Recent attacks have leveraged AppDomainManager Injection to execute malware, a technique first publicized in 2017. Despite the availability of PoCs and explanatory blogs, actual instances of this attack are rare.
Concerns have arisen about the potential for nation-state-sponsored groups to exploit this method, leading to its increased prevalence in the future. Understanding the mechanics and risks associated with AppDomainManager injection is crucial for implementing effective countermeasures.
The attackers are employing two strategies to compromise systems: downloading a malicious ZIP file from a compromised website or attaching it to phishing emails. Both methods deliver a ZIP file containing a harmful MSC file.
When opened, the MSC file leverages the GrimResource technique to exploit vulnerabilities in the system, potentially leading to unauthorized access or data theft.
GrimResource is a new technique that allows attackers to execute malicious actions without user interaction when opening MSC files. Unlike conventional malicious MSC files that require the user to click on a link, it eliminates this step, making it easier for attackers to compromise systems.
The MSC files can be configured to display icons that resemble legitimate file types, such as PDF or Windows certificate files, further disguising their malicious nature. This poses a significant security risk, as users may inadvertently open these files and become infected.
The MSC file leverages GrimResource to extract embedded JavaScript code from the apds.dll file, which ultimately executes a VBScript that downloads and saves four files.
One of these files, oncesvc.exe, is a legitimate Microsoft dfsvc.exe file with a modified name, which is then executed, potentially allowing the malicious code to gain unauthorized access or execute harmful actions on the compromised system.
The attacker exploits the version redirection feature in the oncesvc.exe.config file to load an external DLL containing a class that inherits from AppDomainManager; the malicious code is placed in that class's InitializeNewDomain function, potentially gaining unauthorized access or performing harmful actions.
AppDomainManager Injection leverages .NET Framework redirection to load malicious DLLs under the guise of legitimate applications, which exploits the AppDomainManager class to effectively execute malicious code within the context of the targeted application.
Unlike DLL side-loading, which requires more complex manipulation, AppDomainManager injection is relatively straightforward and can be achieved by simply modifying the application’s exe.config file.
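Because the whole technique hinges on a few lines in an exe.config, a defender can hunt for it by parsing those files. The following Python is an added example written for this article; it is not code from the report or from any tool the article describes. It parses a .NET Framework exe.config, flags the `appDomainManagerAssembly` / `appDomainManagerType` settings that redirect AppDomain creation to a custom managed assembly, records the assembly-binding `probing` paths and `bindingRedirect` entries that often accompany them, and derives the DLL name an analyst should expect to find next to the host executable. The two embedded configs are constructed samples; the assembly, namespace and type names in them are placeholders, not indicators from any real campaign.

```python
"""Triage helper for AppDomainManager injection in .NET Framework exe.config files.

Added example (not from the article or the underlying report). Parses an
exe.config, flags the <runtime> elements that hand AppDomain creation to a
custom assembly, and derives the DLL file name an analyst should look for
next to the host executable.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

# Constructed sample resembling a config planted next to a renamed legitimate
# .NET host (the page's oncesvc.exe). All names below are placeholders.
SUSPICIOUS_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="PLACEHOLDER_ASM, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="PLACEHOLDER_NS.PLACEHOLDER_TYPE" />
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <probing privatePath="lib" />
    </assemblyBinding>
  </runtime>
</configuration>
"""

# Constructed benign sample: an ordinary startup section, no AppDomainManager override.
BENIGN_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />
  </startup>
</configuration>
"""


@dataclass
class ConfigFinding:
    manager_assembly: Optional[str] = None          # fully qualified assembly name
    manager_type: Optional[str] = None              # namespace-qualified type name
    probing_paths: List[str] = field(default_factory=list)
    redirects: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either element alone is enough to make the runtime load a custom manager.
        return self.manager_assembly is not None or self.manager_type is not None

    @property
    def unsigned(self) -> bool:
        # PublicKeyToken=null means the named assembly carries no strong name.
        return bool(self.manager_assembly) and "publickeytoken=null" in self.manager_assembly.lower()


def _local_name(tag: str) -> str:
    """Strip the XML namespace that <assemblyBinding> children carry."""
    return tag.rsplit("}", 1)[-1]


def expected_dll_name(fully_qualified: str) -> str:
    """'Name, Version=..., Culture=..., PublicKeyToken=...' -> 'Name.dll'."""
    return fully_qualified.split(",", 1)[0].strip() + ".dll"


def inspect_exe_config(xml_text: str) -> ConfigFinding:
    """Walk every element, regardless of depth or namespace, and collect the
    settings relevant to AppDomainManager injection."""
    finding = ConfigFinding()
    for elem in ET.fromstring(xml_text).iter():
        name = _local_name(elem.tag)
        if name == "appDomainManagerAssembly":
            finding.manager_assembly = elem.get("value")
        elif name == "appDomainManagerType":
            finding.manager_type = elem.get("value")
        elif name == "probing" and elem.get("privatePath"):
            finding.probing_paths.append(elem.get("privatePath"))
        elif name == "bindingRedirect":
            finding.redirects.append((elem.get("oldVersion", ""), elem.get("newVersion", "")))
    return finding


def scan_directory(root: str) -> Iterator[Tuple[Path, ConfigFinding]]:
    """Yield (path, finding) for every *.exe.config under root that overrides
    the AppDomainManager. Unparseable files are skipped, not fatal."""
    for cfg in Path(root).rglob("*.exe.config"):
        try:
            finding = inspect_exe_config(cfg.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue
        if finding.suspicious:
            yield cfg, finding


if __name__ == "__main__":
    f = inspect_exe_config(SUSPICIOUS_CONFIG)
    print("suspicious:", f.suspicious, "| unsigned:", f.unsigned)
    print("look for:", expected_dll_name(f.manager_assembly), "in", f.probing_paths or ["the exe directory"])
    print("benign sample suspicious:", inspect_exe_config(BENIGN_CONFIG).suspicious)
```

A hit is a lead, not a verdict: legitimate software occasionally ships a custom AppDomainManager, so pair the finding with the host binary's identity (a renamed, signed Microsoft executable such as dfsvc.exe next to an unsigned DLL is the pattern the article describes) and with the DLL's signature and age. The same settings can also be supplied through the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables, which this file-based check does not cover.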
According to JP Security, given its wide applicability and ease of use, there is growing concern that this technique may be exploited more frequently in future attacks.
The attackers in this campaign employed AppDomainManager Injection to execute malware, similar to tactics used by APT41; the technique poses a significant threat because it is difficult to detect.
Their targets include government agencies in Taiwan, the military in the Philippines, and energy organizations in Vietnam, suggesting a focus on countries bordering the South China Sea.
The use of a decoy document related to Japan’s defense power indicates a potential expansion of their targets in the future. Organizations should prioritize implementing detection mechanisms for AppDomainManager injection attacks to mitigate the risks associated with this evolving threat.