KilllSomeOne Malware Uses DLL Side-loading to Deliver Malicious Implants

Cybersecurity experts have identified a new piece of malware dubbed KilllSomeOne. It was employed in attacks against government-affiliated entities and organizations in Myanmar. Analysis of the infrastructure and codebase of the KilllSomeOne Malware suggests that the implant is likely the work of a China-based Advanced Persistent Threat (APT) actor, which is also consistent with the profile of the targeted organizations.

The KilllSomeOne Malware typically delivered additional malware alongside its payload: on several occasions, researchers recovered only basic shells from infected networks, while in other cases they found more advanced malware samples. In all of the attacks, KilllSomeOne Malware abused a DLL side-loading trick, in which a legitimate, trusted executable is made to load a malicious DLL placed alongside it; the technique has been employed by APT actors for at least 7-8 years. Even today it remains an efficient way to bypass some of the default security policies that Windows systems employ. The good news is that using third-party antivirus software is usually enough to mitigate such attacks.
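As an added defender-side illustration (not code from the original report or from the malware's authors), the heuristic below flags the footprint DLL side-loading leaves in image-load telemetry: a DLL carrying the name of a Windows system library, loaded from the application's own directory instead of a system directory. The field names mimic Sysmon Event ID 7 (ImageLoad), the watchlist of DLL names is an assumption, and the sample events are constructed.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Constructed example: record fields mimic Sysmon Event ID 7 (Image = loading
process, ImageLoaded = DLL path, Signed = DLL signature status). No real
indicators from the KilllSomeOne campaign are used.
"""
from pathlib import PureWindowsPath

# Assumed watchlist: Windows DLL names that legitimately live in system
# directories. A copy appearing beside an application binary is suspicious.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}

# Directories where these DLLs are expected to load from (lower-cased for matching).
SYSTEM_DIRS = tuple(
    PureWindowsPath(p) for p in (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True when path lies inside root."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_side_load_candidate(event: dict) -> bool:
    """Flag a system-named DLL loaded from the loading process's own
    non-system directory. A validly signed copy is not flagged."""
    dll = PureWindowsPath(event["ImageLoaded"].lower())
    proc = PureWindowsPath(event["Image"].lower())
    if dll.name not in SYSTEM_DLL_NAMES:
        return False
    if any(_under(dll, d) for d in SYSTEM_DIRS):
        return False
    if event.get("Signed", "false").lower() == "true":
        return False
    return dll.parent == proc.parent


def find_side_loads(events: list) -> list:
    """Return the events that match the side-loading heuristic."""
    return [e for e in events if is_side_load_candidate(e)]


SAMPLE_EVENTS = [  # constructed telemetry, not from any real incident
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Updater\update.exe", "ImageLoaded": r"C:\Users\Public\Updater\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\Public\Updater\update.exe", "ImageLoaded": r"C:\Users\Public\Updater\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_EVENTS):
        print("possible DLL side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

On real telemetry the same check should be scoped to executables that are themselves signed or otherwise trusted, since that is what makes the technique attractive to an attacker and what distinguishes it from an ordinary unsigned program loading its own libraries.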

The KilllSomeOne Malware appears to function as a Loader/Dropper that is used in combination with different malware families that sometimes appear to be too simple for APT actors. So far, no particular group has been linked to the KilllSomeOne Malware campaign.

May 12, 2021