Tdrop2

Description

(Palo Alto) The new malware variant, which we call TDrop2, proceeds to select a legitimate Microsoft Windows executable in the system32 folder, executes it, and then uses the legitimate executable's process as a container for the malicious code, a technique known as process hollowing. Once successfully executed, the corresponding process then attempts to retrieve the second-stage payload.

The second-stage instruction attempts to obfuscate its activity by retrieving a payload that appears to be an image file, but upon further inspection actually appears to be a portable executable.

The C2 server replaces the first two bytes, which are normally 'MZ', with the characters 'DW', which may allow this C2 activity to evade rudimentary network security solutions and thus increase the success rate of retrieval.

Once downloaded, the dropper will replace the initial two bytes prior to executing it. This second-stage payload will once again perform process hollowing against a randomly selected Windows executable located in the system32 folder.

Names

Name
Tdrop2

Category

Malware

Type

  • Downloader

Information

Alienvault Otx

Other Information

Uuid

88ec0db2-4836-4b8e-b9d9-e03118c2de08

Last Card Change

2020-04-20