| Category | Details |
|---|---|
| Threat Actors | APT41; threat actors using DLL side-loading; Yokai backdoor developers. |
| Campaign Overview | Discovery of the Yokai backdoor, delivered via DLL side-loading that exploits weaknesses in legitimate software to deploy malicious payloads. |
| Target Regions (Victims) | Users of the iTop Data Recovery application; primarily Windows systems, their users, and corporate networks. |
| Methodology | DLL side-loading, alternate data stream (ADS) abuse, command and control (C2) communication, encryption, and data exfiltration. |
| Product Targeted | iTop Data Recovery application; Windows operating system components (file.exe, ProductStatistics3.dll). |
| Malware Reference | Yokai backdoor embedded in ProductStatistics3.dll; encrypted communication with C2 servers. |
| Tools Used | esentutl (Windows binary used to copy data); alternate data streams (ADS); encryption routines (XOR operations). |
| Vulnerabilities Exploited | DLL side-loading, unverified data streams, insecure build interactions, weak checksum encryption mechanisms, and outdated legitimate applications. |
| TTPs | DLL side-loading for backdoor deployment; use of alternate data streams (ADS); encrypted C2 communication; continuous process spawning. |
| Attribution | APT41; threat developers abusing legitimate Windows tools and libraries, with communication routed through C2 servers reached by IP address. |
| Recommendations | Patch and update the iTop Data Recovery software; deploy monitoring tools to detect DLL side-loading behavior; improve checksum validation mechanisms. |
| Source | Netskope |
Read full article: https://www.netskope.com/blog/new-yokai-side-loaded-backdoor-targets-thai-officials
The above summary has been generated by an AI language model