The analysis details a sophisticated malware ecosystem developed by a Chinese-speaking threat actor to deploy BadIIS, a type of web shell that gives unauthorized access to compromised servers. The ecosystem comprises multiple tools for installing and managing the BadIIS payload on target machines, each with its own capabilities aimed at evading detection and maintaining persistence.
Key Components

- DLL Packaged into EXE (moduleinit.pdb)
  - This component is likely a loader or injector that embeds DLL files within an executable for stealthy deployment.
- Install Tools (install.pdb, service.pdb)
  - These tools are responsible for installing BadIIS on target machines. They use various methods to ensure persistence and evade detection:
    - Service Registration: The malware registers as a Windows service named "Winlogin" to maintain persistence across system reboots.
    - C2 Communication: It establishes connections with command-and-control (C2) servers for downloading additional payloads or receiving instructions.
    - Obfuscation Techniques: Double Base64 encoding is used to obfuscate C2 server addresses and commands, making it harder for security products to detect malicious activity.
- Configuration-Driven
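For analysts triaging configuration strings of the kind described above (C2 addresses hidden under double Base64), here is an added Python helper that peels nested Base64 layers until the data stops looking like Base64. This is example code written for this page, not code from the Talos article or from the malware; the sample values are constructed and the 192.0.2.10 address is a documentation address, not an indicator.

```python
import base64
import binascii
import re
import string

# Canonical Base64 alphabet with optional padding; each layer must match this.
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
_PRINTABLE = frozenset(string.printable.encode())


def peel_base64(value: str, max_layers: int = 4) -> tuple[int, bytes]:
    """Strip nested Base64 layers from `value`, e.g. a double-encoded C2 string.
    Stops when the data no longer looks like Base64, fails strict decoding,
    yields non-printable bytes, or `max_layers` is hit (a heuristic guard:
    short plaintext that happens to be valid Base64 could be over-decoded).
    Returns (layers_removed, innermost_bytes)."""
    data = value.strip().encode("ascii", errors="ignore")
    layers = 0
    while layers < max_layers:
        text = data.decode("ascii")
        if len(text) % 4 or not _B64_RE.fullmatch(text):
            break
        try:
            decoded = base64.b64decode(text, validate=True)
        except (binascii.Error, ValueError):
            break
        if not decoded or not _PRINTABLE.issuperset(decoded):
            break
        data, layers = decoded, layers + 1
    return layers, data


def encode_layers(plaintext: str, layers: int) -> str:
    """Apply `layers` rounds of Base64; only used to build constructed samples."""
    out = plaintext.encode()
    for _ in range(layers):
        out = base64.b64encode(out)
    return out.decode("ascii")


if __name__ == "__main__":
    # Constructed samples; 192.0.2.10 is a documentation (TEST-NET-1) address,
    # not an indicator from the article.
    for raw in (encode_layers("192.0.2.10:443", 2),  # double-encoded, as in BadIIS
                encode_layers("update", 1),           # single layer
                "192.0.2.10:443"):                    # already plaintext
        layers, data = peel_base64(raw)
        print(f"{layers} layer(s) removed: {raw!r} -> {data!r}")
```

The layer count is itself a useful detection signal: legitimate configuration rarely needs more than one round of Base64, so strings that peel two or more layers deserve a closer look.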
Read the full article at Cisco Talos