Hexacorn

Last Updated 2023-02-25

Added xdbg32 from Trend Micro article.

Last Updated 2019-09-20

A few more updates thanks to @bartblaze !!!

Last Updated 2018-10-18

Updated mistake in tplcdclr.exe –> wtsapi32.dll –>wts.chm combo and added VeetlePlayer.exe –> libvlc.dll –>mtcReport.ktc; thanks to @KyleHanslovan !!!

Last Updated 2017-01-26

At the end of last post I mentioned PlugX. The idea used by this malware is pretty clever and relies on taking a legitimate signed .exe that is dependent on a DLL and swapping the DLL with the malicious replacement which – when loaded – decrypts/loads the final payload to memory. The trick used by PlugX is referred to as DLL Side-loading and I thought it will be nice to try summarizing various versions of this persistence trick described by various blogs.

The below are triplets describing the following PlugX components:

legitimate .exe [‘Source’ refers to the article/blog/WP describing it]
- DLL Side-loaded .dll
  - Payload

Here they are…

AShld.exe [Source]
- AShldRes.DLL
  - AShldRes.DLL.asr
CamMute.exe [Source]
- CommFunc.dll
  - CommFunc.jax
chrome_frame_helper.exe [Source PDF] Thx to @bartblaze
- chrome_frame_helper.dll
  - chrome_frame_helper.dll.rom
dvcemumanager.exe [Source]
- DESqmWrapper.dll
  - DESqmWrapper.wrapper
fsguidll.exe [Source]
- fslapi.dll
  - fslapi.dll.gui
fsstm.exe [Source]
- FSPMAPI.dll
  - FSPMAPI.dll.fsp
Gadget.exe [Source]
- Sidebar.dll
  - Sidebar.dll.doc
hhc.exe [Source]
- hha.dll
  - hha.dll.bak
hkcmd.exe [Source]
- hccutils.dll
  - hccutils.dll.res
LoLTWLauncher.exe [Source] Thx to @bartblaze
- NtUserEx.dll
  - NtUserEx.dat
Mc.exe [Source]
- McUtil.dll
  - McUtil.dll.url
mcf.exe [Source]
- mcutil.dll
  - mcf.ep
mcupdui.exe [Source]
- McUtil.dll
  - McUtil.dll.ping
mcut.exe [Source]
- McUtil.dll
  - mcutil.dll.bbc
MsMpEng.exe [Source]
- MpSvc.dll
  - MpSvc
msseces.exe [Source] Thx to @bartblaze
- mPclient.dll
  - msseces.asm
NvSmart.exe [Source]
- NvSmartMax.dll
  - boot.ldr
OInfoP11.exe [Source]
- OInfo11.ocx
  - OInfo11.ISO
OleView.exe [Source]
- ACLUI.DLL
  - ACLUI.DLL.UI
OleView.exe [Source] Thx to @KyleHanslovan
- iviewers.dll
  - <unknown>
POETWLauncher.exe [Source] Thx to @bartblaze
- NtUserEx.dll
  - NtUserEx.dat
RasTls.exe [Source]
- RasTls.dll
  - RasTls.dll.msc or RasTls.dll.config
rc.exe [Source] Thx to @KyleHanslovan
- rc.dll
  - rc.hlp
RunHelp.exe [Source]
- ssMUIDLL.dll
  - ssMUIDLL.dll.conf
sep_NE.exe [Source] Thx to @KyleHanslovan
- winmm.dll
  - sep_NE.slf
Setup.exe [Source]
- msi.dll
  - msi.dll.dat
sx.exe [Source] Thx to @bartblaze
- SXLOC.DLL
  - SXLOC.ZAP
tplcdclr.exe [Source] Thx to @KyleHanslovan
- wtsapi32.dll
  - wts.chm
Ushata.exe [Source]
- Ushata.dll
  - Ushata.fox
VeetlePlayer.exe [Source; PDF warning] Thx to @KyleHanslovan
- libvlc.dll
  - mtcReport.ktc
x32dbg.exe [Source]
- x32bridge.dll
  - x32bridge.dat

There is also a potential combo:

AFLogVw.exe [Source]
- AhnI2.dll
  - <unknown>

Now, a request – if you know any other combo that I have not included on the list, please let me know+provide a reference/source and I will add it to the list. Thanks!

A long time ago in a galaxy far, far away…. Microsoft was releasing new versions of a super uber cool pre-web era editing control called Rich Edit. I remember programming one of my early Windows API apps ages ago and at that time I was a bit puzzled. Puzzled, because I had to distinguish a version of Rich Edit control I could use and then I had to ensure that I load respective library myself to use certain features of the Rich Edit control.

The Rich Edit control was and still is a great editing control – it supports multi-line editing, Unicode, COM, and lots of other whistles and fireworks. It became a foundation of many applications and editors and in many aspects was ahead of its time. The libraries used by the various versions of the library are as follows:

1.0 – Riched32.dll
2.0 – Riched20.dll
3.0 – Riched20.dll
4.1 – Msftedit.dll

And yes, you know where it is going…

Many apps following the Microsoft’s mantra of loading the appropriate Rich Edit control would use LoadLibrary API and open it up to a nice DLL hijack.

Dropping malicious Riched20.dll and/or Riched32.dll in the same directory as the applications relying on Rich Edit control will lead to the execution of the malicious code each time the app is launched.

A popular example of such app is WinRar. Many people use it as a standalone app and winrar.exe works w/o any supporting files so can be dropped anywhere. Other examples include a very old, but still popular Resource Hacker, as well as some tools from Sysinternals f.ex. ADInsight.exe, Bginfo.exe, FileInsight from McAfee, old EditPad, OllyDbg, and many more…

The newer version of Rich Edit DLL (Msftedit.dll) is maybe less common, but can be still found in popular applications. One I came across is aswMBR.exe from AVAST – the below pops up with my decoy DLL being dropped inside the same dir as aswMBR.exe and activates when I try to Save the log.

Since many applications using the Rich Edit are signed, the unsigned DLL may be loaded in a very same manner as PlugX malware i.e. signed .exe loading an unsigned .dll.

Hexacorn

Beyond good ol’ Run key, Part 36

Beyond good ol’ Run key, Part 35