Full delivery chain from LNK to in-memory RAT | Image: Rapid7
Threat researchers have uncovered a new Dropping Elephant malware attack using an advanced fileless mechanism. Rapid7 recently published their findings detailing this latest campaign. Specifically, this threat group utilizes a China-themed decoy document. This document delivers a heavily reworked remote access trojan directly into system memory. Consequently, this campaign demonstrates evolved evasion tactics.
At a Glance
- Malware Family: Evolved in-memory remote access trojan (RAT).
- Threat Actor: Confirmed attribution to Dropping Elephant.
- Targets: Suspected Asian energy-sector entities. No specific victim counts have been confirmed in current reporting.
- Delivery Vector: Malicious LNK shortcuts mimicking PDF documents.
- Key Capabilities: Process scanning, screenshot capture, and HTTPS exfiltration.
- Source: Rapid7 threat research team.
TL;DR
Attackers distribute malicious shortcut files that spawn a complex loader chain. Subsequently, the chain side-loads a malicious library and injects a hidden trojan into memory. Finally, the Dropping Elephant malware bypasses local security tools to establish secure communication with its server.
Delivery
The attack begins when a user clicks a malicious Windows shortcut. This file appears as a standard PDF document. In reality, it acts as the initial staging mechanism. The shortcut features a lure relating to a China energy-sector contract. It explicitly mentions an industrial seawater circulation pump project. Next, the shortcut triggers an obfuscated script using the Windows console host. This script connects to a staging server. It downloads a legitimate decoy document to distract the victim. Concurrently, it retrieves several malicious payloads in the background. The staging server hosts these files on a dedicated domain. It serves several disguised files with fake extensions to the victim. The script renames these files by removing filler characters from their names, then rebuilds the required dynamic link libraries. The script places these files inside public user folders. Finally, the initial script deletes the original shortcut file. This deletion helps hide the initial attack vector from investigators.
Infection Chain
The downloaded files initiate a multi-stage infection process. First, the script restores a legitimate Microsoft binary. Then, it places a malicious loader library alongside it. This sets up a side-loading attack: the legitimate program executes the malicious library. The side-loaded library exports a specific function to continue the attack. This function acts as the primary loader entry point. Afterward, the loader decrypts a hidden data file. This file contains a specific shellcode injector. The loader decodes the encoded data and then decrypts the resulting ciphertext. Attackers assemble the decryption key dynamically on the memory stack. This memory-based key assembly helps evade basic static file analysis. The decrypted output provides a specialized shellcode block. The shellcode unpacks the final trojan directly into memory. The attack drops no final executable on the hard drive. Historically, Dropping Elephant relied on known vulnerabilities like CVE-2012-0158 and CVE-2014-1761. However, this specific campaign focuses purely on fileless execution. Before running the payload, the shellcode patches internal security controls. This reduces defensive telemetry for the unpacked Dropping Elephant malware. Rapid7 notes, “The malware uses control-flow flattening, runtime API reconstruction, and static CRT linking to complicate analysis.” This fileless execution method creates significant blind spots for antivirus scanners.
Command-and-Control and Data-Exfiltration Behavior
The hidden trojan initiates a quiet reconnaissance phase. First, it gathers system details. It collects the username, computer name, and running process list. The trojan detaches from the system console immediately upon startup. This detachment prevents any suspicious windows from appearing on screen. Afterward, it resolves its required application programming interfaces dynamically. The malware generates a unique identifier for the infected machine. It fingerprints the host by querying public IP resolution services. Next, the trojan verifies internet connectivity by pinging major web services. Only after a successful check does it contact the operator. The implant connects to a remote server over a secure HTTPS connection. The network traffic mimics legitimate web browsing activity. It uses standard web ports and secure web protocols. The operators protect all exchanged data using specialized block ciphers. If the server issues a command, the trojan acts immediately. The threat actor can execute shell commands silently. Additionally, they can download further tools, steal local files, or capture screen images. The trojan captures the screen and encodes it before uploading. The full process list also reveals any running debuggers to the operator. If a check-in fails, the malware retries the connection aggressively. It loops every few seconds until it reaches the server.
Defense and Detection Guidance
Administrators must look for specific behavioral indicators. Rapid7 emphasizes that “Defenders should not rely on the IOCs alone.” You should monitor for shortcut files that spawn unusual scripts. Keep an eye out for unexpected files appearing in public user directories. Additionally, investigate any scheduled tasks named after error reporting services that run every minute. Organizations must implement strong behavioral monitoring. You should hunt for processes detaching from expected console windows. Look for sudden outbound connections to unclassified external IP addresses. Security teams must ensure their endpoint tools can detect memory-resident payloads. Review whether your current defenses catch security-control patching within running processes. Threat hunters should check for anomalous scheduled task creation. Focus especially on tasks launching legitimate binaries from public folders. Finally, hunt for anomalous network traffic connecting over HTTPS to unrecognized domains. By focusing on system behaviors, defenders can spot this stealthy tradecraft.
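The behavioral hunts listed above, as an added example that is not Rapid7's tooling or code from the report. It runs over constructed process-, file- and scheduled-task-creation events shaped like Sysmon telemetry; the public-folder path, the command-line length threshold and the error-reporting task-name pattern are assumptions, and every file and task name in the sample is made up rather than an indicator from the campaign.

```python
"""Hunt constructed endpoint telemetry for the Dropping Elephant behaviours described above."""
import re

# Assumed locations and names; not indicators taken from the Rapid7 report.
PUBLIC = re.compile(r"^c:\\users\\public\\", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "conhost.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WER_LIKE = re.compile(r"error\s*report|\bwer\b", re.I)   # task names riffing on Windows Error Reporting
LONG_CMDLINE = 150                                        # heuristic for an obfuscated LNK-launched script


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, detail) pairs for events matching the page's behavioural indicators."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            img, parent, cmd = ev["image"], ev["parent"], ev.get("cmdline", "")
            # 1. Explorer (which launches clicked shortcuts) spawning a script host with a long command line.
            if basename(parent) == "explorer.exe" and basename(img) in SCRIPT_HOSTS and len(cmd) > LONG_CMDLINE:
                hits.append(("lnk_script_spawn", cmd[:60]))
            # 2. A binary running out of a public user folder (where the side-loaded DLL is staged).
            if PUBLIC.match(img):
                hits.append(("exec_from_public", img))
        elif ev["type"] == "file" and PUBLIC.match(ev["path"]) and ev["path"].lower().endswith((".dll", ".exe")):
            # 3. Executable content dropped into a public user directory.
            hits.append(("binary_dropped_in_public", ev["path"]))
        elif ev["type"] == "task" and WER_LIKE.search(ev["name"]) and ev["interval_sec"] <= 60:
            # 4. Error-reporting lookalike task firing every minute.
            hits.append(("wer_lookalike_task_minutely", ev["name"]))
    return hits


# Constructed telemetry: two benign events at the end should produce no hits.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c " + "set a=b&" * 30},
    {"type": "file", "path": r"C:\Users\Public\Libraries\loader.dll"},
    {"type": "process", "image": r"C:\Users\Public\Libraries\host.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "host.exe"},
    {"type": "task", "name": "Windows Error Reporting Update", "interval_sec": 60},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},
    {"type": "task", "name": "Adobe Acrobat Update Task", "interval_sec": 86400},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```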