From bb744e6056ec15ce57b44f4308e1fc6c9d957835 Mon Sep 17 00:00:00 2001
From: Jai Minton
Date: Sat, 13 Apr 2024 04:13:12 +0930
Subject: [PATCH 1/3] Add 4 new DLLs actively used ITW with search order hijacking (#72)
---
yml/3rd_party/asus/asio.yml | 26 +++++++++++++++++++++++++
yml/3rd_party/asus/asus_wmi.yml | 26 +++++++++++++++++++++++++
yml/3rd_party/cisco/wcldll.yml | 25 ++++++++++++++++++++++++
yml/3rd_party/glorylogic/badata_x64.yml | 20 +++++++++++++++++++
4 files changed, 97 insertions(+)
create mode 100644 yml/3rd_party/asus/asio.yml
create mode 100644 yml/3rd_party/asus/asus_wmi.yml
create mode 100644 yml/3rd_party/cisco/wcldll.yml
create mode 100644 yml/3rd_party/glorylogic/badata_x64.yml
diff --git a/yml/3rd_party/asus/asio.yml b/yml/3rd_party/asus/asio.yml
new file mode 100644
index 00000000..0c4da6e5
--- /dev/null
+++ b/yml/3rd_party/asus/asio.yml
@@ -0,0 +1,26 @@
+---
+Name: asio.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-10
+Vendor: Asus
+ExpectedLocations:
+ - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\ASUS\AXSP\4.02.12\atkexComSvc.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.
+ Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
+ Type: Authenticode
+ ExpectedVersionInformation:
+ - OriginalFilename: atkexComSvc.exe
+ InternalName: atkexComSvc.exe
+ FileDescription: ASUS Com Service
+ SHA256:
+ - '12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10'
+Resources:
+ - https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations
+ - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
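Review bot: The executable path hard-codes one release directory, `'%PROGRAMFILES%\ASUS\AXSP\4.02.12\atkexComSvc.exe'`, while ExpectedLocations on the line above uses the `%VERSION%` placeholder and the sibling asus_wmi.yml entry in this same commit uses `'%PROGRAMFILES%\ASUS\AXSP\%VERSION%\atkexComSvc.exe'` for what is the same binary (identical SHA256 and signer block). A consumer that matches on Path would therefore recognise the atkexComSvc.exe host for asio.dll only under 4.02.12 and miss every other AXSP build that ships it. Suggest `Path: '%PROGRAMFILES%\ASUS\AXSP\%VERSION%\atkexComSvc.exe'` so the two ASUS entries agree.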
diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml
new file mode 100644
index 00000000..efd6e24c
--- /dev/null
+++ b/yml/3rd_party/asus/asus_wmi.yml
@@ -0,0 +1,26 @@
+---
+Name: asus_wmi.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-10
+Vendor: Asus
+ExpectedLocations:
+ - '%PROGRAMFILES%\ASUS\AXSP\%VERSION%'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\ASUS\AXSP\%VERSION%\atkexComSvc.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: C=TW, L=Taipei City, O=ASUSTeK Computer Inc., CN=ASUSTeK Computer Inc.
+ Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert EV Code Signing CA (SHA2)
+ Type: Authenticode
+ ExpectedVersionInformation:
+ - OriginalFilename: atkexComSvc.exe
+ InternalName: atkexComSvc.exe
+ FileDescription: ASUS Com Service
+ SHA256:
+ - '12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10'
+Resources:
+ - https://www.virustotal.com/gui/file/006f91524d53d483074335f74c2ca2c10cab9b64de86f6151eedfa53174434f2/relations
+ - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml
new file mode 100644
index 00000000..287729ec
--- /dev/null
+++ b/yml/3rd_party/cisco/wcldll.yml
@@ -0,0 +1,25 @@
+---
+Name: wcldll.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-10
+Vendor: Cisco
+ExpectedLocations:
+ - '%PROGRAMFILES%\Cisco Systems\Cisco Jabber'
+ - '%PROGRAMFILES%\Webex\Applications'
+ - '%PROGRAMFILES%\Webex\Plugins'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\Webex\Applications\ptInst.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - OriginalFilename: ptInst.exe
+ InternalName: ptInst
+ FileDescription: WebEx PT ptInst Module
+ SHA256:
+ - 'bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5'
+Resources:
+ - https://www.virustotal.com/gui/file/bf1a0c67b433f52ebd304553f022baa34bfbca258c932d2b4b8b956b1467bfa5/details
+ - https://www.virustotal.com/gui/file/26227914bdad9baf491a9b966e6301fc997cff35c677dcfd9628654f4f6bc9fc/relations
+ - https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
diff --git a/yml/3rd_party/glorylogic/badata_x64.yml b/yml/3rd_party/glorylogic/badata_x64.yml
new file mode 100644
index 00000000..2f2d8e2a
--- /dev/null
+++ b/yml/3rd_party/glorylogic/badata_x64.yml
@@ -0,0 +1,20 @@
+---
+Name: badata_x64.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-10
+Vendor: Glorylogic
+ExpectedLocations:
+ - '%PROGRAMFILES%\True Burner'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\True Burner\TrueBurner.exe'
+ Type: Sideloading
+ ExpectedVersionInformation:
+ - FileDescription: True Burner
+ SHA256:
+ - '3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558'
+Resources:
+ - https://www.virustotal.com/gui/file/3e190f160218ad78c85c169dfd0828d36e4a366a3e2a61337391f0d7599a7558/relations
+ - https://www.virustotal.com/gui/file/9326dd40e37d720f15a0104f89d6e76eb7a75b6e1fad14018326dbaa01681e74/relations
+Acknowledgements:
+ - Name: Jai Minton
+ Twitter: '@cyberrraiju'
From 4778bba51eae415772843a7250cba763aba2d436 Mon Sep 17 00:00:00 2001
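Review bot: ExpectedLocations lists `'%PROGRAMFILES%\Cisco Systems\Cisco Jabber'` and `'%PROGRAMFILES%\Webex\Plugins'`, but the only VulnerableExecutables entry is ptInst.exe under `%PROGRAMFILES%\Webex\Applications`, so the entry names no executable that loads wcldll.dll from the Jabber or Plugins directories and none of the three Resources links is tied to them. A consumer that treats ExpectedLocations as the allow-list for where this DLL is legitimate will accept those two directories on the strength of nothing visible in the patch. Either add the corresponding VulnerableExecutables entries or put a short comment above those two lines stating they are install locations of the DLL only, e.g. `# DLL is installed here; no sideloading host recorded for this path`.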
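Review bot: ExpectedVersionInformation for TrueBurner.exe carries only `FileDescription: True Burner`, with no OriginalFilename or InternalName, whereas the other entries in this commit that use ExpectedVersionInformation pin OriginalFilename and InternalName as well. A FileDescription on its own is a weak discriminator because any binary can carry that string, and there is no ExpectedSignatureInformation to fall back on, so exact SHA256 is the only strong match left. If the TrueBurner.exe version resource exposes OriginalFilename/InternalName, add them; if it genuinely does not, a comment such as `# version resource exposes FileDescription only` would tell the next maintainer this is deliberate rather than an omission.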
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Tue, 16 Apr 2024 04:03:43 +0545
Subject: [PATCH 2/3] Keyscrambler.exe side-loading KeyScramblerIE.dll (#74)
---
yml/3rd_party/qfx/keyscramblerie.yml | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 yml/3rd_party/qfx/keyscramblerie.yml
diff --git a/yml/3rd_party/qfx/keyscramblerie.yml b/yml/3rd_party/qfx/keyscramblerie.yml
new file mode 100644
index 00000000..253125c4
--- /dev/null
+++ b/yml/3rd_party/qfx/keyscramblerie.yml
@@ -0,0 +1,24 @@
+---
+Name: keyscramblerie.dll
+Author: Swachchhanda Shrawan Poudel
+Created: 2024-04-15
+Vendor: QFX
+ExpectedLocations:
+ - '%PROGRAMFILES%\KeyScrambler'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\KeyScrambler\KeyScrambler.exe'
+ Type: Sideloading
+ SHA256:
+ - 'f1575259753f52aaabbd6baad3069605d764761c1da92e402f3e781ed3cf7cea'
+ - 'fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1'
+Resources:
+ - https://thehackernews.com/2024/03/two-chinese-apt-groups-ramp-up-cyber.html
+ - https://csirt-cti.net/2024/02/01/stately-taurus-continued-new-information-on-cyberespionage-attacks-against-myanmar-military-junta/
+ - https://bazaar.abuse.ch/sample/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/
+ - https://twitter.com/Max_Mal_/status/1775222576639291859
+ - https://twitter.com/DTCERT/status/1712785426895839339
+ - https://www.virustotal.com/gui/file/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/details
+ - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1
+Acknowledgements:
+ - Name: Swachchhanda Shrawan Poudel
+ Twitter: '@_swachchhanda_'
From 18ea71548fdfd078af7ab541199a57d8c099cb49 Mon Sep 17 00:00:00 2001
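Review bot: The KeyScrambler.exe entry lists two SHA256 values but, unlike the ASUS and Cisco entries earlier in this series, carries neither ExpectedSignatureInformation nor ExpectedVersionInformation, so a consumer can recognise the host binary only by exact hash and any other build of KeyScrambler.exe goes unmatched. If the QFX binaries are Authenticode-signed (the patch does not show this), adding the `ExpectedSignatureInformation` Subject/Issuer block, or at least `OriginalFilename`/`InternalName` under ExpectedVersionInformation, would let the entry cover future builds instead of just these two samples. Noting in the commit why those blocks are absent would also help the next maintainer tell a deliberate omission from an oversight.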
From: Matt Anderson <75185144+MATTANDERS0N@users.noreply.github.com>
Date: Mon, 15 Apr 2024 17:42:02 -0500
Subject: [PATCH 3/3] Add Known DLLs used by DarkGate for DLL Sideloading (#73)
Co-authored-by: Wietze
---
.github/schema/schema.yml | 2 +-
yml/3rd_party/apple/corefoundation.yml | 27 ++++++++++++++++++++++++
yml/3rd_party/nvidia/libcef.yml | 19 ++++++++++++++++++
yml/3rd_party/qfx/keyscramblerie.yml | 4 +++-
4 files changed, 50 insertions(+), 2 deletions(-)
create mode 100644 yml/3rd_party/apple/corefoundation.yml
create mode 100644 yml/3rd_party/nvidia/libcef.yml
diff --git a/.github/schema/schema.yml b/.github/schema/schema.yml
index 4c06f7b4..461275ab 100644
--- a/.github/schema/schema.yml
+++ b/.github/schema/schema.yml
@@ -10,7 +10,7 @@ mapping:
 Author:
 type: str
- pattern: '^\w[\w\s\-'']+\w$'
+ pattern: '^\w[\w\s\-'',]+\w$'
 required: true
 Created:
diff --git a/yml/3rd_party/apple/corefoundation.yml b/yml/3rd_party/apple/corefoundation.yml
new file mode 100644
index 00000000..43a12ff1
--- /dev/null
+++ b/yml/3rd_party/apple/corefoundation.yml
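Review bot: The widened Author pattern `'^\w[\w\s\-'',]+\w$'` now accepts a comma anywhere in the middle of the value, which exists to let the comma-joined two-author string introduced in keyscramblerie.yml later in this same commit validate, but nothing in the schema records that Author may hold several people or how they are separated. A one-line comment above the pattern would make that contract explicit for the next contributor, e.g. `# comma allowed so several authors can be listed, e.g. "A - Org, B"`. The `mapping:` block this hunk belongs to starts before the hunk and the Created entry continues after it.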
@@ -0,0 +1,27 @@
+---
+Name: corefoundation.dll
+Author: Matt Anderson - HuntressLabs
+Created: 2024-04-13
+Vendor: Apple
+ExpectedLocations:
+ - '%PROGRAMFILES%\Common Files\Apple\Apple Application Support'
+ - '%SYSTEM32%'
+VulnerableExecutables:
+ - Path: '%PROGRAMFILES%\iTunes\ituneshelper.exe'
+ Type: Sideloading
+ SHA256:
+ - '0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda'
+ - Path: '%PROGRAMFILES%\QuickTime\QuickTimePlayer.exe'
+ Type: Sideloading
+ SHA256:
+ - 'b3a7ff97aca1201758c5295afa7d34e8d05f429b7faf707cf4d5740b8c76cb61'
+Resources:
+ - https://analyze.intezer.com/analyses/82011cc1-c3df-4c63-9945-8730b0d1cf3e
+ - https://www.virustotal.com/gui/file/ff5e56c20591a9019eb28b3cab88f5a240657c1c360bf01ad3a6d417fa10b7f5
+ - https://www.joesandbox.com/analysis/1394928/0/html
+ - https://www.virustotal.com/gui/file/0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda/details
+ - https://discussions.apple.com/thread/2732037?sortBy=best
+ - https://iosninja.io/dll/download/corefoundation-dll
+Acknowledgements:
+ - Name: Matt Anderson
+ Twitter: '@nosecurething'
diff --git a/yml/3rd_party/nvidia/libcef.yml b/yml/3rd_party/nvidia/libcef.yml
new file mode 100644
index 00000000..5e3c49b9
--- /dev/null
+++ b/yml/3rd_party/nvidia/libcef.yml
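Review bot: `'%SYSTEM32%'` in ExpectedLocations declares corefoundation.dll legitimate when found in the Windows system directory, yet the only Resources that speak to that location are an Apple user-forum thread and a third-party DLL download site (the last two Resources lines), neither of which is vendor or installer documentation. A consumer that uses ExpectedLocations as its allow-list would then also accept a copy dropped into System32, so this line should be backed by a vendor/installer reference or removed, and linking a DLL-download site from a detection corpus is itself worth reconsidering since it steers readers toward unverified binaries. Separately, `'%PROGRAMFILES%\iTunes\ituneshelper.exe'` is written in lower case while the QuickTime path keeps its casing; if any consumer matches paths case-sensitively, confirm the on-disk spelling of the iTunes helper and use it here.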
@@ -0,0 +1,19 @@
+---
+Name: libcef.dll
+Author: Matt Anderson - HuntressLabs
+Created: 2024-04-13
+Vendor: Nvidia
+ExpectedLocations:
+ - '%PROGRAMFILES%\NVIDIA Corporation\NVIDIA GeForce Experience'
+VulnerableExecutables:
+ - Path: '%Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDA Share.exe'
+ Type: Sideloading
+ SHA256:
+ - 'f1e2f82d5f21fb8169131fedee6704696451f9e28a8705fca5c0dd6dad151d64'
+Resources:
+ - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
+ - https://analyze.intezer.com/analyses/93e92d7a-9a46-4c1c-8ac0-87b4453beeb8
+ - https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f
+Acknowledgements:
+ - Name: Matt Anderson
+ Twitter: '@nosecurething'
diff --git a/yml/3rd_party/qfx/keyscramblerie.yml b/yml/3rd_party/qfx/keyscramblerie.yml
index 253125c4..73c2f013 100644
--- a/yml/3rd_party/qfx/keyscramblerie.yml
+++ b/yml/3rd_party/qfx/keyscramblerie.yml
@@ -1,6 +1,6 @@
 ---
 Name: keyscramblerie.dll
-Author: Swachchhanda Shrawan Poudel
+Author: Matt Anderson - HuntressLabs, Swachchhanda Shrawan Poudel
 Created: 2024-04-15
 Vendor: QFX
 ExpectedLocations:
@@ -20,5 +20,7 @@ Resources:
 - https://www.virustotal.com/gui/file/5cb9876681f78d3ee8a01a5aaa5d38b05ec81edc48b09e3865b75c49a2187831/details
 - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1
 Acknowledgements:
+ - Name: Matt Anderson
+ Twitter: '@nosecurething'
 - Name: Swachchhanda Shrawan Poudel
 Twitter: '@_swachchhanda_'
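Review bot: The Path value `'%Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDA Share.exe'` uses a placeholder form that appears nowhere else in the series (`%Program Files (x86)` with no closing `%`), while ExpectedLocations two lines above and every other entry use `%PROGRAMFILES%`; a consumer that expands placeholders will not resolve this path, so the loader is effectively unmatched. The executable name `NVIDA Share.exe` also differs from the `NVIDIA` spelling used twice in the same line and looks like a typo, though the patch does not show the on-disk name. Suggest `Path: '%PROGRAMFILES%\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA Share.exe'` once the filename has been confirmed against the sample referenced in Resources.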
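Review bot: The rewritten line `Author: Matt Anderson - HuntressLabs, Swachchhanda Shrawan Poudel` places the new contributor ahead of the person who created the entry the day before, and it only passes validation because the same commit relaxes the Author regex in .github/schema/schema.yml, so the two hunks cannot be applied independently. Keeping the original author first, `Author: Swachchhanda Shrawan Poudel, Matt Anderson - HuntressLabs`, and ordering the two Acknowledgements items the same way in the second hunk would preserve attribution order. The first hunk's context ends at `ExpectedLocations:`; the rest of the entry lies between the two hunks and outside both.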