activity.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.
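As an added example tied to the recommendation to search for these indicators in your environment (code written for this page, not from the original advisory or its source researchers): a small Python sweep that extracts MD5, SHA-1 and SHA-256 values and IPv4 addresses from free-text log lines and matches them, case-insensitively, against the indicators listed above. Only the indicator values come from the advisory; the log lines, host names, timestamps and the line format are constructed for the example.

```python
"""Sweep constructed log lines for the Yokai indicators listed in this advisory.

Example added for illustration. Only the indicator values come from the advisory;
the log lines, host names and the line format are constructed for the example.
"""
import re

IOC_IPS = {"154.90.47.77"}

IOC_HASHES = {
    # MD5
    "a944e263baef43c482e33b7eaff84a4f", "025e03797d3ccfc548accded09a1f93d",
    "c3886f5904c0ff21d49433fd1fa05655", "4b1e6b39e13bf7c665e4ed51f4e49411",
    "596645fd383ee909024f9e742bc71bf5", "70c79d162bc8d094f721c430b7a768b2",
    "47a2679a34763a2fc22dd3b55628fc91", "f36371db03d12b389c74b3f92a3e4af8",
    # SHA-256
    "248c50331f375e7e73f010e4158ec2db8835a4373da2687ab75e8a73fde795f0",
    "c74f67bb13a79ae8c111095f18b57a10e63d9f8bfbffec8859c61360083ce43e",
    "24509eb64a11f7e21feeb667b1d70520b1b1db8345d0e6502b657d416ef81a4d",
    "f361f5ec213b861dc4a76eb2835d70e6739321539ad216ea5dc416c1dc026528",
    "eaae6d5dbf40239fb5abfa2918286f4039a3a0fcd28276a41281957f6d850456",
    "3e5cfe768817da9a78b63efad9e60d2d300727a97476edf87be088fb26f06500",
    "1626ce79f2b96c126cbdb00195dd8509353e8754b1a0ce88d359fa890acd6676",
    "2852223eb40cf0dae4111be28ce37ce9af23e5332fb78b47c8f5568d497d2611",
    # SHA-1
    "a472eded72eabc52792a51187062ee021c32b3c9", "4da70f14a0e0ea6054a42eb7d43f6cd59f09a72e",
    "6065c56dcf34de1568cec41450c798fe32395f31", "2b58537f6039444ca4920245a2854f4368c9ded5",
    "94e8e815315dcd439395c718658fc87f750be2aa", "47b1a8b12e46af207fc67ea8ca4f5ed7847ee7bf",
    "ac050f6c8924fc3094145d77e40596e5f34a7b6f", "57d28f7f4859853a9fc42bdcfc2b0d2d7341443a",
}

# Runs of exactly 64, 40 or 32 hex characters bounded by non-word characters.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}


def find_matches(line: str) -> list:
    """Return (kind, value) tuples for every listed indicator present in one line."""
    hits = []
    for raw in HASH_RE.findall(line):
        value = raw.lower()  # vendor logs differ in case; the IOC set is lowercase
        if value in IOC_HASHES:
            hits.append((HASH_KIND[len(value)], value))
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip))
    return hits


def sweep(lines) -> list:
    """Return (line_number, kind, value) for each hit; line numbers are 1-based."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in find_matches(line)]


# Constructed sample log lines; the SHA-256 on line 1 and the IP on line 2 are from the advisory,
# the all-zero hash and the 10.0.0.5 address are benign placeholders.
SAMPLE_LOG = [
    "2024-12-17T10:01:03Z edr host=WS-042 event=process_create "
    "image=C:\\Users\\victim\\AppData\\Local\\Temp\\IdrInit.exe "
    "sha256=" + "248c50331f375e7e73f010e4158ec2db8835a4373da2687ab75e8a73fde795f0".upper(),
    "2024-12-17T10:01:09Z proxy host=WS-042 dst=154.90.47.77:443 action=allow bytes_out=1842",
    "2024-12-17T10:02:11Z edr host=WS-017 event=process_create "
    "image=C:\\Windows\\System32\\notepad.exe sha256=" + "0" * 64,
    "2024-12-17T10:02:40Z proxy host=WS-017 dst=10.0.0.5:443 action=allow bytes_out=512",
]

if __name__ == "__main__":
    for line_no, kind, value in sweep(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {value}")
```

The sweep reports the upper-cased SHA-256 on the first line and the C2 address on the second, and nothing for the two benign lines. Feeding it a real export is a matter of replacing `SAMPLE_LOG` with the lines read from a file; matching on the IP alone is weaker evidence than a hash hit, since the address may be reassigned after the campaign.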