🎯 Basically, hackers used a trusted Microsoft file to sneak malware into Indian banks.
What Happened
A state-linked threat group has been discovered executing a sophisticated espionage operation against India's banking sector. This campaign cleverly utilizes a Microsoft-signed file to bypass security defenses, delivering a new variant of the LOTUSLITE backdoor through a technique known as DLL sideloading. This method exploits the inherent trust that operating systems place in legitimate executables.
How the Attack Works
The attack begins with a ZIP archive themed around India's banking and financial sector. Inside is a legitimate Microsoft executable named Microsoft_DNX.exe, a developer tool from the older ASP.NET Core ecosystem. Alongside it sits a malicious DLL designed to load as soon as the executable runs. Because the executable requests the DLL by name and performs no authenticity check on it, an attacker only needs to place a crafted DLL in the same directory as the legitimate executable for it to be loaded.
Who's Behind It
The Acronis Threat Research Unit (TRU) identified this LOTUSLITE variant during their monitoring of malware campaigns linked to geopolitical developments in the West Asian region. The Mustang Panda activity cluster, a China-linked advanced persistent threat (APT) group, is believed to be behind this operation, based on shared infrastructure and operational behaviors.
Tactics & Techniques
The attack employs DLL sideloading to leverage the operating system's trust in signed software. When the Microsoft_DNX.exe file runs, it dynamically loads the LOTUSLITE DLL, allowing the attacker to execute their code without raising alarms. The implant connects to a dynamic DNS-based command-and-control (C2) server over HTTPS, disguising its traffic as routine encrypted web communication.
Defensive Measures
Security teams are advised to monitor for unusual DLL loading patterns from legitimate Microsoft executables. Implementing application control policies that restrict DLL loading to verified file paths is crucial. Any signed executable that loads unverified DLLs from user-writable directories should be treated as suspicious. Endpoint detection tools focused on behavioral signals rather than file reputation alone are the most effective defense against this style of attack.
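The monitoring rule described above (a validly signed executable mapping an unsigned DLL from a user-writable directory) is straightforward to express over image-load telemetry. The following is an added example, not code from Acronis or the original article; the event fields are loosely modelled on Sysmon Event ID 7 (ImageLoad) but the records are constructed, the DLL file name is a placeholder rather than an indicator from the report, and the list of user-writable roots is an assumption to tune per environment.

```python
"""Flag DLL-sideloading-style image loads: a signed executable pulling an
unsigned DLL out of a user-writable directory.

Added example for the article's Defensive Measures section; the events
below are constructed and only loosely resemble Sysmon Event ID 7 fields.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed list of directories an ordinary user can write to (lower-cased,
# trailing backslash).  Tune this for your estate.
USER_WRITABLE_ROOTS = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\temp\\",
    "c:\\windows\\temp\\",
)


@dataclass(frozen=True)
class ImageLoad:
    image: str           # process executable that performed the load
    image_signed: bool   # executable's signature validated (Signed + SignatureStatus == Valid)
    image_signer: str    # subject of the executable's signing certificate
    loaded: str          # DLL that was mapped into the process
    loaded_signed: bool  # DLL's signature validated; False for unsigned or invalid


def is_user_writable(path: str) -> bool:
    """True when the path lives under one of the assumed user-writable roots."""
    p = path.lower()
    return any(p.startswith(root) for root in USER_WRITABLE_ROOTS)


def same_directory(a: str, b: str) -> bool:
    """True when both paths sit in the same folder (case-insensitive)."""
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """The article's rule: a signed executable loading an unsigned DLL from a
    user-writable location is treated as suspicious.  Co-location with the
    executable is not required here, because the loader's search path also
    covers the working directory; triage() records it as extra evidence."""
    if not ev.image_signed:
        return False          # unsigned parents are a different rule's problem
    if ev.loaded_signed:
        return False          # validly signed DLL: trust chain intact
    return is_user_writable(ev.loaded)


def triage(events):
    """Return (event, reason) pairs for every load that matches the rule."""
    hits = []
    for ev in events:
        if is_suspicious_sideload(ev):
            reason = "unsigned DLL loaded from user-writable directory"
            if same_directory(ev.image, ev.loaded):
                reason += "; DLL co-located with the signed executable"
            hits.append((ev, reason))
    return hits


# Constructed sample telemetry.  The first record mirrors the pattern the
# article describes: Microsoft_DNX.exe extracted from a ZIP into a user
# folder, loading a DLL by name from that same folder.  PLACEHOLDER_sideload.dll
# is a made-up name, not an indicator from the report.
DNX_DIR = "C:\\Users\\analyst\\Downloads\\BankCircular\\"
SAMPLE_EVENTS = [
    ImageLoad(DNX_DIR + "Microsoft_DNX.exe", True, "Microsoft Corporation",
              DNX_DIR + "PLACEHOLDER_sideload.dll", False),
    ImageLoad("C:\\Windows\\System32\\notepad.exe", True, "Microsoft Windows",
              "C:\\Windows\\System32\\kernel32.dll", True),
    # Unsigned plugin under Program Files: not user-writable, so this rule
    # stays quiet; application control is the right layer for it.
    ImageLoad("C:\\Program Files\\Vendor\\app.exe", True, "Vendor Ltd",
              "C:\\Program Files\\Vendor\\plugin.dll", False),
    # Unsigned executable loading an unsigned DLL: out of scope for this rule.
    ImageLoad("C:\\Users\\analyst\\AppData\\Local\\Temp\\tool.exe", False, "",
              "C:\\Users\\analyst\\AppData\\Local\\Temp\\helper.dll", False),
    # Signed vendor binary reaching into Temp for an unsigned DLL: flagged,
    # but without the co-location evidence.
    ImageLoad("C:\\Program Files\\Vendor\\app.exe", True, "Vendor Ltd",
              "C:\\Users\\analyst\\AppData\\Local\\Temp\\dropped.dll", False),
]


if __name__ == "__main__":
    for ev, reason in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {ev.image} -> {ev.loaded}: {reason}")
```

Two of the five constructed events fire: the Microsoft_DNX.exe load (with the co-location note) and the vendor binary pulling a DLL from Temp. The unsigned-plugin case under Program Files is deliberately left to application control rather than this rule, which is the division of labour the section above recommends: behavioural detection for signed binaries loading from writable locations, path-based allow-listing for everything else.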
Conclusion
This incident highlights the evolving tactics of threat actors and the need for enhanced vigilance within organizations, especially those in sensitive sectors like banking. As cyber threats become more sophisticated, understanding and mitigating these risks is essential for maintaining security.
🔒 Pro insight: The use of DLL sideloading with a trusted executable showcases an advanced tactic that bypasses traditional security measures.