Malware peddlers experimenting with BPL sideloading and masking malicious payloads as PGP keys
A newly spotted campaign is leveraging BPL sideloading and other uncommon tricks to deliver the IDAT Loader (aka HijackLoader) malware and prevent its detection.
The campaign
Spotted by Kroll’s incident responders and analyzed by the company’s Cyber Threat Intelligence (CTI) team, the campaign involves:
- A Bollywood pirate movie download site pointing to page hosted on the Bunny content delivery platform, which in turn points to a ZIP file
- Within that ZIP file, another password-protected ZIP file and a text file with the password
- Within that second ZIP file, a LNK file and a decoy “trailer” video file
“The LNK file triggered the first element of the novel technique used in this infection chain for distributing IDAT Loader. The LNK file was using mshta.exe to execute what appeared to be a ‘PGP Secret Key,’ hosted again on Bunny CDN,” Kroll’s threat analysts found.
Static analysis of that file showed that it was, in fact, not a PGP key, but a combination of junk bytes, an embedded HTA file and an embedded EXE file.
“The reason the file is being interpreted by tooling as a PGP key is simply because the first two bytes of the file are the magic bytes for a ‘PGP Secret Sub-key’. The embedded EXE file is the legitimate calc.exe supplied with the Windows operating system, likely to add known good indicators for bypassing AI/ML detections.”
Mshta.exe executes the heavily obfuscated HTA code, which downloads two ZIP files: K1.zip and K2.zip.
The contents of the two ZIP files (Source: Kroll)
The K2 archive contains just jdekl.exe, a renamed copy of a legitimate signed executable (RttHlp.exe, by IOBit).
K1 contains several files, most of which are irrelevant. The relevant one is the VCL120.BPL file, which contains the malicious code.
BPL (instead of DLL) sideloading
“A BPL (Borland Package Library) file is similar to a DLL file. Since both archives are unzipped in the same location by the initial script, when the EXE in K2 is executed it will automatically load the malicious BPL in K1,” Dave Truman, Vice President, Cyber Risk Business Kroll, told Help Net Security.
“Sideloading a malicious BPL into a signed EXE allows for malicious code to run in a more trusted executable, which are allowed to run more freely than non-signed, not previously seen, binaries. Organizations are already aware of DLL sideloading so may have detection rules in place looking for suspicious DLL usage, but by using a BPL for BPL sideloading the actor might bypass these rules.”
He noted that using two ZIP archives also makes detection harder. Both would be needed to trigger malicious activity; sandbox detonation of either individual ZIP will do nothing.
The company has shared indicators of compromise and advises enterprises to put rules in place to detect abnormal mshta.exe behavior, and to consider blocking execution or removing MSHTA altogether.