This threaded function we named DllMainThread is executed without any additional arguments being provided to it.Ī couple of things occur in the above code: The DllMain Entry PointĪs can be seen in the following capture, the DllMain function simply executes another function by creating a new thread. Throughout the following analysis functions and variables have been renamed to reflect their usage and improve clarity. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions. When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process.
While technically the malicious execution can occur in any of the 8 functions, malicious code commonly resides in the DllMain function given, besides TLS callbacks, it is the function most likely to execute.ĭllMain: An optional entry point into a dynamic-link library (DLL). List of available entry points as displayed in IDA. With this knowledge, we can already expect some known entry points to be exposed by the DLL.
Analysis of the document uncovered the intention to persist a Cobalt Strike stager through Component Object Model Hijacking.ĭuring my free time I enjoy analyzing samples NVISO spots in-the-wild, and hence further dissected the Cobalt Strike DLL payload.
What caught our attention, besides leveraging an actual job offer, was the presence of execution-guardrails in the malicious document. The reported email was an application for one of the company’s public job offers and attempted to deliver a malicious document. While no harm was done, we commonly identify any related indicators to ensure additional monitoring of the actor.
The attempt was spotted at its earliest stage following an employee’s report concerning a suspicious email. NVISO recently monitored a targeted campaign against one of its customers in the financial sector.