A new backdoor named Yokai has been discovered targeting Thai officials. The malware is distributed via RAR files containing shortcut files that create decoy documents and execute a dropper. The dropper deploys a legitimate iTop Data Recovery application, which is used to side-load the Yokai backdoor DLL. Yokai creates scheduled tasks, collects system information, and communicates with command and control (C2) servers to receive commands and exfiltrate data. It uses encryption and checksum validation for C2 communication. The backdoor provides remote shell access and can execute arbitrary commands. This attack demonstrates the continued use of DLL side-loading techniques by threat actors to evade detection.
Author: AlienVault
Related Tags:
T1564.004
T1573.001
Thailand
T1559
T1574.002
T1071.001
dropper
T1480
backdoor
Associated Indicators:
F361F5EC213B861DC4A76EB2835D70E6739321539AD216EA5DC416C1DC026528
2852223EB40CF0DAE4111BE28CE37CE9AF23E5332FB78B47C8F5568D497D2611
C74F67BB13A79AE8C111095F18B57A10E63D9F8BFBFFEC8859C61360083CE43E
24509EB64A11F7E21FEEB667B1D70520B1B1DB8345D0E6502B657D416EF81A4D
EAAE6D5DBF40239FB5ABFA2918286F4039A3A0FCD28276A41281957F6D850456
3E5CFE768817DA9A78B63EFAD9E60D2D300727A97476EDF87BE088FB26F06500
248C50331F375E7E73F010E4158EC2DB8835A4373DA2687AB75E8A73FDE795F0
http://49.231.18.150:80/research/files/index.php
http://191.police.go.th:443/Assessment/Report/PDF/default.php