This blog post comes from the Rugmi Loader Technical Analysis report. If you want to read more details, download it as a PDFclick here
Summary
This report aims to provide a comprehensive technical analysis of Rugmi Loader. Through this analysis, we aim to provide valuable insights into how it functions, ultimately contributing to the enhancement of cybersecurity measures against these sophisticated threats.
The latest DLL hijacking technique utilizes phishing to distribute an executable that appears legitimate, accompanied by a .png file containing configuration data and DLLs with various purposes. The decrypted configuration data, facilitated by the DLL, then triggers the loading of multiple DLLs onto the system. Additionally, as an evasion tactic, direct system calls are observed, along with the use of the Heaven’s Gate technique. The malicious DLL is injected into seemingly legitimate programs such as cmd.exe, paving the way for the final payload—stealer types—to manifest malicious activity within the system via explorer.exe.
Scope
| Filename | Bur_Oil_Company.zip |
| Filetype | ZIP |
| Written Language | – |
| MD5 | 7981e2f467362b08d22fad773e24df3b |
| SHA1 | 3cd4952c6b2c192a41f7f625d9b94d27a869858e |
| SHA256 | 3ccf4a79e6dc06def1c928e1378a9ea64274089d0d6c4da758d0c9acab20324e |
| First Seen / Detection Date | 2023-10-11 |
| Initial Infection Vector | Phishing Mail |
| Filename | Bur_Oil_Company.exe |
| Filetype | Win64 EXE |
| Written Language | C/C++ |
| MD5 | 64e3c6d6a396836e3c57b81e4c7c8f3b |
| SHA1 | f689e6995c85817193282163a18ec917c5f8d5c2 |
| SHA256 | f2b4ca304f3d9d3305ae595e19906c545601f8c9e215a9b598036e89155daf85 |
| First Seen / Detection Date | 2023-10-11 |
| Initial Infection Vector | Phishing Mail |
| Filename | mozglue.dll |
| Filetype | Win32 DLL |
| Written Language | C/C++ |
| MD5 | 9f827d15fe257543fa8c8c42c33e389a |
| SHA1 | 76ab3458d75986bd1be148a5ca2d22318622b7c5 |
| SHA256 | 7f8f310241aa93dee7b4c0e97c1d30b8e50e96ffec619288de13f25d2ca555c7 |
| First Seen / Detection Date | 2023-10-11 |
| Initial Infection Vector | Phishing Mail |
T
Infection Chain
MITRE ATTA&CK Threat Matrix
- TA001 Initial Access
- T1566 Phishing
- TA002 Execution
- T1204 User Execution
- T1204.002 Malicious File
- T1106 Native API
- T1204 User Execution
- TA005 Defense Evasion
- T1140 Deobfuscate/Decode Files or Information
- T1036 Masquerading
- T1055 Process Injection
Mitigation Strategies
- Configure systems to use secure DLL search paths, reducing the risk of DLL search order hijacking. This can involve specifying the full path for loading DLLs.
- Keep operating systems, applications, and security software up to date with the latest patches and updates.
- Employ advanced email filtering solutions to identify and block phishing emails.
- Participate in threat intelligence-sharing communities to stay informed about emerging phishing threats.
This blog post comes from the Rugmi Loader Technical Analysis report. If you want to read more details, download it as a PDFclick here
