DueDLLigence

A short investigative write-up

January 2021

DueDLLigence is a tool developed by Mandiant that is used for DLL side-loading.

Malware Analysis

In this incident, an email is sent from an external email address but is crafted to appear to come from an internal user. The email entices the user to click a malicious link in order to receive a discount. The email has been redacted for privacy reasons.

After clicking the link contained in the email, a JavaScript file is downloaded. The file still requires the user to open it, at which point Windows Script Host (wscript) executes it:

Figure 1: JavaScript file downloaded

Figure 2: WScript executing JavaScript

We can see here that the JavaScript code contains a Base64 encoded PowerShell script:

Figure 3: Reviewing the JavaScript code

The PowerShell script includes an additional layer of obfuscation:

Figure 4: PowerShell Script

By setting a breakpoint in the script and writing the decoded variable out to a file, we can obtain the shellcode:

Figure 5: Obtaining the shellcode

Now we can review the shellcode to get valuable pieces of information:

Figure 6: Shellcode containing C2 domain and User-Agent String

Tactics, Techniques, Procedures

Initial Access
  • Spearphishing Link
  • Valid Accounts
  • External Remote Services
Execution
  • Control Panel Items
  • RunDLL32
  • Scripting
Defense Evasion
  • Control Panel Items
  • Deobfuscate/Decode Files or Information
  • DLL Side-Loading

Prevention/Detection

  • Check if JavaScript files contain “new ActiveXObject("wscript.shell");”
  • Monitor for API calls to VirtualAllocEx followed by WriteProcessMemory
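As an added example that is not part of the original write-up, the two checks above implemented in Python over constructed input: a scanner for the WScript.Shell ActiveXObject indicator that also decodes embedded Base64 blobs to spot a PowerShell command line (the layering seen in Figures 3 and 4), and a pass over API-trace lines that flags VirtualAllocEx followed by WriteProcessMemory against the same target process. The JavaScript sample, its Base64 blob and the "<pid> <api> <target_pid>" trace format are all assumptions made for the example.

```python
import base64
import binascii
import re

# Constructed sample: a JavaScript dropper of the kind described above, which
# spawns WScript.Shell and carries a Base64-encoded PowerShell command line.
SAMPLE_JS = r'''
var sh = new ActiveXObject("WScript.Shell");
var p = "cG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWVuYyBBQkNE";
sh.Run("cmd /c echo " + p, 0, false);
'''

# Constructed API-trace lines in "<pid> <api> <target_pid>" form (format assumed).
SAMPLE_TRACE = """1234 VirtualAllocEx 5678
1234 WriteProcessMemory 5678
1234 CreateRemoteThread 5678
4321 VirtualAllocEx 4321"""

ACTIVEX_RE = re.compile(r"""new\s+ActiveXObject\s*\(\s*["']wscript\.shell["']\s*\)""", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def scan_js(text):
    """Return findings for one JavaScript file: the WScript.Shell indicator
    itself, plus any Base64 blob that decodes to a PowerShell command line."""
    findings = []
    if ACTIVEX_RE.search(text):
        findings.append("wscript.shell ActiveXObject")
    for blob in B64_RE.findall(text):
        blob = blob[: len(blob) - len(blob) % 4]  # drop a trailing partial group
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except binascii.Error:
            continue
        if "powershell" in decoded.lower():
            findings.append("base64 powershell: " + decoded)
    return findings


def find_injection_pairs(trace):
    """Return (pid, target) pairs where VirtualAllocEx on a target process is
    later followed by WriteProcessMemory from the same caller to that target."""
    allocated, hits = set(), []
    for line in trace.splitlines():
        pid, api, target = line.split()
        if api == "VirtualAllocEx":
            allocated.add((pid, target))
        elif api == "WriteProcessMemory" and (pid, target) in allocated:
            hits.append((pid, target))
    return hits
```

The Base64 decode is what catches the encoded PowerShell layer even when the plaintext never mentions powershell.exe; self-targeted VirtualAllocEx without a later write (the 4321 line) is deliberately not flagged.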