
Cyber Threat Alert: Yokai Malware Targeting Thai Officials


A new backdoor named Yokai has been identified targeting Thai officials. The threat is distributed through RAR archives containing shortcut files that open a decoy document while executing a dropper. The dropper installs a legitimate iTop Data Recovery application, which is then abused to side-load the Yokai backdoor DLL.

Once deployed, Yokai establishes scheduled tasks, gathers system information, and communicates with its command-and-control (C2) servers to receive instructions and exfiltrate data. It encrypts its C2 traffic and validates checksums on the messages it exchanges with that infrastructure. The backdoor also provides remote shell access and arbitrary command execution, making it a versatile tool for threat actors.

This incident underscores the persistent use of DLL side-loading techniques by cyber adversaries to bypass detection mechanisms.

Initial Infection Vector:

The attack begins with spear-phishing emails containing RAR archive attachments. These archives include shortcut files (.lnk) that, when executed, perform two primary actions:

  1. Decoy Document Presentation: A legitimate-looking document is opened to deceive the user into believing that the file is harmless.
  2. Dropper Execution: Simultaneously, a dropper is executed in the background. This dropper is responsible for deploying the next stage of the malware.

DLL Side-Loading Mechanism:

The dropper installs a legitimate application, specifically the iTop Data Recovery tool. Alongside this legitimate executable, a malicious DLL named sqlite3.dll is placed in the same directory. This setup relies on the DLL side-loading technique: because Windows searches the application's own directory before the system directories when resolving a DLL by name, the legitimate application inadvertently loads the malicious DLL. This method allows the malware to execute under the guise of a trusted application, thereby evading security measures.

Netskope

Persistence and Command & Control (C2) Communication:

Once active, Yokai establishes persistence by creating scheduled tasks that ensure its execution upon system startup or at predefined intervals. It gathers system information and initiates communication with its C2 servers. The communication is encrypted to hinder inspection of the traffic and protected by checksum validation to detect tampering. Through this channel, the backdoor can receive commands from the attackers, including:

  • Remote Shell Access: Providing the capability to execute arbitrary commands on the infected system.
  • Data Exfiltration: Allowing the transfer of collected data back to the attackers.

Technical Specifications:

  • Malicious DLL: sqlite3.dll
  • Legitimate Application: iTop Data Recovery (IdrInit.exe)
  • Persistence Mechanism: Scheduled tasks
  • C2 Communication: Encrypted with checksum validation

Implications:

The use of DLL side-loading in this attack highlights a persistent tactic among threat actors to bypass security defenses by leveraging legitimate software. By embedding malicious code within trusted applications, attackers can maintain a low profile, making detection and remediation more challenging.

CrowdStrike

Recommendations:

  • User Awareness: Educate users about the dangers of opening unsolicited email attachments, even if they appear legitimate.
  • Application Monitoring: Implement monitoring to detect unusual behaviors in legitimate applications, such as unexpected DLL loads.
  • Security Policies: Enforce strict policies regarding the execution of applications and the loading of DLLs, potentially utilizing application whitelisting to prevent unauthorized code from running.
  • Regular Updates: Ensure all software, including security tools, is regularly updated to recognize and defend against the latest threats.
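As an added example (not from the original post or from the research it summarizes), the following Python detector applies the Application Monitoring recommendation above to Sysmon Event ID 7 (image load) records and flags the pattern described in the side-loading section: a process loading an unsigned DLL from its own user-writable directory. The sample records, paths and process names are constructed for illustration.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (image load) records.

Heuristic: a process loads an UNSIGNED DLL from the same directory as its own
executable, and that directory is user-writable (not under Windows or
Program Files). A DLL name alone (e.g. sqlite3.dll) is not a signal, since the
name is shared with a legitimate library; the location and signature are.
Field names follow Sysmon's Event 7 schema; the records are constructed samples.
"""
from pathlib import PureWindowsPath

# Constructed sample records modelled on Sysmon Event ID 7 fields (hypothetical).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user\AppData\Local\Temp\IdrInit.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\sqlite3.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\IdrInit.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Directories normally writable only by administrators.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def _is_user_writable(path: PureWindowsPath) -> bool:
    """True unless the path sits under an admin-controlled root."""
    s = str(path).lower()
    return not any(s.startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: dict) -> bool:
    """Return True when the event matches the side-loading heuristic."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    unsigned = (ev.get("Signed", "").lower() != "true"
                or ev.get("SignatureStatus") != "Valid")
    return same_dir and unsigned and _is_user_writable(dll.parent)


def find_sideload_candidates(events) -> list:
    """Return (process, dll) pairs for every event that matches the heuristic."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {exe} loaded unsigned DLL from its own directory: {dll}")
```

Only the first record is flagged: the signed system DLL and the signed DLL under Program Files are left alone, which keeps the rule quiet on normal software.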

By understanding the technical intricacies of the Yokai backdoor and its deployment methods, organizations can better prepare and implement defenses against such sophisticated attacks.
