Add Known DLLs used by DarkGate for DLL Sideloading (#73)

Co-authored-by: Wietze <[email protected]>
wietze · Apr 15, 2024 · 18ea715 · 18ea715
1 parent 4778bba
commit 18ea715
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/.github/schema/schema.yml b/.github/schema/schema.yml
@@ -10,7 +10,7 @@ mapping:
 
   Author:
     type: str
-    pattern: '^\w[\w\s\-'']+\w$'
+    pattern: '^\w[\w\s\-'',]+\w$'
     required: true
 
   Created:

diff --git a/yml/3rd_party/apple/corefoundation.yml b/yml/3rd_party/apple/corefoundation.yml
@@ -0,0 +1,27 @@
+---
+Name: corefoundation.dll
+Author: Matt Anderson - HuntressLabs
+Created: 2024-04-13
+Vendor: Apple
+ExpectedLocations:
+  - '%PROGRAMFILES%\Common Files\Apple\Apple Application Support'
+  - '%SYSTEM32%'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\iTunes\ituneshelper.exe'
+    Type: Sideloading
+    SHA256:
+      - '0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda'
+  - Path: '%PROGRAMFILES%\QuickTime\QuickTimePlayer.exe'
+    Type: Sideloading
+    SHA256:
+      - 'b3a7ff97aca1201758c5295afa7d34e8d05f429b7faf707cf4d5740b8c76cb61'
+Resources:
+  - https://analyze.intezer.com/analyses/82011cc1-c3df-4c63-9945-8730b0d1cf3e
+  - https://www.virustotal.com/gui/file/ff5e56c20591a9019eb28b3cab88f5a240657c1c360bf01ad3a6d417fa10b7f5
+  - https://www.joesandbox.com/analysis/1394928/0/html
+  - https://www.virustotal.com/gui/file/0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda/details
+  - https://discussions.apple.com/thread/2732037?sortBy=best
+  - https://iosninja.io/dll/download/corefoundation-dll
+Acknowledgements:
+  - Name: Matt Anderson
+    Twitter: '@nosecurething'
diff --git a/yml/3rd_party/nvidia/libcef.yml b/yml/3rd_party/nvidia/libcef.yml
@@ -0,0 +1,19 @@
+---
+Name: libcef.dll
+Author: Matt Anderson - HuntressLabs
+Created: 2024-04-13
+Vendor: Nvidia
+ExpectedLocations:
+  - '%PROGRAMFILES%\NVIDIA Corporation\NVIDIA GeForce Experience'
+VulnerableExecutables:
+  - Path: '%Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDA Share.exe'
+    Type: Sideloading
+    SHA256:
+      - 'f1e2f82d5f21fb8169131fedee6704696451f9e28a8705fca5c0dd6dad151d64'
+Resources:
+  - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
+  - https://analyze.intezer.com/analyses/93e92d7a-9a46-4c1c-8ac0-87b4453beeb8
+  - https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f
+Acknowledgements:
+  - Name: Matt Anderson
+    Twitter: '@nosecurething'
diff --git a/yml/3rd_party/qfx/keyscramblerie.yml b/yml/3rd_party/qfx/keyscramblerie.yml
@@ -1,6 +1,6 @@
 ---
 Name: keyscramblerie.dll
-Author: Swachchhanda Shrawan Poudel
+Author: Matt Anderson - HuntressLabs, Swachchhanda Shrawan Poudel
 Created: 2024-04-15
 Vendor: QFX
 ExpectedLocations:
@@ -20,5 +20,7 @@ Resources:
   - https://www.virustotal.com/gui/file/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/details
   - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1
 Acknowledgements:
+  - Name: Matt Anderson
+    Twitter: '@nosecurething'
   - Name: Swachchhanda Shrawan Poudel
     Twitter: '@_swachchhanda_'