In the past ToddyCat exploited vulnerabilities in publicly exposed Microsoft Exchange servers, but it also delivers malware through spear-phishing emails that have malicious archives attached. These archives contain the legitimate executables together with the rogue side-loaded DLL.
According to Check Point, one application exploited in recent attacks is called Dante Discovery and is made by a company called Audinate. In a spear-phishing attack against a Vietnamese telecom company, the attackers sent an archive containing Dante Discovery’s executable renamed to mDNSResponder.exe along with a malicious side-loaded DLL named dal_keepalives.dll, which is a library the software looks for.
The rogue dal_keepalives.dll is a simple malware loader that is used to set up persistence by copying the executable and DLL pair to the Application Data folder and creating a scheduled task called AppleNotifyService to keep executing it. The malware loader is used to execute a simple backdoor that Check Point calls “CurKeep.”
“The [CurKeep] main payload logic consists of three primary functionalities: report, shell, and file,” the researchers said. “Each of those is assigned to a different message type that is sent to the C&C server. When executed, the payload initially runs the report functionality, sending basic recon info to the C&C server. It then creates two separate threads that repeatedly run the shell and file functionalities.”
The shell functionality is used by the attackers to remotely execute shell commands on the machine, and the file feature is used to download files to disk that are then executed.
Meanwhile, the Kaspersky researchers reported seeing similar side-loading tactics taking advantage of vlc.exe, a popular open-source video player, with a rogue accompanying file called playlist.dat, or malware loaders in the form of DLL files that are loaded directly with the rundll32.exe Windows utility.
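A defender-side hunting check for the two persistence patterns described above (a scheduled task that launches a renamed legitimate host such as mDNSResponder.exe from the user's Application Data folder, and rundll32.exe loading a loader DLL from a user-writable location), written here as an added Python example rather than code from Check Point, Kaspersky or the article. It assumes task definitions in the Task Scheduler XML schema (the format embedded in Windows Security event 4698); the sample definitions, user name and loader.dll path are constructed, and only AppleNotifyService, mDNSResponder.exe and vlc.exe come from the reporting above.

```python
import re
import xml.etree.ElementTree as ET

# Directories a standard user can write to. Vendor software normally runs from
# Program Files, so a task launching from here matches the copy-to-AppData step.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads|Public)\\", re.I)

# Legitimate executables the reporting above describes as side-loading hosts.
ABUSED_HOSTS = {"mdnsresponder.exe", "vlc.exe"}
TASK_XMLNS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = "{" + TASK_XMLNS + "}"

def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Extract (command, arguments) pairs from a Task Scheduler task definition."""
    root = ET.fromstring(task_xml)
    pairs = []
    for node in root.iter(NS + "Exec"):
        cmd = (node.findtext(NS + "Command") or "").strip().strip('"')
        args = (node.findtext(NS + "Arguments") or "").strip()
        pairs.append((cmd, args))
    return pairs

def assess_task(task_name: str, task_xml: str) -> list[str]:
    """Return the reasons (possibly none) a task looks like side-loading persistence."""
    reasons = []
    for cmd, args in exec_actions(task_xml):
        exe = cmd.rsplit("\\", 1)[-1].lower()
        if USER_WRITABLE.search(cmd):
            reasons.append(f"{task_name}: runs {exe} from a user-writable directory")
        if exe in ABUSED_HOSTS:
            reasons.append(f"{task_name}: {exe} is a known side-loading host; check sibling DLLs")
        if exe == "rundll32.exe" and USER_WRITABLE.search(args):
            reasons.append(f"{task_name}: rundll32 loads a DLL from a user-writable directory")
    return reasons

# Constructed sample task definitions (not artifacts recovered from the campaign);
# the first mirrors the AppleNotifyService persistence entry reported above.
SAMPLE_TASKS = {
    "AppleNotifyService": '<Task xmlns="' + TASK_XMLNS + '"><Actions><Exec>'
        '<Command>"C:\\Users\\victim\\AppData\\Roaming\\mDNSResponder.exe"</Command>'
        '</Exec></Actions></Task>',
    "ScheduledDefrag": '<Task xmlns="' + TASK_XMLNS + '"><Actions><Exec>'
        '<Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h</Arguments>'
        '</Exec></Actions></Task>',
    "UpdateCheck": '<Task xmlns="' + TASK_XMLNS + '"><Actions><Exec>'
        '<Command>C:\\Windows\\System32\\rundll32.exe</Command>'
        '<Arguments>C:\\Users\\victim\\AppData\\Local\\Temp\\loader.dll,Start</Arguments>'
        '</Exec></Actions></Task>',
}
```

On a live host the same task XML can be obtained per task with `schtasks /query /xml` and fed to `assess_task`.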