New Yokai Side-loaded Backdoor Targets Thai Officials

Guest
APT
December 13, 2024

Category	Details
Threat Actors	APT41, threat actors using DLL side-loading, Yokai backdoor developers.
Campaign Overview	Discovery of Yokai backdoor through DLL side-loading, exploiting legitimate software vulnerabilities to deploy malicious payloads.
Target Regions (Victims)	Users with iTop Data Recovery application, primarily targeting Windows systems, system users, and corporate networks.
Methodology	DLL side-loading, alternate data stream (ADS) exploitation, command and control (C2) communication, encryption, and data exfiltration.
Product Targeted	iTop Data Recovery application, Windows operating system components (file.exe, ProductStatistics3.dll).
Malware Reference	Yokai backdoor embedded in ProductStatistics3.dll, encrypted communication with C2 servers.
Tools Used	– esentutl (Windows binary for data copying) – Alternate Data Streams (ADS) – Encryption routines (XOR operations)
Vulnerabilities Exploited	DLL side-loading, unverified data streams, insecure build interactions, weak checksum encryption mechanisms, outdated legitimate applications.
TTPs	– DLL side-loading for backdoor deployment – Use of alternate data streams (ADS) – C2 communication encryption – Continuous process spawning
Attribution	APT41, threat developers exploiting legitimate Windows tools and libraries, communication routed through C2 servers hosted on IP addresses.
Recommendations	– Patch and update iTop Data Recovery software – Deploy monitoring tools to detect DLL side-loading behavior – Improve checksum validation mechanisms.
Source	Netskope

Read full article: https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials

The above summary has been generated by an AI language model

Source: Netskope

Published on: December 13, 2024

Leave a Reply Cancel reply