From c9482fc1b79c58d1c79306ad776707d43ef5b0c5 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Sat, 27 Apr 2024 21:10:13 +0930 Subject: [PATCH] Add 11 DLLs actively used maliciously ITW (#75) Co-authored-by: Wietze --- .github/schema/schema.yml | 5 ++++- docs/SCHEMA.md | 1 + yml/3rd_party/adobe/sqlite.yml | 19 +++++++++++++++++ yml/3rd_party/apple/corefoundation.yml | 1 + yml/3rd_party/asus/asio.yml | 1 + yml/3rd_party/asus/asus_wmi.yml | 1 + yml/3rd_party/cisco/wcldll.yml | 1 + yml/3rd_party/flexera/fnp_act_installer.yml | 21 +++++++++++++++++++ yml/3rd_party/nvidia/libcef.yml | 1 + yml/3rd_party/oracle/qtcorevbox4.yml | 20 ++++++++++++++++++ yml/3rd_party/oracle/vboxrt.yml | 21 +++++++++++++++++++ yml/3rd_party/pspad/libeay32.yml | 23 +++++++++++++++++++++ yml/3rd_party/qfx/keyscramblerie.yml | 1 + yml/3rd_party/thinprint/tpsvc.yml | 21 +++++++++++++++++++ yml/3rd_party/vlc/libvlccore.yml | 19 +++++++++++++++++ yml/3rd_party/wireshark/libglib-2.0-0.yml | 21 +++++++++++++++++++ yml/3rd_party/wireshark/libwsutil.yml | 22 ++++++++++++++++++++ yml/microsoft/external/mpgear.yml | 20 ++++++++++++++++++ yml/microsoft/external/tedutil.yml | 20 ++++++++++++++++++ 19 files changed, 238 insertions(+), 1 deletion(-) create mode 100644 yml/3rd_party/adobe/sqlite.yml create mode 100644 yml/3rd_party/flexera/fnp_act_installer.yml create mode 100644 yml/3rd_party/oracle/qtcorevbox4.yml create mode 100644 yml/3rd_party/oracle/vboxrt.yml create mode 100644 yml/3rd_party/pspad/libeay32.yml create mode 100644 yml/3rd_party/thinprint/tpsvc.yml create mode 100644 yml/3rd_party/vlc/libvlccore.yml create mode 100644 yml/3rd_party/wireshark/libglib-2.0-0.yml create mode 100644 yml/3rd_party/wireshark/libwsutil.yml create mode 100644 yml/microsoft/external/mpgear.yml create mode 100644 yml/microsoft/external/tedutil.yml diff --git a/.github/schema/schema.yml b/.github/schema/schema.yml index 461275ab..b61ff6eb 100644 --- a/.github/schema/schema.yml +++ b/.github/schema/schema.yml 
@@ -147,7 +147,7 @@ mapping: unique: true pattern: '^([^:\/?#]+:)(?:\/\/([^\/?#]*))?([^?#]+)?(\?[^#]*)?(#.*)?' - Acknowledgements: + Acknowledgements: &Individuals type: seq required: false sequence: @@ -159,6 +159,9 @@ mapping: type: str pattern: '^\w[\w\s\-'']+\w$' required: true + Company: + type: str + required: false Twitter: type: str pattern: '^@(\w){1,15}$' diff --git a/docs/SCHEMA.md b/docs/SCHEMA.md index 8feca755..3363120b 100644 --- a/docs/SCHEMA.md +++ b/docs/SCHEMA.md @@ -53,6 +53,7 @@ A simple template can be found [here](/template.yml). | Field | Type | Required | Format | Description | | ----- | ---- | -------- | ------ | ----------- | | `Name` | String | ✅ | | Full name (or Twitter screen name) of the person who should be acknowledged. | +| `Company` | String | Optional | Name of the acknowledged person's employer, should it be relevant to their contribution. | | `Twitter` | String | Optional | Has to start with `@` | The Twitter handle of the person who should be acknowledged. | [^1]: This field supports environment variables such as `%SYSTEM32%`, `%SYSWOW64%`, `%PROGRAMFILES%`, `%PROGRAMDATA%`, `%APPDATA%`, `%LOCALAPPDATA%`, and so on. Please use this where possible. Variable `%VERSION%` is also available if a path contains a version number that is likely to change. diff --git a/yml/3rd_party/adobe/sqlite.yml b/yml/3rd_party/adobe/sqlite.yml new file mode 100644 index 00000000..767ad575 --- /dev/null +++ b/yml/3rd_party/adobe/sqlite.yml 
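Review bot: The `&Individuals` anchor added on the `Acknowledgements:` key is not referenced by any `*Individuals` alias anywhere in this patch, so unless another part of schema.yml already aliases it the anchor is dead and reads as an unfinished refactor. If a second acknowledgement-style list is meant to share this definition, the alias should land in the same change; otherwise drop the anchor and keep the line as `Acknowledgements:`.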
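Review bot: The new `Company` field is the only string in the acknowledgement mapping with no `pattern`, whereas `Name` and `Twitter` are both constrained; an unconstrained free-text field is where stray markup or whitespace-only values slip through validation. Reusing the Name constraint, `pattern: '^\w[\w\s\-'']+\w$'`, or a slightly looser variant that also admits `.` and `&` for company names, would keep the acknowledgement block uniform. The matching row added to docs/SCHEMA.md also appears to have four cells instead of the table's five, so its Format column should be filled in (or left explicitly empty) once the rule is chosen.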
@@ -0,0 +1,19 @@ +--- +Name: sqlite.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Adobe +ExpectedLocations: + - '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe' + Type: Sideloading + SHA256: + - 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215 +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298 +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/apple/corefoundation.yml b/yml/3rd_party/apple/corefoundation.yml index 43a12ff1..f0f9f1d8 100644 --- a/yml/3rd_party/apple/corefoundation.yml +++ b/yml/3rd_party/apple/corefoundation.yml @@ -24,4 +24,5 @@ Resources: - https://iosninja.io/dll/download/corefoundation-dll Acknowledgements: - Name: Matt Anderson + Company: Huntress Twitter: '@nosecurething' diff --git a/yml/3rd_party/asus/asio.yml b/yml/3rd_party/asus/asio.yml index 0c4da6e5..39d2521b 100644 --- a/yml/3rd_party/asus/asio.yml +++ b/yml/3rd_party/asus/asio.yml @@ -23,4 +23,5 @@ Resources: - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/asus/asus_wmi.yml b/yml/3rd_party/asus/asus_wmi.yml index efd6e24c..fe2fddac 100644 --- a/yml/3rd_party/asus/asus_wmi.yml +++ b/yml/3rd_party/asus/asus_wmi.yml @@ -23,4 +23,5 @@ Resources: - https://www.virustotal.com/gui/file/7f4689de97d97ddb6e788119ebf0dc3707c66f8216d7cbc79ea329d0c3df63bf/details Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/cisco/wcldll.yml b/yml/3rd_party/cisco/wcldll.yml index 287729ec..9cfab178 100644 --- a/yml/3rd_party/cisco/wcldll.yml +++ b/yml/3rd_party/cisco/wcldll.yml 
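Review bot: The executable hash under `SHA256:` is written unquoted here (`- 1f64f010…`) while every other new entry in this patch quotes it; the schema may accept both, but a bare 64-hex value that happens to contain only digits (or digits with a single `e`) can be parsed as a number by a YAML loader, so quoting it, `- '1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215'`, is the safer form (libvlccore.yml in this patch has the same issue). The `ExpectedLocations` path uses `%PROGRAMFILES%`; if the sideloaded build of Acrobat Reader DC is the 32-bit one, its install directory sits under `%PROGRAMFILES(X86)%` on 64-bit Windows, which is worth confirming against the path observed in the referenced sample so a path-keyed detection does not miss. `Author` says `HuntressLabs` while the new `Company` field says `Huntress`; one spelling across the new files would be cleaner.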
@@ -22,4 +22,5 @@ Resources: - https://www.virustotal.com/gui/file/fa1443219f210bdcf3a25b311342851f61378536eb11810366468156fbd5c051 Acknowledgements: - Name: Jai Minton + Company: Huntress Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/flexera/fnp_act_installer.yml b/yml/3rd_party/flexera/fnp_act_installer.yml new file mode 100644 index 00000000..f9b24fca --- /dev/null +++ b/yml/3rd_party/flexera/fnp_act_installer.yml @@ -0,0 +1,21 @@ +--- +Name: fnp_act_installer.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Flexera +ExpectedLocations: + - '%PROGRAMFILES%\InstallShield\%VERSION%\System' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\InstallShield\%VERSION%\System\TSConfig.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: InstallShield Activation Wizard + SHA256: + - 'b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/nvidia/libcef.yml b/yml/3rd_party/nvidia/libcef.yml index 5e3c49b9..89262aa5 100644 --- a/yml/3rd_party/nvidia/libcef.yml +++ b/yml/3rd_party/nvidia/libcef.yml @@ -16,4 +16,5 @@ Resources: - https://www.virustotal.com/gui/file/64d0fc47fd77eb300942602a912ea9403960acd4f2ed33a8e325594bf700d65f Acknowledgements: - Name: Matt Anderson + Company: Huntress Twitter: '@nosecurething' diff --git a/yml/3rd_party/oracle/qtcorevbox4.yml b/yml/3rd_party/oracle/qtcorevbox4.yml new file mode 100644 index 00000000..b7e2fd7d --- /dev/null +++ b/yml/3rd_party/oracle/qtcorevbox4.yml 
@@ -0,0 +1,20 @@ +--- +Name: qtcorevbox4.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Oracle +ExpectedLocations: + - '%PROGRAMFILES%\Oracle\VirtualBox' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxTestOGL.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/oracle/vboxrt.yml b/yml/3rd_party/oracle/vboxrt.yml new file mode 100644 index 00000000..de1582aa --- /dev/null +++ b/yml/3rd_party/oracle/vboxrt.yml @@ -0,0 +1,21 @@ +--- +Name: vboxrt.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Oracle +ExpectedLocations: + - '%PROGRAMFILES%\Oracle\VirtualBox' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxSVC.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: VirtualBox Interface + SHA256: + - '448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/pspad/libeay32.yml b/yml/3rd_party/pspad/libeay32.yml new file mode 100644 index 00000000..763d922e --- /dev/null +++ b/yml/3rd_party/pspad/libeay32.yml 
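Review bot: The `SHA256` given for `VBoxTestOGL.exe` (`e631bf67…fd5f`) is identical to the one this patch assigns to `TPAutoConnect.exe` in yml/3rd_party/thinprint/tpsvc.yml; two different binaries cannot share a SHA-256, so one of the two entries carries a copy-pasted hash and should be re-derived from the actual executable. A detection keyed on this value would match the wrong host process, so both entries deserve a re-check before merge. This entry is also the only VirtualBox one without `ExpectedVersionInformation`; adding the executable's `FileDescription` as vboxrt.yml does would give detection a second handle that survives version changes.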
@@ -0,0 +1,23 @@ +--- +Name: libeay32.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: PSPad +ExpectedLocations: + - '%PROGRAMFILES%\PSPad editor' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\PSPad editor\PSPad.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Text editor + SHA256: + - '0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25 + - https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/qfx/keyscramblerie.yml b/yml/3rd_party/qfx/keyscramblerie.yml index 73c2f013..9393d152 100644 --- a/yml/3rd_party/qfx/keyscramblerie.yml +++ b/yml/3rd_party/qfx/keyscramblerie.yml @@ -21,6 +21,7 @@ Resources: - https://www.virustotal.com/gui/file/9cfdc3fe2a10fe2b514fc224c9c8740e1de039d90b9c17f85b64ff29d4a4ebb1 Acknowledgements: - Name: Matt Anderson + Company: Huntress Twitter: '@nosecurething' - Name: Swachchhanda Shrawan Poudel Twitter: '@_swachchhanda_' diff --git a/yml/3rd_party/thinprint/tpsvc.yml b/yml/3rd_party/thinprint/tpsvc.yml new file mode 100644 index 00000000..6c5562a2 --- /dev/null +++ b/yml/3rd_party/thinprint/tpsvc.yml 
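Review bot: `Vendor: PSPad` attributes libeay32.dll to the editor, but that file name is the pre-1.1 OpenSSL crypto library that PSPad merely bundles, so a reader (or tooling keyed on Vendor) will not connect this entry to the same DLL sideloaded through other OpenSSL-bundling applications. If the repository convention is that Vendor names the application shipping the DLL rather than its author, a `Resources` link to the OpenSSL origin would make that explicit; otherwise consider `Vendor: OpenSSL` with PSPad recorded only in the path and executable entries. `FileDescription: Text editor` is a weak discriminator on its own, so any rule built from this file should pair it with the listed SHA-256 rather than rely on it alone.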
@@ -0,0 +1,21 @@ +--- +Name: tpsvc.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: ThinPrint +ExpectedLocations: + - '%PROGRAMFILES%\VMWare\VMWare Tools' + - '%PROGRAMFILES%\Common Files\ThinPrint' +VulnerableExecutables: + - Path: 'TPAutoConnect.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/vlc/libvlccore.yml b/yml/3rd_party/vlc/libvlccore.yml new file mode 100644 index 00000000..9f02384e --- /dev/null +++ b/yml/3rd_party/vlc/libvlccore.yml @@ -0,0 +1,19 @@ +--- +Name: libvlccore.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: VLC +ExpectedLocations: + - '%PROGRAMFILES%\VideoLAN\VLC' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\VideoLAN\VLC\vlc.exe' + Type: Sideloading + SHA256: + - 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0 +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/wireshark/libglib-2.0-0.yml b/yml/3rd_party/wireshark/libglib-2.0-0.yml new file mode 100644 index 00000000..53db9e5f --- /dev/null +++ b/yml/3rd_party/wireshark/libglib-2.0-0.yml 
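Review bot: `Path: 'TPAutoConnect.exe'` is a bare file name while every other `VulnerableExecutables` entry in this patch gives a full `%PROGRAMFILES%…` path, so a consumer that resolves Path against a directory has nothing to anchor on here. With two candidate directories in `ExpectedLocations`, the executable should be listed once per location unless the schema documents bare names as meaning "any expected location". Separately, the SHA-256 listed for this executable (`e631bf67…`) is the same value given to `VBoxTestOGL.exe` in yml/3rd_party/oracle/qtcorevbox4.yml, which cannot be right for two distinct binaries, so whichever one was copied needs re-deriving. The `VMWare` spelling in the first expected location is harmless on a case-insensitive filesystem, but the product directory is `VMware\VMware Tools`.
```yaml
# … unchanged: Name, Author, Created, Vendor, ExpectedLocations …
VulnerableExecutables:
  - Path: '%PROGRAMFILES%\VMware\VMware Tools\TPAutoConnect.exe'
    Type: Sideloading
    SHA256:
      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'  # re-verify: same hash as VBoxTestOGL.exe in qtcorevbox4.yml
  - Path: '%PROGRAMFILES%\Common Files\ThinPrint\TPAutoConnect.exe'
    Type: Sideloading
    SHA256:
      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'
# … unchanged: Resources, Acknowledgements …
```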
@@ -0,0 +1,21 @@ +--- +Name: libglib-2.0-0.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Wireshark +ExpectedLocations: + - '%PROGRAMFILES%\Wireshark' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Mergecap + SHA256: + - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/3rd_party/wireshark/libwsutil.yml b/yml/3rd_party/wireshark/libwsutil.yml new file mode 100644 index 00000000..d7fda73d --- /dev/null +++ b/yml/3rd_party/wireshark/libwsutil.yml @@ -0,0 +1,22 @@ +--- +Name: libwsutil.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Wireshark +ExpectedLocations: + - '%PROGRAMFILES%\Wireshark' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Mergecap + SHA256: + - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 + - https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/microsoft/external/mpgear.yml b/yml/microsoft/external/mpgear.yml new file mode 100644 index 00000000..5b8fe2c2 --- /dev/null +++ b/yml/microsoft/external/mpgear.yml 
@@ -0,0 +1,20 @@ +--- +Name: mpgear.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Microsoft +ExpectedLocations: + - '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe' + Type: Sideloading + SHA256: + - '8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0 + - https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju' diff --git a/yml/microsoft/external/tedutil.yml b/yml/microsoft/external/tedutil.yml new file mode 100644 index 00000000..44a4f6dd --- /dev/null +++ b/yml/microsoft/external/tedutil.yml @@ -0,0 +1,20 @@ +--- +Name: tedutil.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Microsoft +ExpectedLocations: + - '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin\TopoEdit.exe' + Type: Sideloading + SHA256: + - 'b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details + - https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules +Acknowledgements: + - Name: Jai Minton + Company: Huntress + Twitter: '@cyberrraiju'