A wave of assaults that began in July 2024 depend on a much less widespread method known as AppDomain Supervisor Injection, which might weaponize any Microsoft .NET utility on Home windows.
The method has been round since 2017, and a number of proof-of-concept apps have been launched through the years. Nonetheless, it’s usually utilized in pink crew engagements and seldomly noticed in malicious assaults, with defenders not actively monitoring it.
The Japanese division of NTT has tracked assaults that finish with deploying a CobaltStrike beacon that focused authorities businesses in Taiwan, the army within the Philippines, and vitality organizations in Vietnam.
Ways, methods, and procedures, and infrastructural overlaps with current AhnLab reviews and different sources, counsel that the Chinese language state-sponsored risk group APT 41 is behind the assaults, though this attribution has low confidence.
AppDomain Supervisor Injection
Much like normal DLL side-loading, AppDomainManager Injection additionally entails the usage of DLL recordsdata to attain malicious objectives on breached programs.
Nonetheless, AppDomainManager Injection leverages .NET Framework’s AppDomainManager class to inject and execute malicious code, making it stealthier and extra versatile.
The attacker prepares a malicious DLL that incorporates a category inheriting from the AppDomainManager class and a configuration file (exe.config) that redirects the loading of a respectable meeting to the malicious DLL.
The attacker solely wants to position the malicious DLL and config file in the identical listing because the goal executable, with no need to match the identify of an present DLL, like in DLL side-loading.
When the .NET utility runs, the malicious DLL is loaded, and its code is executed inside the context of the respectable utility.
In contrast to DLL side-loading, which could be extra simply detected by safety software program, AppDomainManager injection is more durable to detect as a result of the malicious conduct seems to return from a respectable, signed executable file.
GrimResource assaults
The assaults NTT noticed begin with the supply of a ZIP archive to the goal that incorporates a malicious MSC (Microsoft Script Element) file.
When the goal opens the file, malicious code is executed instantly with out additional person interplay or clicks, utilizing a method known as GrimResource, described intimately by Elastic’s safety crew in June.
GrimResource is a novel assault method that exploits a cross-site scripting (XSS) vulnerability within the apds.dll library of Home windows to execute arbitrary code by way of Microsoft Administration Console (MMC) utilizing specifically crafted MSC recordsdata.
The method permits attackers to execute malicious JavaScript, which in flip can run .NET code utilizing the DotNetToJScript methodology.
The MSC file within the newest assaults seen by NTT creates an exe.config file in the identical listing as a respectable, signed Microsoft executable file (e.g. oncesvc.exe).
This configuration file redirects the loading of sure assemblies to a malicious DLL, which incorporates a category inheriting from the .NET Framework’s AppDomainManager class and is loaded as a substitute of the respectable meeting.
Finally, this DLL executes malicious code inside the context of the respectable and signed Microsoft executable, fully evading detection and bypassing safety measures.
Supply: NTT
The ultimate stage of the assault is loading a CobaltStrike beacon on the machine, which the attacker could use to carry out a broad vary of malicious actions, together with introducing extra payloads and lateral motion.
Though it isn’t sure that APT41 is accountable for the assaults, the mix of the AppDomainManager Injection and GrimResource methods signifies that the attackers have the technical experience to combine novel and less-known methods in sensible instances.
