Potential Raspberry Robin Aclui Dll SideLoading

 1title: Potential Raspberry Robin Aclui Dll SideLoading
 2id: 0f3a9db2-c17a-480e-a723-d1f1c547ab6a
 3status: test
 4description: |
 5        Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.
 6references:
 7    - https://research.checkpoint.com/2024/raspberry-robin-keeps-riding-the-wave-of-endless-1-days/
 8    - https://globetech.biz/index.php/2023/05/19/evading-edr-by-dll-sideloading-in-csharp/
 9    - https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
10    - https://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
11    - https://strontic.github.io/xcyclopedia/library/aclui.dll-F883E9CA757B622B032FDCA5BF33D0DF.html
12author: Swachchhanda Shrawan Poudel
13date: 2024-07-31
14tags:
15    - attack.defense-evasion
16    - attack.privilege-escalation
17    - attack.t1574.001
18    - detection.emerging-threats
19logsource:
20    category: image_load
21    product: windows
22detection:
23    selection:
24        Image|endswith: '\OleView.exe'
25        ImageLoaded|endswith: '\aclui.dll'
26    filter_main_legit_oleview_paths:
27        Image|startswith:
28            - 'C:\Program Files (x86)\Windows Kits\'
29            - 'C:\Program Files\Microsoft SDKs\'
30    filter_optional_known_oleview_paths:
31        Image|contains: '\Windows Resource Kit\'
32    filter_main_is_signed:
33        Signed: 'true'
34    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
35falsepositives:
36    - Unknown
37level: high

References

• Raspberry Robin Keeps Riding the Wave of Endless 1-Days - Check Point Research

  

  Key Findings Introduction Raspberry Robin is a widely distributed worm first reported by Red Canary in 2021. Its capabilities and evasions in addition to its very active distribution made it one of the most intriguing malware out there. We at Check Point Research published an article a couple of months ago using Raspberry Robin as an example […]

  
  Read More

• Evading EDR by DLL Sideloading in C#

  

  The blog post accompanies my public conference talks on this topic. Slides are available at the bottom. One thing I learned from doing this talk is that a surprisingly high number of InfoSec professionals believe that bypassing EDR is not possible or is an exception. It should be more common knowledge that security tools can

  
  Read More

• Hitching a ride with Mustang Panda - Avast Threat Labs

  

  Avast discovered a distribution point where a malware toolset is hosted, but also serves as temporary storage for the gigabytes of data being exfiltrated on a daily basis, including documents, recordings, and webmail dumps including scans of passports from Asian, American and European citizens and diplomats applying for Burmese visas, from Burmese human rights activists […]

  
  Read More

• Beyond good ol’ Run key, Part 36

  Last Updated 2023-02-25 Added xdbg32 from Trend Micro article. Last Updated 2019-09-20 A few more updates thanks to @bartblaze !!! Last Updated 2018-10-18 Updated mistake in tplcdclr.exe –> wtsapi3...

  
  Read More

• aclui.dll | Security Descriptor Editor

  What is aclui.dll?

  
  Read More

Related rules

• Lazarus APT DLL Sideloading Activity
• APT27 - Emissary Panda Activity
• Creation Of Non-Existent System DLL
• DLL Names Used By SVR For GraphicalProton Backdoor
• DLL Search Order Hijackig Via Additional Space in Path