Update T1574.002.yaml (#2881)

Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file. Co-authored-by: Carrie Roberts <[email protected]>
redcanaryco · Aug 3, 2024 · fba22ab · fba22ab
1 parent e646997
commit fba22ab
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/atomics/T1574.002/T1574.002.yaml b/atomics/T1574.002/T1574.002.yaml
@@ -71,3 +71,28 @@ atomic_tests:
     cleanup_command: |
       taskkill /F /IM #{process_name} >nul 2>&1
     name: command_prompt
+- name: DLL Search Order Hijacking,DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
+  description: |
+    Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe", which can load further executables embedded in modified KeyScramblerIE.dll file.
+  supported_platforms:
+  - windows      
+  executor:
+    command: |-
+      Write-Host 1.Downloading KeyScrambler from official website to temp directory
+      Invoke-WebRequest -Uri "https://download.qfxsoftware.com/download/latest/KeyScrambler_Setup.exe" -OutFile $env:Temp\KeyScrambler_Setup.exe
+      Write-Host 2.Installing KeyScrambler with KeyScrambler_Setup.exe from temp directory
+      Start-Process -FilePath $env:Temp\KeyScrambler_Setup.exe -ArgumentList /S -Wait
+      Write-Host 3.Copying KeyScrambler.exe to temp folder,to avoid permission issues, which calls KeyScramblerIE.dll in CWD i.e. temp
+      Copy-Item "C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe" -Destination $env:TEMP\KeyScrambler.exe
+      Write-Host 4.Executing KeyScrambler.exe, you should see a popup of missing KeyScramblerIE.dll, you can close this popup
+      Start-Process -FilePath $env:Temp\KeyScrambler.exe
+      Write-Host 5.A modified KeyScramblerIE.dll can be copied to temp, which can be misused by Attacker
+    cleanup_command: |-
+      Write-Host 1.Kindly close the popup window asking for KeyScramblerIE.dll ,so that it gets deleted.
+      
+      Remove-Item -Path $env:Temp\KeyScrambler_Setup.exe
+      Start-Process -FilePath "C:\Program Files (x86)\KeyScrambler\Uninstall.exe" -ArgumentList /S -Wait
+      Remove-Item -Path $env:Temp\KeyScrambler.exe
+      Write-Host 2.KeyScrambler cleanup completed successfully.
+    name: powershell
+    elevation_required: true