From 18ea71548fdfd078af7ab541199a57d8c099cb49 Mon Sep 17 00:00:00 2001
From: Matt Anderson <75185144+MATTANDERS0N@users.noreply.github.com>
Date: Mon, 15 Apr 2024 17:42:02 -0500
Subject: [PATCH] Add Known DLLs used by DarkGate for DLL Sideloading (#73)

Co-authored-by: Wietze
---
 .github/schema/schema.yml | 2 +-
 yml/3rd_party/apple/corefoundation.yml | 27 ++++++++++++++++++++++++++
 yml/3rd_party/nvidia/libcef.yml | 19 ++++++++++++++++++
 yml/3rd_party/qfx/keyscramblerie.yml | 4 +++-
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 yml/3rd_party/apple/corefoundation.yml
 create mode 100644 yml/3rd_party/nvidia/libcef.yml

diff --git a/.github/schema/schema.yml b/.github/schema/schema.yml
index 4c06f7b4..461275ab 100644
--- a/.github/schema/schema.yml
+++ b/.github/schema/schema.yml
@@ -10,7 +10,7 @@ mapping:
   Author:
     type: str
-    pattern: '^\w[\w\s\-'']+\w$'
+    pattern: '^\w[\w\s\-'',]+\w$'
     required: true
   Created:
diff --git a/yml/3rd_party/apple/corefoundation.yml b/yml/3rd_party/apple/corefoundation.yml
new file mode 100644
index 00000000..43a12ff1
--- /dev/null
+++ b/yml/3rd_party/apple/corefoundation.yml
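Review bot: The widened `pattern` now lets a comma appear anywhere inside `Author`, but nothing in the schema records that the field has become a comma-separated list of authors, which is how the keyscramblerie.yml change in this same commit uses it, so a consumer that wants to split the field has no stated separator to rely on. Suggest a comment directly above the pattern line, `# Comma-separated list of authors; each entry is free text`, so the convention survives the next schema edit. The enclosing `mapping:` block starts and continues outside this hunk.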
@@ -0,0 +1,27 @@
+---
+Name: corefoundation.dll
+Author: Matt Anderson - HuntressLabs
+Created: 2024-04-13
+Vendor: Apple
+ExpectedLocations:
+  - '%PROGRAMFILES%\Common Files\Apple\Apple Application Support'
+  - '%SYSTEM32%'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\iTunes\ituneshelper.exe'
+    Type: Sideloading
+    SHA256:
+      - '0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda'
+  - Path: '%PROGRAMFILES%\QuickTime\QuickTimePlayer.exe'
+    Type: Sideloading
+    SHA256:
+      - 'b3a7ff97aca1201758c5295afa7d34e8d05f429b7faf707cf4d5740b8c76cb61'
+Resources:
+  - https://analyze.intezer.com/analyses/82011cc1-c3df-4c63-9945-8730b0d1cf3e
+  - https://www.virustotal.com/gui/file/ff5e56c20591a9019eb28b3cab88f5a240657c1c360bf01ad3a6d417fa10b7f5
+  - https://www.joesandbox.com/analysis/1394928/0/html
+  - https://www.virustotal.com/gui/file/0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda/details
+  - https://discussions.apple.com/thread/2732037?sortBy=best
+  - https://iosninja.io/dll/download/corefoundation-dll
+Acknowledgements:
+  - Name: Matt Anderson
+    Twitter: '@nosecurething'
diff --git a/yml/3rd_party/nvidia/libcef.yml b/yml/3rd_party/nvidia/libcef.yml
new file mode 100644
index 00000000..5e3c49b9
--- /dev/null
+++ b/yml/3rd_party/nvidia/libcef.yml
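Review bot: `ExpectedLocations` lists `'%SYSTEM32%'` next to the Apple Application Support directory, and since an expected location is presumably where a copy of the DLL is treated as legitimate, a corefoundation.dll dropped into System32 would not be flagged by anything built on this entry, so that line needs a source. None of the listed `Resources` obviously documents a System32 install of this DLL (the Apple discussions thread may, but the entry does not say so); either cite the supporting reference or drop the entry. The `ff5e56c2…` VirusTotal link under `Resources` is also not one of the two executable hashes above it, so a short inline comment on that line stating what the sample is (for example the sideloaded DLL itself) would spare the next reader a lookup.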
@@ -0,0 +1,19 @@
+---
+Name: libcef.dll
+Author: Matt Anderson - HuntressLabs
+Created: 2024-04-13
+Vendor: Nvidia
+ExpectedLocations:
+  - '%PROGRAMFILES%\NVIDIA Corporation\NVIDIA GeForce Experience'
+VulnerableExecutables:
+  - Path: '%Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDA Share.exe'
+    Type: Sideloading
+    SHA256:
+      - 'f1e2f82d5f21fb8169131fedee6704696451f9e28a8705fca5c0dd6dad151d64'
+Resources:
+  - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
+  - https://analyze.intezer.com/analyses/93e92d7a-9a46-4c1c-8ac0-87b4453beeb8
+  - https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f
+Acknowledgements:
+  - Name: Matt Anderson
+    Twitter: '@nosecurething'
diff --git a/yml/3rd_party/qfx/keyscramblerie.yml b/yml/3rd_party/qfx/keyscramblerie.yml
index 253125c4..73c2f013 100644
--- a/yml/3rd_party/qfx/keyscramblerie.yml
+++ b/yml/3rd_party/qfx/keyscramblerie.yml
@@ -1,6 +1,6 @@
 ---
 Name: keyscramblerie.dll
-Author: Swachchhanda Shrawan Poudel
+Author: Matt Anderson - HuntressLabs, Swachchhanda Shrawan Poudel
 Created: 2024-04-15
 Vendor: QFX
 ExpectedLocations:
@@ -20,5 +20,7 @@ Resources:
   - https://www.virustotal.com/gui/file/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/details
   - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1
 Acknowledgements:
+  - Name: Matt Anderson
+    Twitter: '@nosecurething'
   - Name: Swachchhanda Shrawan Poudel
     Twitter: '@_swachchhanda_'
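Review bot: The `Path` under `VulnerableExecutables` starts with `%Program Files (x86)`, a placeholder that is missing its closing `%` and does not match the `%PROGRAMFILES%` form used one stanza up in `ExpectedLocations` and in every other path in this commit, so any consumer that expands these placeholders will leave this path unresolved and the entry will never match on disk. `NVIDA Share.exe` also looks like a typo for `NVIDIA Share.exe`; confirm the binary name against the hashed sample rather than the vendor directory name. Suggest `  - Path: '%PROGRAMFILES%\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe'`, or the project's own x86 placeholder if the convention defines one, and a one-line comment if the 32-bit install root is intentional.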