
Malware peddlers experimenting with BPL sideloading and masking malicious payloads as PGP keys
2024-06-26 12:34

"The LNK file triggered the first element of the novel technique used in this infection chain for distributing IDAT Loader. The LNK file was using mshta.exe to execute what appeared to be a 'PGP Secret Key,' hosted again on Bunny CDN," Kroll's threat analysts found.

Static analysis of that file showed that it was not a PGP key, but a combination of junk bytes, an embedded HTA file and an embedded EXE file.

"The reason the file is being interpreted by tooling as a PGP key is simply because the first two bytes of the file are the magic bytes for a 'PGP Secret Sub-key'. The embedded EXE file is the legitimate calc.exe supplied with the Windows operating system, likely to add known good indicators for bypassing AI/ML detections."
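The decoy works because file-type tooling stops at the leading magic bytes. A practitioner can go one step further: walk the OpenPGP packet headers and see whether they actually tile the file, then scan for an executable or HTA text behind them. The check below is an added example written for this page; it is not Kroll's analysis tooling. It assumes the "PGP Secret Sub-key" signature corresponds to an old-format packet header with tag 7 (RFC 4880, section 4.3), and all sample bytes (`GENUINE_LIKE`, `DECOY`) are constructed for the demonstration rather than taken from the campaign.

```python
"""Sanity-check a file that libmagic reports as a PGP key: walk its OpenPGP packet
headers and look for an executable or HTA text smuggled behind the magic bytes."""
import re
import struct
from typing import List, Optional, Tuple

# Packet tags that legitimately appear in a key file (RFC 4880, section 4.3):
# 2 signature, 5 secret key, 6 public key, 7 secret subkey, 13 user id,
# 14 public subkey, 17 user attribute.
KEY_PACKET_TAGS = {2, 5, 6, 7, 13, 14, 17}


def walk_packets(data: bytes) -> Tuple[List[Tuple[int, int, int]], Optional[str]]:
    """Walk old- and new-format packet headers (RFC 4880, section 4.2).

    Returns (packets, error): packets is a list of (tag, body_offset, body_len);
    error is None only if the packets tile the whole buffer with nothing left over.
    """
    packets: List[Tuple[int, int, int]] = []
    off = 0
    while off < len(data):
        ctb = data[off]
        if not ctb & 0x80:
            return packets, f"byte at offset {off} is not a packet header"
        if ctb & 0x40:                       # new-format header
            tag = ctb & 0x3F
            if off + 1 >= len(data):
                return packets, "truncated new-format header"
            b1 = data[off + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                if off + 2 >= len(data):
                    return packets, "truncated two-octet length"
                length, hdr = ((b1 - 192) << 8) + data[off + 2] + 192, 3
            elif b1 == 255:
                if off + 6 > len(data):
                    return packets, "truncated five-octet length"
                length, hdr = struct.unpack_from(">I", data, off + 2)[0], 6
            else:
                return packets, f"partial body length at offset {off} (not handled here)"
        else:                                # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                return packets, f"indeterminate length at offset {off}"
            hdr = 1 + (1 << ltype)           # 1-, 2- or 4-byte length field
            if off + hdr > len(data):
                return packets, "truncated old-format header"
            length = int.from_bytes(data[off + 1:off + hdr], "big")
        body = off + hdr
        if body + length > len(data):
            return packets, f"tag {tag} at offset {off} claims {length} body bytes past EOF"
        packets.append((tag, body, length))
        off = body + length
    return packets, None


def find_embedded_pe(data: bytes) -> List[int]:
    """Offsets of 'MZ' headers whose e_lfanew (at +0x3C) points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(b"MZ", data):
        base = m.start()
        if base + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
        pe = base + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
            hits.append(base)
    return hits


HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")


def find_hta_markers(data: bytes) -> List[str]:
    """Case-insensitive search for strings that only an HTML application would carry."""
    low = data.lower()
    return [m.decode() for m in HTA_MARKERS if m in low]


def inspect_pgp_candidate(data: bytes) -> dict:
    packets, err = walk_packets(data)
    tags = [t for t, _, _ in packets]
    return {
        # what the magic-byte check sees: old-format header, tag 7 (secret subkey)
        "magic_says_pgp_key": bool(data) and (data[0] & 0xC0) == 0x80 and ((data[0] >> 2) & 0x0F) == 7,
        "packet_chain_ok": err is None and bool(tags) and all(t in KEY_PACKET_TAGS for t in tags),
        "packet_error": err,
        "packet_tags": tags,
        "embedded_pe_offsets": find_embedded_pe(data),
        "hta_markers": find_hta_markers(data),
    }


def verdict(data: bytes) -> str:
    r = inspect_pgp_candidate(data)
    if r["embedded_pe_offsets"] or r["hta_markers"]:
        return "decoy"
    return "pgp-key" if r["packet_chain_ok"] else "unknown"


def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a two-byte length field (length type 1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def _fake_pe() -> bytes:
    """Minimal MZ stub whose e_lfanew points at a PE signature (constructed, not runnable)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + b"\x00" * 32


# Constructed samples (no real key material): a key-shaped packet chain, and a decoy that
# starts with the tag-7 header bytes, then junk, an HTA fragment and an MZ/PE stub.
GENUINE_LIKE = (_old_packet(5, b"\x04" + b"\x11" * 40)
                + _old_packet(13, b"alice@example.invalid")
                + _old_packet(7, b"\x04" + b"\x22" * 40))
DECOY = (bytes([0x9D, 0x01]) + b"\xfe" * 300
         + b"<html><script>var s=new ActiveXObject('WScript.Shell');</script></html>"
         + _fake_pe())

if __name__ == "__main__":
    for name, blob in (("genuine-like", GENUINE_LIKE), ("decoy", DECOY)):
        print(name, verdict(blob), inspect_pgp_candidate(blob)["packet_error"])
```

On the decoy the first byte satisfies the magic check, but the two-byte length that follows claims a body running past end of file, so the packet walk fails before any key material is reached; the embedded `MZ`/`PE` stub and the `<script`/`ActiveXObject` strings then settle the verdict. A genuine exported key walks cleanly to end of file with only key-file packet tags.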

mshta.exe executes the heavily obfuscated HTA code, which downloads two ZIP files: K1.zip and K2.zip.

"A BPL file is similar to a DLL file. Since both archives are unzipped in the same location by the initial script, when the EXE in K2 is executed it will automatically load the malicious BPL in K1," Dave Truman, Vice President, Cyber Risk Business at Kroll, told Help Net Security.

"Sideloading a malicious BPL into a signed EXE allows for malicious code to run in a more trusted executable, which is allowed to run more freely than non-signed, not previously seen binaries. Organizations are already aware of DLL sideloading so may have detection rules in place looking for suspicious DLL usage, but by using a BPL for BPL sideloading the actor might bypass these rules."
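Existing DLL-sideloading rules keyed on the `.dll` extension miss this, so the practical fix is a rule that treats a Delphi package load the same way. The detection below is an added example for this page, not a Kroll rule, and it runs over Sysmon Event ID 7 (ImageLoaded) records represented as Python dicts; the field names (`Image`, `ImageLoaded`, `Signed`, `SignatureStatus`) follow Sysmon's schema, while every path, file name and event in `SAMPLE_EVENTS` is constructed for the demonstration. Sysmon 7 only records the signature of the loaded module, not of the host process, so the "signed EXE" half of the pattern is not checked here.

```python
"""Detection logic for BPL sideloading over Sysmon Event ID 7 (ImageLoaded) records:
an unsigned .bpl loaded from a user-writable directory, weighted higher when it sits
beside the host EXE, as in the unzip-both-archives-into-one-folder chain."""
import ntpath
from typing import Dict, List, Optional

# Directories an unprivileged user can write to; a .bpl here is not a vendor install.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\users\\public\\",
)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def bpl_sideload_alert(ev: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return an alert dict for a suspicious BPL load, or None."""
    if ev.get("EventID") != 7:
        return None
    loaded = str(ev["ImageLoaded"])
    if not loaded.lower().endswith(".bpl"):
        return None
    reasons: List[str] = []
    if str(ev.get("Signed", "false")).lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("bpl-unsigned-or-invalid-signature")
    if is_user_writable(loaded):
        reasons.append("bpl-in-user-writable-path")
    if ntpath.dirname(loaded).lower() == ntpath.dirname(str(ev["Image"])).lower():
        reasons.append("bpl-beside-host-exe")
    # Vendor installs under Program Files commonly ship unsigned BPLs, so require both
    # a bad signature and a user-writable location before alerting.
    if ("bpl-unsigned-or-invalid-signature" not in reasons
            or "bpl-in-user-writable-path" not in reasons):
        return None
    return {
        "severity": "high" if "bpl-beside-host-exe" in reasons else "medium",
        "process": ev["Image"],
        "module": loaded,
        "reasons": reasons,
    }


def scan_events(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [a for a in (bpl_sideload_alert(e) for e in events) if a]


# Constructed sample records (not real telemetry); paths and names are made up.
SAMPLE_EVENTS = [
    {   # both archives unzipped into one Temp folder: the EXE picks up the BPL next to it
        "EventID": 7,
        "Image": r"C:\Users\bob\AppData\Local\Temp\k\Viewer.exe",
        "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\k\rtl280.bpl",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # vendor install: signed BPL from Program Files
        "EventID": 7,
        "Image": r"C:\Program Files\Vendor\Viewer.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\rtl280.bpl",
        "Signed": "true", "Signature": "Vendor Ltd", "SignatureStatus": "Valid",
    },
    {   # unsigned BPL in a vendor directory: left to the DLL/BPL baseline, not this rule
        "EventID": 7,
        "Image": r"C:\Program Files\Vendor\Viewer.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\vcl280.bpl",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # a DLL load is out of scope for this rule
        "EventID": 7,
        "Image": r"C:\Users\bob\AppData\Local\Temp\k\Viewer.exe",
        "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\k\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The user-writable filter is a deliberate false-positive trade-off: many legitimate Delphi applications ship unsigned packages in their install directory, so the rule only fires where an unpacked archive would land. To cover the signed-host half of the pattern, correlate the alert with the matching Event ID 1 (ProcessCreate) record for the same process, which does carry the host's signature fields.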


News URL

https://www.helpnetsecurity.com/2024/06/26/malware-bpl-sideloading/