Potential Raspberry Robin Aclui Dll SideLoading

 1title: Potential Raspberry Robin Aclui Dll SideLoading
 2id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
 3status: test
 4description: |
 5        Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
 6references:
 7    - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
 8    - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
 9    - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
10    - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
11    - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
12author: Swachchhanda Shrawan Poudel
13date: 2024-07-31
14tags:
15    - attack.persistence
16    - attack.privilege-escalation
17    - attack.execution
18    - attack.stealth
19    - attack.t1574.001
20    - detection.emerging-threats
21logsource:
22    category: image_load
23    product: windows
24detection:
25    selection:
26        Image|endswith: '\OleView.exe'
27        ImageLoaded|endswith: '\aclui.dll'
28    filter_main_legit_oleview_paths:
29        Image|startswith:
30            - 'C:\Program Files (x86)\Windows Kits\'
31            - 'C:\Program Files\Microsoft SDKs\'
32    filter_optional_known_oleview_paths:
33        Image|contains: '\Windows Resource Kit\'
34    filter_main_is_signed:
35        Signed: 'true'
36    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
37falsepositives:
38    - Unknown
39level: high

References

• Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research

  

  Key Findings Introduction Raspberry Robin is a widely distributed worm first reported by Red Canary in 2021. Its capabilities and evasions in addition to its very active distribution made it one of the most intriguing malware out there. We at Check Point Research published an article a couple of months ago using Raspberry Robin as an example […]

  
  Read More

• Evading EDR by DLL Sideloading in C#

  

  The blog post accompanies my public conference talks on this topic. Slides are available at the bottom. One thing I learned from doing this talk is that a surprisingly high number of InfoSec professionals believe that bypassing EDR is not possible or is an exception. It should be more common knowledge that security tools can

  
  Read More

• Hitching a ride with Mustang Panda

  

  APT Campaign Targets Myanmar Government

  
  Read More

• Beyond good ol’ Run key, Part 36

  Last Updated 2023-02-25 Added xdbg32 from Trend Micro article. Last Updated 2019-09-20 A few more updates thanks to @bartblaze !!! Last Updated 2018-10-18 Updated mistake in tplcdclr.exe –> wtsapi3...

  
  Read More

• aclui.dll | Security Descriptor Editor

  What is aclui.dll?

  
  Read More

Related rules

• APT27 - Emissary Panda Activity
• DLL Names Used By SVR For GraphicalProton Backdoor
• Diamond Sleet APT DLL Sideloading Indicators
• Lazarus APT DLL Sideloading Activity
• Pingback Backdoor Activity