Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 4 new DLLs actively used ITW with search order hijacking #72

Merged
merged 9 commits into from
Apr 12, 2024
Merged

Add 4 new DLLs actively used ITW with search order hijacking #72

merged 9 commits into from
Apr 12, 2024

Conversation

JPMinty
Copy link
Contributor

@JPMinty JPMinty commented Apr 10, 2024

New entries.
Cisco: wcldll.dll seen loaded into ptInst.exe. The exact vulnerable path where this resides was pieced together from multiple sources and is technically unknown. This has been seen maliciously residing in the directory appdata\roaming\microsoft\windows\Roaming\mibincodec\ptInst.exe
Asus: asus_wmi.dll and asio.dll both have been seen loaded into renamed executables of atkexComSvc.exe such as TPAutoConnect.exe. This has been seen maliciously residing within subdirectories of AppData\Local\
Glorylogic: badata_x64.dll seen loaded into TrueBurner.exe. This has been seen maliciously residing in subdirectories of ProgramData\

JPMinty and others added 8 commits April 10, 2024 11:45
@JPMinty
ASUS vulnerable atkexComSvc.exe commit
d6a1c39
@JPMinty
Commit Asus, GloryLogic and Cisco
019fa57 
3 executables from 3rd parties vulnerable to DLL sideloading a malicious DLL and actively used in the wild
@JPMinty
Fixes for type and author fields
37ce6f7
@JPMinty
Update wcldll.yml
ee75505 
Fixed typo in expected locations
@JPMinty
Update badata_x64.yml
2a8fd49 
Fixed vendor typo
@JPMinty
Update badata_x64.yml
8a5fc2e 
Remove undefined coments field in version information
@JPMinty
Update wcldll.yml
9e80670
@wietze
Minor fixes
ba72840
@wietze wietze self-requested a review April 12, 2024 18:34
wietze
wietze approved these changes Apr 12, 2024
View reviewed changes
Copy link
Owner

@wietze wietze left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, thanks for contributing!

@wietze wietze merged commit bb744e6 into wietze:main Apr 12, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wietze wietze wietze approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JPMinty @wietze