Finding Minhook in a sideloading attack – and Sweden too
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A threat actor campaign targeting multiple locations was observed in late 2023 and early 2024. Initially focused on the Far East, it later shifted to Sweden. The attacks used DLL sideloading techniques, employing the Minhook library to detour Windows API calls. The clean loader was obtained from infected systems rather than being part of the sideloading package. Components were signed with a compromised digital signature. The final payload was Cobalt Strike. Three sideloading scenarios were identified: MiracastView, PrintDialog, and SystemSettings. The Swedish connection revealed an installer with components from previous scenarios and the use of an expired digital signature from a Korean game developer.
OPENCTI LABELS:
cobalt strike,dll sideloading,api hooking,minhook,digital signature