AppDomain Manager Injection exploited for Cobalt Strike beacon delivery

Threat Intelligence

Taiwanese government agencies, Vietnamese energy entities, and the Philippine military have been subjected since last month to new intrusions deploying Cobalt Strike beacons through the AppDomain Manager Injection technique, which is akin to DLL side-loading, reports BleepingComputer.

Attackers distributed a ZIP file containing a malicious Microsoft Script Component file, which when opened facilitated code execution via the GrimResource attack technique, which abuses a cross-site scripting flaw in apds.dll to run malicious JavaScript, according to an NTT report. The MSC file also created a configuration file that redirects to a DLL containing a class based on the .NET Framework's AppDomainManager class; that DLL then executes code to evade security defenses and ultimately injects a Cobalt Strike beacon for additional malicious activity, NTT researchers said. The threat actors' concurrent use of AppDomain Manager Injection and GrimResource suggests technical sophistication, the researchers added.
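As an added defender-side example (not code from the SC Media or NTT reporting), the script below checks a .NET application config for the AppDomainManager redirect settings that the technique relies on; the sample config contents and assembly names in it are constructed.

```python
"""Flag .NET application config files that redirect the AppDomainManager.

AppDomain Manager Injection works because the .NET Framework honours
<appDomainManagerAssembly> / <appDomainManagerType> under <runtime> in an
application's .exe.config and loads the named assembly before the program's
own code runs. Legitimate applications rarely set these, so their presence
is a useful hunting signal.
"""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample resembling a planted <app>.exe.config (names are made up).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PlantedLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PlantedLib.Manager" />
  </runtime>
</configuration>"""

# Constructed benign config with no runtime redirect.
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0" /></startup>
</configuration>"""


def find_appdomain_manager(config_xml: str) -> Optional[dict]:
    """Return the redirect settings if the config names a custom
    AppDomainManager, or None if it does not (or is not valid XML)."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    # Either element alone is still suspicious; report whatever is present.
    return {
        "assembly": asm.get("value") if asm is not None else None,
        "type": typ.get("value") if typ is not None else None,
    }


if __name__ == "__main__":
    print(find_appdomain_manager(SAMPLE_CONFIG))  # prints the constructed redirect
    print(find_appdomain_manager(BENIGN_CONFIG))  # prints None
```

In a real hunt, run the check over every `*.exe.config` beside executables in user-writable directories and pair it with the same two settings exposed as environment variables.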

Sliver malware spread by SimpleHelp RMM exploits. (Adobe Stock)