{
  "name": "Side Loading through IObit against Colombia",
  "slug": "side-loading-through-iobit-against-colombia",
  "description": "In May 2024, researchers detected a phishing campaign impersonating the Colombian Attorney General's Office, aiming to infect systems with AsyncRAT malware. The attack employs a ZIP file containing legitimate IObit antivirus software and malicious files, utilizing DLL side-loading for execution. While sharing similarities with APT-C-36, the kill-chain differs from their previous campaigns, suggesting modified tactics. The infection chain involves the legitimate IObit executable loading a malicious DLL, creating processes for code injection, and ultimately deploying AsyncRAT via process hollowing. Persistence mechanisms include a startup link file and scheduled task.",
  "published": "2024-05-29T09:06:01+00:00",
  "created_at": "2024-05-29T09:06:01+00:00",
  "modified_at": "2024-05-29T09:30:00+00:00",
  "created_at_opencti": "2024-05-29T09:06:01+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-05-29",
    "asyncrat",
    "dllsideloading",
    "phishing",
    "processhollowing"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50"
      },
      {
        "id": "",
        "name": "372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12"
      },
      {
        "id": "",
        "name": "1dd7ae853911217095d2254337bedecee7267eea1ac9d0840eaf13506f40c9ab"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:e08fa00836267873",
        "name": "HijackLoader",
        "slug": "hijackloader"
      },
      {
        "id": "f200fb60-5446-493f-9712-9f26d65956cc",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "11d55f14-f38f-4422-b741-e2ae22e4c603",
        "name": "APT-C-36",
        "slug": "apt-c-36"
      }
    ],
    "attack_patterns": [
      {
        "id": "6e916014-32d6-4d04-8fb7-5eff3b7cbbf5",
        "name": "T1547.003"
      },
      {
        "id": "7f878480-009b-4874-8905-a1d1d4558642",
        "name": "T1053.007"
      },
      {
        "id": "eaed9e28-8072-48ff-bd94-ed7d72554636",
        "name": "T1218.005"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "81b422de-709e-43bd-b471-2befac0c623a",
        "name": "T1218.011"
      },
      {
        "id": "840f859f-575f-487e-8083-6ffd01a13a84",
        "name": "T1218.007"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "4804e5ac-a5df-496d-899f-3664ea857672",
        "name": "T1548.003"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Colombia"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/66570c1afb9df27ddda04dc9"
  ]
}