From ca652a88069abfe4f4143dcd593d0d960e53ac81 Mon Sep 17 00:00:00 2001 From: Jai Minton Date: Tue, 16 Apr 2024 11:40:09 +0930 Subject: [PATCH] Update 11 DLLs actively used maliciously ITW --- yml/3rd_party/adobe/sqlite.yml | 21 +++++++++++++++++ yml/3rd_party/flexera/fnp_act_installer.yml | 23 ++++++++++++++++++ yml/3rd_party/oracle/qtcorevbox4.yml | 21 +++++++++++++++++ yml/3rd_party/oracle/vboxrt.yml | 22 +++++++++++++++++ yml/3rd_party/pspad/libeay32.yml | 24 +++++++++++++++++++ yml/3rd_party/thinprint/tpsvc.yml | 26 +++++++++++++++++++++ yml/3rd_party/vlc/libvlccore.yml | 20 ++++++++++++++++ yml/3rd_party/wireshark/libglib-2.0-0.yml | 22 +++++++++++++++++ yml/3rd_party/wireshark/libwsutil.yml | 23 ++++++++++++++++++ yml/microsoft/external/mpgear.yml | 22 +++++++++++++++++ yml/microsoft/external/tedutil.yml | 22 +++++++++++++++++ 11 files changed, 246 insertions(+) create mode 100644 yml/3rd_party/adobe/sqlite.yml create mode 100644 yml/3rd_party/flexera/fnp_act_installer.yml create mode 100644 yml/3rd_party/oracle/qtcorevbox4.yml create mode 100644 yml/3rd_party/oracle/vboxrt.yml create mode 100644 yml/3rd_party/pspad/libeay32.yml create mode 100644 yml/3rd_party/thinprint/tpsvc.yml create mode 100644 yml/3rd_party/vlc/libvlccore.yml create mode 100644 yml/3rd_party/wireshark/libglib-2.0-0.yml create mode 100644 yml/3rd_party/wireshark/libwsutil.yml create mode 100644 yml/microsoft/external/mpgear.yml create mode 100644 yml/microsoft/external/tedutil.yml diff --git a/yml/3rd_party/adobe/sqlite.yml b/yml/3rd_party/adobe/sqlite.yml new file mode 100644 index 00000000..425eec32 --- /dev/null +++ b/yml/3rd_party/adobe/sqlite.yml @@ -0,0 +1,21 @@ +--- +Name: sqlite.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Adobe +ExpectedLocations: + - '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe' + Type: Sideloading + SHA256: + - 1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215 +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/1f64f01063b26bf05d4b076d54816e54dacd08b7fd6e5bc9cc5d11a548ff2215 + - https://www.virustotal.com/gui/file/802bad293e5d5e75ffac3df3dd5301315a886534011871275a1b41c9cec1f298 +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/flexera/fnp_act_installer.yml b/yml/3rd_party/flexera/fnp_act_installer.yml new file mode 100644 index 00000000..17180ae5 --- /dev/null +++ b/yml/3rd_party/flexera/fnp_act_installer.yml @@ -0,0 +1,23 @@ +--- +Name: fnp_act_installer.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Flexera +ExpectedLocations: + - '%PROGRAMFILES%\InstallShield\%VERSION%\System' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\InstallShield\%VERSION%\System\TSConfig.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: InstallShield Activation Wizard + SHA256: + - 'b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/b5f9377bd27fcf48fb3d81d0196021681739f42a198e8340c27d55192d4bd3ac + - https://www.virustotal.com/gui/file/e7b69768215453b2c648d7060161ce9b9eaf1ace631eb2ac11b60a7195e2263e +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/oracle/qtcorevbox4.yml b/yml/3rd_party/oracle/qtcorevbox4.yml new file mode 100644 index 00000000..beb3b151 --- /dev/null +++ b/yml/3rd_party/oracle/qtcorevbox4.yml @@ -0,0 +1,21 @@ +--- +Name: qtcorevbox4.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Oracle +ExpectedLocations: + - '%PROGRAMFILES%\Oracle\VirtualBox' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxTestOGL.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/oracle/vboxrt.yml b/yml/3rd_party/oracle/vboxrt.yml new file mode 100644 index 00000000..9e8a8772 --- /dev/null +++ b/yml/3rd_party/oracle/vboxrt.yml @@ -0,0 +1,22 @@ +--- +Name: vboxrt.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Oracle +ExpectedLocations: + - '%PROGRAMFILES%\Oracle\VirtualBox' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Oracle\VirtualBox\VBoxSVC.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: VirtualBox Interface + SHA256: + - '448402c129a721812fa1c5f279f5ca906b9c8bbca652a91655d144d20ce5e6b4' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/pspad/libeay32.yml b/yml/3rd_party/pspad/libeay32.yml new file mode 100644 index 00000000..d8871362 --- /dev/null +++ b/yml/3rd_party/pspad/libeay32.yml @@ -0,0 +1,24 @@ +--- +Name: libeay32.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: PSPad +ExpectedLocations: + - '%PROGRAMFILES%\PSPad editor' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\PSPad editor\PSPad.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Text editor + SHA256: + - '0a97c374a6cc14b54b01deb3be77b28e274ced8c0627efba6b84712284332a7a' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/7add49ed95d6a9e90988dcbfc54cdb727e0c705e3d79879717849798354e3e25 + - https://www.virustotal.com/gui/file/a13c09f41979df8717a9d39e15e6ce960c1c4ba6af456a563fa3ff1b8b4d388c +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/thinprint/tpsvc.yml b/yml/3rd_party/thinprint/tpsvc.yml new file mode 100644 index 00000000..04603ca5 --- /dev/null +++ b/yml/3rd_party/thinprint/tpsvc.yml @@ -0,0 +1,26 @@ +--- +Name: tpsvc.