Update 11 DLLs actively used maliciously ITW

wietze · Apr 16, 2024 · ca652a8 · ca652a8
1 parent 2412a36
commit ca652a8
Show file tree

Hide file tree

Showing 11 changed files with 246 additions and 0 deletions.
diff --git a/yml/3rd_party/adobe/sqlite.yml b/yml/3rd_party/adobe/sqlite.yml
@@ -0,0 +1,21 @@
+---
+Name: sqlite.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Adobe
+ExpectedLocations:
+  - '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe'
+    Type: Sideloading
+    SHA256:
+      - 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215
+  - https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/flexera/fnp_act_installer.yml b/yml/3rd_party/flexera/fnp_act_installer.yml
@@ -0,0 +1,23 @@
+---
+Name: fnp_act_installer.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Flexera
+ExpectedLocations:
+  - '%PROGRAMFILES%\InstallShield\%VERSION%\System'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\InstallShield\%VERSION%\System\TSConfig.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: InstallShield Activation Wizard
+    SHA256:
+      - 'b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac
+  - https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/oracle/qtcorevbox4.yml b/yml/3rd_party/oracle/qtcorevbox4.yml
@@ -0,0 +1,21 @@
+---
+Name: qtcorevbox4.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Oracle
+ExpectedLocations:
+  - '%PROGRAMFILES%\Oracle\VirtualBox'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxTestOGL.exe'
+    Type: Sideloading
+    SHA256:
+      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+  - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/oracle/vboxrt.yml b/yml/3rd_party/oracle/vboxrt.yml
@@ -0,0 +1,22 @@
+---
+Name: vboxrt.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Oracle
+ExpectedLocations:
+  - '%PROGRAMFILES%\Oracle\VirtualBox'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxSVC.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: VirtualBox Interface
+    SHA256:
+      - '448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/pspad/libeay32.yml b/yml/3rd_party/pspad/libeay32.yml
@@ -0,0 +1,24 @@
+---
+Name: libeay32.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: PSPad
+ExpectedLocations:
+  - '%PROGRAMFILES%\PSPad editor'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\PSPad editor\PSPad.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: Text editor
+    SHA256:
+      - '0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+  - https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25
+  - https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/thinprint/tpsvc.yml b/yml/3rd_party/thinprint/tpsvc.yml
@@ -0,0 +1,26 @@
+---
+Name: tpsvc.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: ThinPrint
+ExpectedLocations:
+  - '%PROGRAMFILES%\VMWare\VMWare Tools'
+  - '%PROGRAMFILES%\Common Files\ThinPrint'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\VMWare\VMWare Tools\TPAutoConnect.exe'
+    Type: Sideloading
+    SHA256:
+      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'
+  - Path: '%PROGRAMFILES%\Common Files\ThinPrint\TPAutoConnect.exe'
+    Type: Sideloading
+    SHA256:
+      - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd
+  - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/vlc/libvlccore.yml b/yml/3rd_party/vlc/libvlccore.yml
@@ -0,0 +1,20 @@
+---
+Name: libvlccore.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: VLC
+ExpectedLocations:
+  - '%PROGRAMFILES%\VideoLAN\VLC'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\VideoLAN\VLC\vlc.exe'
+    Type: Sideloading
+    SHA256:
+      - 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/wireshark/libglib-2.0-0.yml b/yml/3rd_party/wireshark/libglib-2.0-0.yml
@@ -0,0 +1,22 @@
+---
+Name: libglib-2.0-0.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Wireshark
+ExpectedLocations:
+  - '%PROGRAMFILES%\Wireshark'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: Mergecap
+    SHA256:
+      - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/3rd_party/wireshark/libwsutil.yml b/yml/3rd_party/wireshark/libwsutil.yml
@@ -0,0 +1,23 @@
+---
+Name: libwsutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Wireshark
+ExpectedLocations:
+  - '%PROGRAMFILES%\Wireshark'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe'
+    Type: Sideloading
+    ExpectedVersionInformation:
+      - FileDescription: Mergecap
+    SHA256:
+      - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289
+  - https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/microsoft/external/mpgear.yml b/yml/microsoft/external/mpgear.yml
@@ -0,0 +1,22 @@
+---
+Name: mpgear.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Microsoft
+ExpectedLocations:
+  - '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe'
+    Type: Sideloading
+    SHA256:
+      - '8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab
+  - https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0
+  - https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'
diff --git a/yml/microsoft/external/tedutil.yml b/yml/microsoft/external/tedutil.yml
@@ -0,0 +1,22 @@
+---
+Name: tedutil.dll
+Author: Jai Minton - HuntressLabs
+Created: 2024-04-15
+Vendor: Microsoft
+ExpectedLocations:
+  - '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin'
+VulnerableExecutables:
+  - Path: '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin\TopoEdit.exe'
+    Type: Sideloading
+    SHA256:
+      - 'b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c'
+Resources:
+  - https://asec.ahnlab.com/en/58319/
+  - https://www.virustotal.com/gui/file/b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c
+  - https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details
+  - https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules
+Acknowledgements:
+  - Name: Jai Minton
+    Twitter: '@cyberrraiju'
+  - Name: Huntress
+    Twitter: '@HuntressLabs'