A wave of assaults that began in July 2024 depend on a much less frequent approach known as AppDomain Supervisor Injection, which might weaponize any Microsoft .NET utility on Home windows.
The approach has been round since 2017, and a number of proof-of-concept apps have been launched through the years. Nevertheless, it’s usually utilized in crimson crew engagements and seldomly noticed in malicious assaults, with defenders not actively monitoring it.
The Japanese division of NTT has tracked assaults that finish with deploying a CobaltStrike beacon that focused authorities companies in Taiwan, the army within the Philippines, and vitality organizations in Vietnam.
Techniques, strategies, and procedures, and infrastructural overlaps with current AhnLab studies and different sources, counsel that the Chinese language state-sponsored risk group APT 41 is behind the assaults, though this attribution has low confidence.
AppDomain Supervisor Injection
Much like normal DLL side-loading, AppDomainManager Injection additionally entails the usage of DLL information to attain malicious objectives on breached programs.
Nevertheless, AppDomainManager Injection leverages .NET Framework’s AppDomainManager class to inject and execute malicious code, making it stealthier and extra versatile.
The attacker prepares a malicious DLL that incorporates a category inheriting from the AppDomainManager class and a configuration file (exe.config) that redirects the loading of a authentic meeting to the malicious DLL.
The attacker solely wants to put the malicious DLL and config file in the identical listing because the goal executable, without having to match the title of an present DLL, like in DLL side-loading.
When the .NET utility runs, the malicious DLL is loaded, and its code is executed inside the context of the authentic utility.
In contrast to DLL side-loading, which could be extra simply detected by safety software program, AppDomainManager injection is more durable to detect as a result of the malicious conduct seems to return from a authentic, signed executable file.
GrimResource assaults
The assaults NTT noticed begin with the supply of a ZIP archive to the goal that incorporates a malicious MSC (Microsoft Script Part) file.
When the goal opens the file, malicious code is executed instantly with out additional person interplay or clicks, utilizing a method known as GrimResource, described intimately by Elastic’s safety crew in June.
GrimResource is a novel assault approach that exploits a cross-site scripting (XSS) vulnerability within the apds.dll library of Home windows to execute arbitrary code by Microsoft Administration Console (MMC) utilizing specifically crafted MSC information.
The approach permits attackers to execute malicious JavaScript, which in flip can run .NET code utilizing the DotNetToJScript methodology.
The MSC file within the newest assaults seen by NTT creates an exe.config file in the identical listing as a authentic, signed Microsoft executable file (e.g. oncesvc.exe).
This configuration file redirects the loading of sure assemblies to a malicious DLL, which incorporates a category inheriting from the .NET Framework’s AppDomainManager class and is loaded as an alternative of the authentic meeting.
Finally, this DLL executes malicious code inside the context of the authentic and signed Microsoft executable, fully evading detection and bypassing safety measures.
Supply: NTT
The ultimate stage of the assault is loading a CobaltStrike beacon on the machine, which the attacker could use to carry out a broad vary of malicious actions, together with introducing extra payloads and lateral motion.
Though it isn’t sure that APT41 is liable for the assaults, the mixture of the AppDomainManager Injection and GrimResource strategies signifies that the attackers have the technical experience to combine novel and less-known strategies in sensible circumstances.
