Hunting for Unsigned DLLs to Find APTs
Executive Summary
Malware authors regularly evolve their techniques to evade detection and execute more sophisticated attacks. One method we have commonly observed over the past few years is unsigned DLL loading: a legitimate, usually signed, executable is made to load an attacker-supplied DLL that carries no valid Authenticode signature, most often by placing the DLL where the executable's search order finds it first (DLL sideloading).
Since this technique is well suited to advanced persistent threats (APTs), we hunted for it. The hunt revealed sophisticated payloads and APT groups in the wild, including the Chinese cyberespionage group Stately Taurus (formerly known as PKPLUG, aka Mustang Panda) and the North Korean group Selective Pisces (aka Lazarus Group).
Below, we show how hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment.
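One way to turn this hunt into something you can run over endpoint telemetry, as an added example that is not part of the original post and not Cortex XDR's own detection logic: the script below scores image-load records for the signed-process / unsigned-DLL pattern. The records are modelled on Sysmon Event ID 7 (Image loaded), which reports the loaded DLL's "Signed", "Signature" and "SignatureStatus" fields; the loading process's own signature status is assumed to be joined in from a separate Authenticode check, and the directory heuristics, weights and threshold are assumptions to tune per environment. All sample events are constructed for the example.

```python
"""Hunt for signed processes loading unsigned DLLs in image-load telemetry.

Added example, not code from the Unit 42 post.  Records are modelled on
Sysmon Event ID 7 (Image loaded), which reports the loaded DLL's "Signed",
"Signature" and "SignatureStatus"; the loading process's own signature
status is assumed to be joined in from a separate check (assumption).
All sample records below are constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Heuristic path classes (assumptions; tune to the environment being hunted).
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\tmp\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    process_id: int
    image: str               # loading process (Sysmon "Image")
    image_signed: bool       # loader's Authenticode status (joined from elsewhere; assumption)
    image_loaded: str        # loaded DLL (Sysmon "ImageLoaded")
    signed: bool             # Sysmon "Signed" for the DLL
    signature_status: str    # Sysmon "SignatureStatus" for the DLL, e.g. "Valid"


@dataclass
class Finding:
    record: ImageLoad
    score: int
    reasons: List[str]


def is_user_writable(path: str) -> bool:
    """Coarse check for locations a non-admin user (or a dropper) can write to."""
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def in_system_dir(path: str) -> bool:
    """True for images under Windows or Program Files (normally admin-only to write)."""
    return path.lower().startswith(SYSTEM_DIRS)


def score_load(rec: ImageLoad) -> Optional[Finding]:
    """Return a Finding for an unsigned or invalidly signed DLL load, scored by
    how closely it resembles sideloading; None for validly signed DLLs."""
    if rec.signed and rec.signature_status.lower() == "valid":
        return None

    score, reasons = 0, []
    if rec.image_signed:
        score += 2
        reasons.append("signed process loaded an unsigned DLL")
    # PureWindowsPath compares case-insensitively, so C:\App == c:\app.
    if PureWindowsPath(rec.image).parent == PureWindowsPath(rec.image_loaded).parent:
        score += 2
        reasons.append("DLL sits beside the executable (classic sideloading layout)")
    if is_user_writable(rec.image_loaded):
        score += 2
        reasons.append("DLL loaded from a user-writable location")
    if rec.image_signed and not in_system_dir(rec.image):
        score += 1
        reasons.append("signed executable running outside Windows/Program Files")
    return Finding(rec, score, reasons)


def hunt(records: List[ImageLoad], threshold: int = 4) -> List[Finding]:
    """Score every record and return those at or above the threshold, worst first."""
    findings = [f for f in (score_load(r) for r in records) if f is not None]
    return sorted((f for f in findings if f.score >= threshold),
                  key=lambda f: f.score, reverse=True)


# Constructed sample telemetry (not real events).
SAMPLE_LOADS = [
    # Ordinary OS activity: validly signed DLL, ignored by the hunt.
    ImageLoad(1204, r"C:\Windows\System32\svchost.exe", True,
              r"C:\Windows\System32\ntdll.dll", True, "Valid"),
    # Signed vendor binary relocated to AppData, loading an unsigned DLL next to it.
    ImageLoad(4412, r"C:\Users\alice\AppData\Roaming\Update\vendorapp.exe", True,
              r"C:\Users\alice\AppData\Roaming\Update\libhelper.dll", False, "Unavailable"),
    # Unsigned in-house tool loading its own unsigned plugin: noisy, low score.
    ImageLoad(5120, r"C:\Program Files\Acme\tool.exe", False,
              r"C:\Program Files\Acme\plugin.dll", False, "Unavailable"),
    # Signed installed app pulling an unsigned DLL from a public, writable folder.
    ImageLoad(6001, r"C:\Program Files\Vendor\viewer.exe", True,
              r"C:\Users\Public\cache\codec.dll", False, "Unavailable"),
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOADS):
        print(f"[score {f.score}] pid={f.record.process_id} "
              f"{f.record.image} -> {f.record.image_loaded}")
        for reason in f.reasons:
            print("    -", reason)
```

On the constructed sample the relocated signed binary loading an unsigned DLL from its own AppData folder scores highest, the installed signed application pulling an unsigned DLL from a public folder lands exactly at the threshold, and the unsigned in-house tool with its unsigned plugin drops below it. In practice the threshold and the path lists are where the tuning happens: unsigned DLLs are common in development and line-of-business software, so the value of the hunt comes from combining the signature status with where the DLL lives and who loaded it, rather than from the unsigned bit alone.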
Palo Alto Networks customers receive protections and detections against malicious DLL loading through the Cortex XDR agent.
Threat Actor Groups Discussed

| Unit 42 tracks group as… | Group also known as… |
|---|---|
| Stately Taurus | Mustang Panda, PKPLUG, BRONZE PRESIDENT, HoneyMyte, Red Lich, Baijiu |
| Selective Pisces | Lazarus Group, ZINC, APT-C-26 |