Attackers targeting non-governmental organizations in Myanmar with new ‘KilllSomeOne’ backdoor
Operators used four different DLL side-loading scenarios to install and execute new malware after removing a resident PlugX Backdoor
Sophos uncovered attackers using DLL side-loading to execute malicious code and install backdoors in the networks of targeted organizations. A report published, “A New APT uses DLL Side-loads to Killl Someone,” outlines the discovery of four different DLL side-loading scenarios, which all share the same program database path and some of which carry a file named “KilllSomeOne.” The targeting of these attacks — against non-governmental organizations and other organizations in Myanmar — and other characteristics of the malware suggest that the attackers involved may be a Chinese APT group.
The attackers have implemented a spin on the side-loading methods often associated with Chinese threat actors and used in the well known PlugX backdoor. Two of the scenarios deliver a payload carrying a simple shell, while the other two carry a more complex set of malware that can install and execute the payload and collect data on the target. Combinations from both sets were used in the same attacks.