Add 11 DLLs actively used maliciously ITW (#75)

Co-authored-by: Wietze <[email protected]>

.github/schema/schema.yml

@@ -147,7 +147,7 @@ mapping:
         unique: true
         pattern: '^([^:\/?#]+:)(?:\/\/([^\/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?'
 
-  Acknowledgements:
+  Acknowledgements: &Individuals
     type: seq
     required: false
     sequence:
@@ -159,6 +159,9 @@ mapping:
             type: str
             pattern: '^\w[\w\s\-'']+\w$'
             required: true
+          Company:
+            type: str
+            required: false
           Twitter:
             type: str
             pattern: '^@(\w){1,15}$'

docs/SCHEMA.md

@@ -53,6 +53,7 @@ A simple template can be found [here](/template.yml).
 | Field | Type | Required | Format | Description |
 | ----- | ---- | -------- | ------ | ----------- |
 | `Name` | String | ✅ |  | Full name (or Twitter screen name) of the person who should be acknowledged. |
+| `Company` | String | Optional | Name of the acknowledged person's employer, should it be relevant to their contribution. |
 | `Twitter` | String | Optional | Has to start with `@` | The Twitter handle of the person who should be acknowledged. |
 
 [^1]: This field supports environment variables such as `%SYSTEM32%`, `%SYSWOW64%`, `%PROGRAMFILES%`, `%PROGRAMDATA%`, `%APPDATA%`, `%LOCALAPPDATA%`, and so on. Please use this where possible. Variable `%VERSION%` is also available if a path contains a version number that is likely to change.

yml/3rd_party/adobe/sqlite.yml

@@ -0,0 +1,19 @@
+---
+Name: sqlite.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Adobe
+ExpectedLocations:
+  - '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe'
+    Type: Sideloading
+    SHA256:
+      - 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/apple/corefoundation.yml

@@ -24,4 +24,5 @@ Resources:
   - https://iosninja.io/dll/download/corefoundation-dll
 Acknowledgements:
   - Name: Matt Anderson
+    Company: Huntress
     Twitter: '@nosecurething'

yml/3rd_party/asus/asio.yml

@@ -23,4 +23,5 @@ Resources:
   - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details
 Acknowledgements:
   - Name: Jai Minton
+    Company: Huntress
     Twitter: '@cyberrraiju'

yml/3rd_party/asus/asus_wmi.yml

@@ -23,4 +23,5 @@ Resources:
   - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details
 Acknowledgements:
   - Name: Jai Minton
+    Company: Huntress
     Twitter: '@cyberrraiju'

yml/3rd_party/cisco/wcldll.yml

@@ -22,4 +22,5 @@ Resources:
   - https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051
 Acknowledgements:
   - Name: Jai Minton
+    Company: Huntress
     Twitter: '@cyberrraiju'

yml/3rd_party/flexera/fnp_act_installer.yml

@@ -0,0 +1,21 @@
+---
+Name: fnp_act_installer.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Flexera
+ExpectedLocations:
+  - '%PROGRAMFILES%\InstallShield\%VERSION%\System'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\InstallShield\%VERSION%\System\TSConfig.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: InstallShield Activation Wizard
+    SHA256:
+      - 'b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/nvidia/libcef.yml

@@ -16,4 +16,5 @@ Resources:
   - https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f
 Acknowledgements:
   - Name: Matt Anderson
+    Company: Huntress
     Twitter: '@nosecurething'

yml/3rd_party/oracle/qtcorevbox4.yml

@@ -0,0 +1,20 @@
+---
+Name: qtcorevbox4.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Oracle
+ExpectedLocations:
+  - '%PROGRAMFILES%\Oracle\VirtualBox'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxTestOGL.exe'
+    Type: Sideloading
+    SHA256:
+      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+  - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/oracle/vboxrt.yml

@@ -0,0 +1,21 @@
+---
+Name: vboxrt.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Oracle
+ExpectedLocations:
+  - '%PROGRAMFILES%\Oracle\VirtualBox'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxSVC.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: VirtualBox Interface
+    SHA256:
+      - '448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/pspad/libeay32.yml

@@ -0,0 +1,23 @@
+---
+Name: libeay32.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: PSPad
+ExpectedLocations:
+  - '%PROGRAMFILES%\PSPad editor'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\PSPad editor\PSPad.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: Text editor
+    SHA256:
+      - '0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+  - https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25
+  - https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/qfx/keyscramblerie.yml

@@ -21,6 +21,7 @@ Resources:
   - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1
 Acknowledgements:
   - Name: Matt Anderson
+    Company: Huntress
     Twitter: '@nosecurething'
   - Name: Swachchhanda Shrawan Poudel
     Twitter: '@_swachchhanda_'

yml/3rd_party/thinprint/tpsvc.yml

@@ -0,0 +1,21 @@
+---
+Name: tpsvc.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: ThinPrint
+ExpectedLocations:
+  - '%PROGRAMFILES%\VMWare\VMWare Tools'
+  - '%PROGRAMFILES%\Common Files\ThinPrint'
+VulnerableExecutables:
+  - Path: 'TPAutoConnect.exe'
+    Type: Sideloading
+    SHA256:
+      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+  - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/vlc/libvlccore.yml

@@ -0,0 +1,19 @@
+---
+Name: libvlccore.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: VLC
+ExpectedLocations:
+  - '%PROGRAMFILES%\VideoLAN\VLC'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\VideoLAN\VLC\vlc.exe'
+    Type: Sideloading
+    SHA256:
+      - 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/wireshark/libglib-2.0-0.yml

@@ -0,0 +1,21 @@
+---
+Name: libglib-2.0-0.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Wireshark
+ExpectedLocations:
+  - '%PROGRAMFILES%\Wireshark'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: Mergecap
+    SHA256:
+      - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/3rd_party/wireshark/libwsutil.yml

@@ -0,0 +1,22 @@
+---
+Name: libwsutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Wireshark
+ExpectedLocations:
+  - '%PROGRAMFILES%\Wireshark'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: Mergecap
+    SHA256:
+      - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289
+  - https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/microsoft/external/mpgear.yml

@@ -0,0 +1,20 @@
+---
+Name: mpgear.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Microsoft
+ExpectedLocations:
+  - '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe'
+    Type: Sideloading
+    SHA256:
+      - '8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0
+  - https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'

yml/microsoft/external/tedutil.yml

@@ -0,0 +1,20 @@
+---
+Name: tedutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Microsoft
+ExpectedLocations:
+  - '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin\TopoEdit.exe'
+    Type: Sideloading
+    SHA256:
+      - 'b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details
+  - https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules
+Acknowledgements:
+  - Name: Jai Minton
+    Company: Huntress
+    Twitter: '@cyberrraiju'