BlackBerry Ltd.

05/19/2022 | Press release | Distributed by Public on 05/19/2022 15:05

.NET Stubs: Sowing the Seeds of Discord

Earlier this year, as the rest of the world was just beginning to turn a concerned eye to unsettling military actions in Ukraine, the security industry's attention was trained on malicious cyber activity in the country. When the WhisperGate wiper was discovered - a multi-staged malicious wiper disguised as ransomware - researchers dug in to see what could be learned about the techniques used by its authors, and what it could teach us about the threat landscape in general.

In this post, we'll retrace our steps down a surprising rabbit hole that was revealed while examining this momentous malware. We'll discuss what we found, and what it can tell us about the methods threat actors are finding useful to accomplish their nefarious actions.

Analysis of the WhisperGate malware wiper targeting Ukraine in early 2022 first shone a light on the use of a Microsoft Intermediate Language (MSIL) stub as a delivery mechanism for the malware, which abused the Discord content delivery network (CDN). When we investigated these stubs further and looked for others like them, we found them to be used in the delivery of a far larger array of commodity .NET-based malware.

Whispers in the Wind

We've covered details regarding WhisperGate in a previous blog, which provides a more extensive breakdown of the third and fourth stages of the wiper. What stood out to us, in the course of conducting that research into the final stages of the malware, was the MSIL stub used to deliver the third stage of the malware, first noted by ESET Research.

To put it simply, these stubs are components of small Windows® executable files that act as downloaders for a subsequent main payload. The .NET framework includes individual compilers for various programming languages, such as VB.NET and C#. An MSIL stub is the output of compiling source code with one of these .NET compilers, and because the result is MSIL rather than native code, it can then be used across any environment with the .NET runtime.

The main payload that this stub delivers is typically commodity .NET malware, such as Agent Tesla and QuasarRAT, among others. While WhisperGate appeared to use the service that created this stub on only one occasion, we wanted to dive a little further into it and see why this method in particular is being used to deliver so many common .NET-based malware families.
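As an added triage example (not code from the original post or from BlackBerry), the script below shows how a defender can flag the combination described above: a managed (.NET) executable that carries an embedded Discord CDN download URL. It identifies a .NET assembly by the "BSJB" signature that begins the CLR metadata root, and it extracts both ASCII and UTF-16LE string runs, because C# string literals are stored as UTF-16LE in the compiled assembly's #US heap and a plain ASCII `strings` pass would miss them. The hostnames matched (`cdn.discordapp.com`, `media.discordapp.net`) are an assumption about what such stubs embed; the post itself only says the stubs abuse the Discord CDN. The sample byte blobs are constructed, not real PE files.

```python
import re
from typing import Dict, List

# "BSJB" is the signature at the start of the CLR metadata root of every
# managed assembly; a cheap indicator that a PE carries MSIL, not only native code.
CLR_METADATA_SIGNATURE = b"BSJB"

# Assumption: the stub embeds a download URL on one of these Discord CDN hosts.
URL_RE = re.compile(r"https?://(?:cdn\.discordapp\.com|media\.discordapp\.net)/\S+")

# Printable runs of at least 8 characters, in ASCII and in UTF-16LE
# (the encoding used for C# string literals in a compiled assembly).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE string runs found in the bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data)]
    return found


def is_dotnet(data: bytes) -> bool:
    """Heuristic: a PE ('MZ' header) that contains the CLR metadata signature."""
    return data.startswith(b"MZ") and CLR_METADATA_SIGNATURE in data


def find_discord_cdn_urls(data: bytes) -> List[str]:
    """Collect unique Discord CDN URLs from both string encodings."""
    urls: List[str] = []
    for text in extract_strings(data):
        urls.extend(URL_RE.findall(text))
    return sorted(set(urls))


def triage(data: bytes) -> Dict[str, object]:
    """Flag a file only when it is managed code AND embeds a Discord CDN URL."""
    dotnet = is_dotnet(data)
    urls = find_discord_cdn_urls(data)
    return {
        "is_dotnet": dotnet,
        "discord_cdn_urls": urls,
        "suspicious": dotnet and bool(urls),
    }


# Constructed sample resembling a .NET downloader stub: a fake PE prefix, the CLR
# metadata signature, and a placeholder CDN URL stored as a UTF-16LE literal.
SAMPLE_STUB = (
    b"MZ" + b"\x00" * 62
    + b"PE\x00\x00" + b"\x00" * 20
    + CLR_METADATA_SIGNATURE + b"\x00" * 12
    + "https://cdn.discordapp.com/attachments/PLACEHOLDER/payload.bin".encode("utf-16le")
    + b"\x00" * 16
    + b"native-only-padding-text"   # an ASCII run that is not a URL
)

# Constructed native-only sample: a PE with no CLR metadata and no CDN URL.
SAMPLE_NATIVE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64 + b"Hello from native code"

# Constructed .NET sample with no CDN reference (should not be flagged).
SAMPLE_CLEAN_DOTNET = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + CLR_METADATA_SIGNATURE
    + "https://example.invalid/update.xml".encode("utf-16le") + b"\x00" * 8
)

if __name__ == "__main__":
    for name, blob in (("stub", SAMPLE_STUB), ("native", SAMPLE_NATIVE), ("clean .NET", SAMPLE_CLEAN_DOTNET)):
        print(name, triage(blob))
```

The UTF-16LE pass is the part worth keeping even if the host list changes: any indicator hunt over managed binaries (a C2 address, a mutex name, a hardcoded path) has to decode the #US heap encoding or it will only see strings the compiler stored as ASCII.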