Potential Rcdll.DLL Sideloading

 1title: Potential Rcdll.DLL Sideloading
 2id: 6e78b74f-c762-4800-82ad-f66787f10c8a
 3status: test
 4description: Detects potential DLL sideloading of rcdll.dll
 5references:
 6    - https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html
 7author: X__Junior (Nextron Systems)
 8date: 2023-03-13
 9modified: 2023-03-15
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1574.001
14logsource:
15    category: image_load
16    product: windows
17detection:
18    selection:
19        ImageLoaded|endswith: '\rcdll.dll'
20    filter:
21        ImageLoaded|startswith:
22            - 'C:\Program Files (x86)\Microsoft Visual Studio\'
23            - 'C:\Program Files (x86)\Windows Kits\'
24    condition: selection and not filter
25falsepositives:
26    - Unknown
27level: high

References

• Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting

  

  We detail the update that advanced persistent threat (APT) group Iron Tiger made on the custom malware family SysUpdate. In this version, we also found components that enable the malware to compromise Linux systems.

  
  Read More

Related rules

• Creation Of Non-Existent System DLL
• DLL Search Order Hijackig Via Additional Space in Path
• DLL Sideloading Of ShellChromeAPI.DLL
• Lazarus APT DLL Sideloading Activity
• Malicious DLL File Dropped in the Teams or OneDrive Folder