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: ThinPrint +ExpectedLocations: + - '%PROGRAMFILES%\VMWare\VMWare Tools' + - '%PROGRAMFILES%\Common Files\ThinPrint' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\VMWare\VMWare Tools\TPAutoConnect.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' + - Path: '%PROGRAMFILES%\Common Files\ThinPrint\TPAutoConnect.exe' + Type: Sideloading + SHA256: + - 'e631bf67c349ce3afc7d5960b0247af9466292bc314ff393dee0716f3a50fd5f' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/cf801023465679ec34084bdb1adb9f54b2fc3130925a4b8fdc10b11639b4a7cd + - https://www.virustotal.com/gui/file/a6e6b1a47021fa1e4d36b047f5326eb04d5f545907fc6ac3730162a07cc792ff +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/vlc/libvlccore.yml b/yml/3rd_party/vlc/libvlccore.yml new file mode 100644 index 00000000..bba2b270 --- /dev/null +++ b/yml/3rd_party/vlc/libvlccore.yml @@ -0,0 +1,20 @@ +--- +Name: libvlccore.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: VLC +ExpectedLocations: + - '%PROGRAMFILES%\VideoLAN\VLC' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\VideoLAN\VLC\vlc.exe' + Type: Sideloading + SHA256: + - 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937 +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/33c08eeaff6e9aa686a14144cb84d1895f260d28b767a0d2a10dbe427a65d7c0 +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/wireshark/libglib-2.0-0.yml b/yml/3rd_party/wireshark/libglib-2.0-0.yml new file mode 100644 index 00000000..0ec26b13 --- /dev/null +++ b/yml/3rd_party/wireshark/libglib-2.0-0.yml @@ -0,0 +1,22 @@ +--- +Name: libglib-2.0-0.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Wireshark +ExpectedLocations: + - '%PROGRAMFILES%\Wireshark' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Mergecap + SHA256: + - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/3rd_party/wireshark/libwsutil.yml b/yml/3rd_party/wireshark/libwsutil.yml new file mode 100644 index 00000000..31c93e67 --- /dev/null +++ b/yml/3rd_party/wireshark/libwsutil.yml @@ -0,0 +1,23 @@ +--- +Name: libwsutil.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Wireshark +ExpectedLocations: + - '%PROGRAMFILES%\Wireshark' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Wireshark\Mergecap.exe' + Type: Sideloading + ExpectedVersionInformation: + - FileDescription: Mergecap + SHA256: + - 'ac7a321a7b00b4adb5863b9a7e91e69afe9ce1953317234a2bd1bee97de744da' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/fcb0272d586fff854ce9b329fbbba26902984a112a1afe96a149dbb2011ad289 + - https://www.virustotal.com/gui/file/e91c4f990c1b0b58d69f3c3e80916463e5cc87011fd418d610c5264f7d5ecc9b +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/microsoft/external/mpgear.yml b/yml/microsoft/external/mpgear.yml new file mode 100644 index 00000000..dc1feac1 --- /dev/null +++ b/yml/microsoft/external/mpgear.yml @@ -0,0 +1,22 @@ +--- +Name: mpgear.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Microsoft +ExpectedLocations: + - '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Windows Defender Advanced Threat Protection\Classification\SenseCE.exe' + Type: Sideloading + SHA256: + - '8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab + - https://www.virustotal.com/gui/file/1643a9c54e5d730fb0ebf4ab49e6c1d3a09dcd2c3a0282674330346d90990ab0 + - https://www.virustotal.com/gui/file/e1316301e7904a415fdd2a1707d1a48220cce055aab17b36a48e67bf0369edba +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs' diff --git a/yml/microsoft/external/tedutil.yml b/yml/microsoft/external/tedutil.yml new file mode 100644 index 00000000..79261884 --- /dev/null +++ b/yml/microsoft/external/tedutil.yml @@ -0,0 +1,22 @@ +--- +Name: tedutil.dll +Author: Jai Minton - HuntressLabs +Created: 2024-04-15 +Vendor: Microsoft +ExpectedLocations: + - '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin' +VulnerableExecutables: + - Path: '%PROGRAMFILES%\Microsoft SDKs\Windows\%VERSION%\Bin\TopoEdit.exe' + Type: Sideloading + SHA256: + - 'b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c' +Resources: + - https://asec.ahnlab.com/en/58319/ + - https://www.virustotal.com/gui/file/b874e5abdd7c008d47560fda4e84db893ac63c18c3a5a450d25f4e62ed8e8d8c + - https://www.virustotal.com/gui/file/eb014e37fdcaf42c93f606058896ccb47eed56be5e1701c7b9744bac0003a8e8/details + - https://learn.microsoft.com/en-us/windows/win32/medfound/topoedit-modules +Acknowledgements: + - Name: Jai Minton + Twitter: '@cyberrraiju' + - Name: Huntress + Twitter: '@HuntressLabs'