Summary
DLL side-loading is a popular technique used by threat actors to execute malicious payloads under the umbrella of a benign, usually legitimate, executable. This allows the threat actor to exploit whitelists in security products that exclude trusted executables from detection. Among others, this technique has been leveraged by APT41 to deploy DUSTTRAP and Daggerfly to deliver Nightdoor backdoor.
During threat hunting activities, the Netskope team discovered a legitimate iTop Data Recovery application side-loading a backdoor we named Yokai that, to the best of our knowledge, has not been publicly documented yet. In this blog we will analyze the infection chain and dive deep into the internals of the Yokai backdoor.
Decoy documents
During our threat hunting activities, we discovered a RAR file that contained two LNK shortcut files named in Thai, named กระทรวงยุติธรรมสหรัฐอเมริกา.pdf and ด่วนที่สุด ทางการสหรัฐอเมริกาขอความร่วมมือระหว่างประเทศในเรื่องทางอาญา.docx. Translated, both documents are called “United States Department of Justice.pdf” and “Urgently, United States authorities ask for international cooperation in criminal matters.docx” respectively.
Clicking the shortcut files triggers the copying of content from an alternate data stream (ADS) named “file.exf” into decoy PDF and Word documents using esentutl.Esentutl is a Windows binary commonly abused to transfer malicious payload from alternate data streams.
After the copying is complete, the shortcut files open the decoy documents, giving the impression that their sole purpose is to display harmless content.
Dropper emerges from an alternate data stream
The shortcut file with a DOCX extension contains two data streams: the “file.exf” which is used to create a decoy document, and “file.ext” which contains the malicious payload.
The malicious payload is copied to an executable named “file.exe” using esentutl. If successful, the command prompt launches “file.exe” using start command.
Upon execution of file.exe, it drops three files on the folder path C:\ProgramData\police. IdrInit.exe is a legitimate iTop Data Recovery application abused to side-load the malicious DLL ProductStatistics3.dll. IdrInit.exe is executed by file.exe. The file IdrInit.exe.data contains information sent by the C2. The contents will be described later in this blog.