Signed DLL Campaigns / Polyglot

Industry: N/A | Level: Operational | Source: Medium

Security researchers - Jason Reaves and Joshua Platt, shared campaign details associated with tactics from ‘Polyglotting’ to help bypass security checks. As found by the researchers "Recently an actor has begun using a technique of embedding VBScript data at the end of Microsoft signed DLLs in order to GPG decrypt and then detonate payloads." Recent campaigns have distributed malicious files through illegitimate software installers, malware that has been distributed includes AterAgent RAT, Zloader, Gozi, and Cobalt Strike. There is a variation of activity, with most associated with the VBScript altering window defender, invoking a PowerShell download, registry modification, and some with shutdown commands.

• Anvilogic Scenario: Polyglot - Signed DLLs
• Anvilogic Use Cases:
• Cscript or Wscript execution
• Invoke-WebRequest Command
• Modify Windows Defender