Qt5Network.dll: Sideloaded by Spoofed Acronis syncagentsrv.exe #97

Open: wants to merge 5 commits into main
17 changes: 17 additions & 0 deletions yml/3rd_party/acronis/qt5network.yml
@@ -0,0 +1,17 @@
---
Name: qt5network.dll
Author: Micah Babinski
Created: 2024-12-17
Vendor: Acronis
ExpectedLocations:
- '%PROGRAMFILES%\Acronis\CyberProtectHomeOffice'
Owner
One more comment: if sideloading is used, aren't qt5network and syncagentsrv.exe expected to be located in the same location?

VulnerableExecutables:
- Path: '%PROGRAMFILES%\common files\acronis\syncagent\syncagentsrv.exe'
Type: Sideloading
SHA256:
- '6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2'
Owner

Is this SHA correct? It does not seem to belong to an Acronis product.

Author

@mbabinski mbabinski Dec 18, 2024

Hi Wietze, thanks for the review. Yeah, I was confused by this. The report mentions that Qt5Network.dll was loaded by syncagentsrv.exe, a legitimate application. But it doesn't provide the EXE hash. A quick Google search reveals that this EXE name is part of an Acronis product. So I recorded the vendor of the product which the malicious zip file was likely trying to mimic. When I looked up the zip file which contained the EXE and DLL in VT, I could see that the syncagentsrv.exe was actually the file represented by the hash I provided in the PR: https://www.virustotal.com/gui/file/6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2.

Based on what little I have found on the actual EXE used in the attack, a renamed copy of PasswordChanger.exe (Active@ Password Changer by LSoft Technologies), this would normally be located in:

  • %PROGRAMFILES%\LSoft Technologies\Active@ Password Changer\PasswordChanger.exe
  • %PROGRAMFILES%\Active Data Recovery Software\Active Password Changer\PasswordChanger.exe or possibly
  • %PROGRAMFILES%\LSoft Technologies\Active@ Data Studio\PasswordChanger.exe

Should I update the submission to be geared toward Active@ Password Changer?

Thanks again!

Resources:
- https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware
- https://www.virustotal.com/gui/file/dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250
Acknowledgements:
- Name: Micah Babinski
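Review bot: The ExpectedLocations directory (`%PROGRAMFILES%\Acronis\CyberProtectHomeOffice`) and the directory of the vulnerable executable (`%PROGRAMFILES%\common files\acronis\syncagent\`) differ, yet Type is Sideloading, where the DLL is resolved from the loading executable's own directory; the two should name the same location, or the entry should be split so each location has the executable that loads from it. Second, the SHA256 listed under syncagentsrv.exe is, per the author's reply in this thread, a renamed PasswordChanger.exe (Active@ Password Changer, LSoft Technologies) rather than an Acronis binary, so `Vendor: Acronis`, the Acronis `Path` and that hash describe different files; either record the genuine Acronis syncagentsrv.exe hash alongside its real install path, or re-scope the entry to the executable the hash actually belongs to, with its vendor and the LSoft expected locations given in the reply. Finally, the second Resources link would be clearer with a note that it is the VirusTotal entry for the archive that contained the EXE/DLL pair, since that is not apparent from the URL.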
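The location question the owner raises above is mechanical enough to check automatically. The Python below is an added example, not HijackLibs tooling: it encodes this PR's qt5network.yml as a constructed dict (a YAML loader would yield the same structure) and flags a Sideloading entry whose ExpectedLocations do not match the directory of the vulnerable executable, plus any malformed SHA256 value. The function names `sideloading_issues` and `with_matching_location` are this example's own.

```python
import ntpath
import re

# Constructed sample mirroring the qt5network.yml in this PR (values as they
# appear in the diff); not the repository's own data file.
PR_ENTRY = {
    "Name": "qt5network.dll",
    "Vendor": "Acronis",
    "ExpectedLocations": [r"%PROGRAMFILES%\Acronis\CyberProtectHomeOffice"],
    "VulnerableExecutables": [
        {
            "Path": r"%PROGRAMFILES%\common files\acronis\syncagent\syncagentsrv.exe",
            "Type": "Sideloading",
            "SHA256": ["6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2"],
        }
    ],
}

_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def _norm_dir(path: str) -> str:
    """Case-fold and normalise a Windows directory path for comparison."""
    return ntpath.normpath(path).lower().rstrip("\\")


def sideloading_issues(entry: dict) -> list:
    """Return a list of findings; an empty list means the entry is consistent.

    For Type: Sideloading the DLL is resolved from the directory of the
    executable that loads it, so every Sideloading executable must sit in one
    of the ExpectedLocations, and every ExpectedLocations directory must hold
    at least one listed Sideloading executable.
    """
    findings = []
    expected = {_norm_dir(p) for p in entry.get("ExpectedLocations", [])}
    covered = set()
    for exe in entry.get("VulnerableExecutables", []):
        path = exe.get("Path", "")
        for digest in exe.get("SHA256", []):
            if not _SHA256.match(str(digest).lower()):
                findings.append(f"malformed SHA256 for {path!r}: {digest!r}")
        if exe.get("Type") != "Sideloading":
            continue
        exe_dir = _norm_dir(ntpath.dirname(path))
        if exe_dir in expected:
            covered.add(exe_dir)
        else:
            findings.append(
                f"{ntpath.basename(path)} is in {exe_dir!r}, "
                "which is not an ExpectedLocations entry"
            )
    for loc in sorted(expected - covered):
        findings.append(f"ExpectedLocations entry {loc!r} has no Sideloading executable in it")
    return findings


def with_matching_location(entry: dict) -> dict:
    """Copy of the entry with ExpectedLocations derived from the executables' directories."""
    fixed = dict(entry)
    fixed["ExpectedLocations"] = sorted(
        {
            ntpath.dirname(e["Path"])
            for e in entry["VulnerableExecutables"]
            if e.get("Type") == "Sideloading"
        }
    )
    return fixed


if __name__ == "__main__":
    for line in sideloading_issues(PR_ENTRY) or ["no issues"]:
        print(line)
```

Run against the PR's values it reports two findings (the executable's directory is not an expected location, and the expected location contains no loading executable); with ExpectedLocations regenerated from the executable paths it reports none. Whether the Acronis path or the LSoft path is the right one remains the reviewer's call, which is the open question in the thread.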