Advanced Cyber Threat Exploits DLL Side Loading with Yokai Backdoor

Threat Group: Unspecified Threat Actor
Threat Type: Backdoor Malware
Exploited Vulnerabilities: DLL Side-Loading
Malware Used: Yokai Backdoor
Threat Score: High (8.5/10) – Due to its targeted approach against government officials, sophisticated delivery mechanisms, and potential for significant data exfiltration.
Last Threat Observation: December 16, 2024

Overview

A recent cyber-espionage campaign has been identified targeting Thai government officials through the deployment of a previously undocumented backdoor named "Yokai." The attack leverages DLL side-loading techniques to execute malicious payloads under the guise of legitimate applications. The campaign was first reported on December 14, 2024.

This attack demonstrates a highly targeted approach, focusing on high-value individuals within government sectors. Using spear-phishing tactics, the attackers delivered the malware with deceptive file names and decoy documents. The operation highlights the persistent threat posed by advanced cyber-espionage campaigns.

Key Details

Delivery Method: Spear-phishing emails containing RAR archives with malicious shortcut files designed to appear as important legal or governmental documents.

Target: Thai government officials, particularly those involved in sensitive administrative or diplomatic functions.

Functions:

  • Persistence: Creates registry entries and scheduled tasks to maintain long-term access.
  • Command Execution: Executes system commands through cmd.exe, enabling the attacker to manipulate the infected machine remotely.
  • Data Exfiltration: Steals sensitive files and sends them to the command-and-control (C2) server.
  • Network Scanning: Performs reconnaissance on the internal network to identify additional targets.
  • Credential Harvesting: Extracts login credentials from browser stores and system memory.

Obfuscation Techniques:

  • DLL Side-Loading: Exploits legitimate software to execute malicious DLLs.
  • File Name Impersonation: Uses file names and icons resembling trusted governmental or legal documents to reduce suspicion.
  • Decoy Documents: Opens harmless-looking documents while deploying malicious payloads in the background.

Attack Vectors

The attack sequence begins with carefully crafted spear-phishing emails targeting Thai government officials. These emails contain RAR archives embedded with Windows shortcut (.LNK) files, disguised as legitimate legal or government-related documents. The file names are written in Thai to enhance credibility and avoid raising suspicion.

Upon extraction and execution of the LNK files, the attackers employ a dual-stage approach:

  1. Decoy Document Display: As a diversion, authentic-looking PDF and DOCX files named "United States Department of Justice.pdf" and "United States government requests international cooperation in criminal matters.docx" are opened to trick the victim into believing they accessed legitimate documents.
  2. Malware Deployment: Concurrently, the shortcut files execute a dropper, deploying the Yokai backdoor through DLL side-loading. The dropper abuses the iTop Data Recovery application to load malicious DLL files into memory, ensuring stealthy malware execution.

The backdoor establishes persistence, connects to its C2 infrastructure, and begins exfiltrating sensitive information while enabling full remote access for the threat actors. This sophisticated chain of execution makes detection challenging, highlighting the advanced capabilities of the attackers.
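The side-loading step above (a legitimate executable launched from a user-writable directory that loads an unsigned DLL sitting next to it) is visible in Sysmon Event ID 7 (ImageLoad) telemetry. The following detection heuristic is an added example, not code from the advisory or from any vendor; the Sysmon field names (Image, ImageLoaded, Signed, SignatureStatus) are real, while the sample events, file names and paths are constructed placeholders.

```python
# Flag likely DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.
# Heuristic: the DLL is unsigned, lives outside the Windows system
# directories, sits in a user-writable folder, and is loaded by a process
# running from that same folder. Sample events are constructed, not real.
import re

# Directories a trusted Windows DLL is normally loaded from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# Folders an ordinary user can write to, where a phishing-delivered
# payload typically lands.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\",
    re.IGNORECASE)

def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"

def is_sideload_candidate(ev: dict) -> bool:
    """True if one ImageLoad event matches the side-loading heuristic."""
    loaded, proc = ev.get("ImageLoaded", ""), ev.get("Image", "")
    if not loaded.lower().endswith(".dll"):
        return False
    if _dir(loaded).startswith(SYSTEM_DIRS):
        return False  # system DLLs are out of scope for this heuristic
    unsigned = (ev.get("Signed", "").lower() != "true"
                or ev.get("SignatureStatus", "").lower() != "valid")
    same_dir = _dir(loaded) == _dir(proc)
    writable = bool(USER_WRITABLE.match(_dir(loaded)))
    return unsigned and same_dir and writable

def find_sideloads(events: list[dict]) -> list[str]:
    """Return the ImageLoaded paths of all flagged events, in order."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]

# Constructed sample telemetry (placeholder names, not campaign IoCs).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\bob\AppData\Local\Temp\recovery_tool.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\payload.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\recovery_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("possible DLL side-loading:", hit)
```

Only the unsigned DLL loaded from the same Temp folder as its host executable is flagged; a signed system DLL and a signed vendor DLL in Program Files pass.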

Known Indicators of Compromise (IoCs)


Mitigation and Prevention

  • User Awareness: Conduct training to recognize spear-phishing attempts and avoid opening unsolicited attachments.
  • Email Filtering: Implement advanced email filtering to detect and block malicious attachments and links.
  • Antivirus Protection: Ensure antivirus solutions are updated to detect and quarantine the Yokai backdoor and associated malicious files.
  • Two-Factor Authentication (2FA): Enforce 2FA to add an additional layer of security against unauthorized access.
  • Monitor Logs: Regularly review system and network logs for unusual activities indicative of compromise.
  • Regular Updates: Keep all software and systems updated to mitigate vulnerabilities exploited by DLL side-loading techniques.

Risk Assessment

The Yokai backdoor poses a significant threat due to its targeted nature against government officials, the sophistication of its delivery through DLL side-loading, and its capabilities to execute arbitrary commands, potentially leading to severe data breaches and espionage activities.

Conclusion

Organizations, particularly within governmental sectors, should remain vigilant against spear-phishing campaigns and implement robust security measures to detect and prevent malware like the Yokai backdoor. Regular training, system updates, and comprehensive monitoring are essential to safeguard against such sophisticated threats.

Sources