In one of  our recent IR case, we found Phobos ransomware being executed using DLL sideloading technique. The threat actors (TA) used a legitimate signed binary WiseTurbo.exe from Lespeed Technology Co., Ltd to perform sideloading of NlogExt.dll. WiseTurbo.exe imports sqlite3.dll, the TA modified the sqlite3.dll’s import table to include an entry for NlogExt.dll with single export function NlogGetInterface.

Thus the initial installer when executed, unpacks all the files onto %TEMP%\Tech tool store\, and executes WiseTurbo.exe, thus loading sqlite3.dll which in turn loads NlogExt.dll in memory and executes the DLLMain. NlogExt.dll on loading, reads the file “CM” which is present in the same directory and contains a shellcode, onto memory. The shellcode eventually leads to the decoding of a PE file in memory and transfers the execution to its Entry point. The PE file allocates a new heap area and unpacks the final Phobos ransomware in memory and executes it. Detailed analysis is given below.

Analysis

 MD5: AAA058858261D7C0E73FA1B8264A9A3D (setup.exe)

Setup.exe (file recovered from the victim machine) is an installer file, which on execution, unpacks all the files into %TEMP%\Tech tool store\ along with shellcode file “CM”, modified sqlite3.dll, NlogExt.dll and Wiseturbo.exe which is the signed binary from Lespeed Technology Co., Ltd., along with other files which are clean.

Figure 1: Files dropped on executing setup.exe

The image below shows the difference between modified and original sqlite3.dll. The TA have modified the import section to load NlogExt.dll.

Figure 2: Import table diff between original and modified sqlite3.dll

Once all the files have been unpacked, wiseturbo.exe is executed. Since wiseturbo.exe imports from sqlite3.dll it loads it from the unpacked directory, further now that modified sqlite3.dll is loaded, it loads the DLL NlogExt.dll in memory, thus executing the DLLMain of NlogExt.dll. 

Figure 3: NlogExt.dll observed loading after sqlite3.dll in Procmon

In the DLLMain, a new thread is created to execute the export function NlogGetInterface, it reads the file “CM” from the current directory and maps it into memory. The ‘CM’ file contains a shellcode and an encrypted PE file. The base at which the dll is mapped is saved at offset 0x4b08b from the start of mapped memory. Next it creates a new heap memory to copy just  the shellcode which is present at offset 0x4a697 of size 0xA3C bytes. The execution is transferred to shellcode by abusing the windows callback feature, the malware calls EnumWindowsStationsW with a pointer to shellcode as first argument. 

Figure 4: Executing shellcode using callback function

The shellcode copies an encoded PE from the CM File from offset 0x4be9c and decodes it in memory, which is the Phobos crypter.  

Figure 5: Phobos crypter PE decoded in memory

Once the PE file is decoded, the shellcode maps it section by section into the memory and transfers the execution to its Entrypoint.

Figure 6: Execution transfer from shellcode to decode PE

Once the execution is transferred to the Phobos crypter, we can dump the final payload by setting a breakpoint on VirtualAlloc and VirtualProtect.  As shown in Figure 7, there are 3 calls made to decrypt the final PE file completely into our memory, Memory protection constants are modified accordingly and execution is transferred to the final Phobos Ransomware. The encrypted files were tagged with the extension ‘.devos’.

Figure 7: Crypter decrypting Phobos ransomware in memory

We at K7 Labs provide detection against latest threats and also for this Phobos Ransomware. Users are advised to use a reliable security product such as “K7 Total Security” and keep it up-to-date so as to safeguard their devices.

IoCs


File Name

Hash

Detection Name

Installer (setup.exe)

AAA058858261D7C0E73FA1B8264A9A3D

Riskware ( 00584baa1 )

Shellcode Loader     (NlogExt.dll)

1A75878DEA8F5580C25E0B9F1C734949

Trojan ( 0059e68e1 )

Phobos Crypter

25674F5426C59051960F0D00F06F0B77

Riskware ( 0040eff71 )

Phobos Ransomware

9DE437C0A1F9E633186F5F631D32AF8A

Trojan ( 0001140e1 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Phobos Ransomware found to be using DLL Side Loading”