Hackers whose activity resembles that of APT41 have been using a sophisticated technique known as “AppDomain Manager Injection” to target Asian military and government organizations.

Description

This stealthy .NET Framework technique leverages the AppDomainManager class to inject malicious code into .NET applications on Windows [3]. The technique has been known since 2017 [2] and is typically used in red team activities; it is rarely observed in real attacks [2], so defenders seldom monitor for it actively [2].

Recent attacks in Taiwan, the Philippines [3], and Vietnam have combined it with the GrimResource technique [3], which exploits an XSS vulnerability to run .NET code via the Microsoft Management Console (MMC) [3]. These attacks, possibly linked to the Chinese group APT41, aim to deploy a Cobalt Strike beacon for further malicious actions [3] and demonstrate a high level of technical expertise [3]. NTT’s Japan division has tracked attacks against Taiwanese government agencies [2], the Philippine military [2], and Vietnamese energy organizations that used Cobalt Strike beacons [2], suggesting the involvement of the Chinese state-sponsored threat group APT41 [2], although the reliability of this attribution is low [2].

AppDomain Manager Injection [1] [2] [3] is similar to standard DLL side-loading [1] [2] in that it uses DLL files to achieve malicious goals on compromised systems [2]. However, it leverages the .NET Framework’s AppDomainManager class to inject and execute malicious code [2], making it more sophisticated and versatile [2]. Attackers prepare a malicious DLL containing a class that inherits from AppDomainManager, together with a configuration file (exe.config) that redirects the loading of a legitimate assembly to the malicious DLL [2]. Unlike DLL side-loading [1] [2], the malicious DLL does not need to match the name of an existing DLL; it can simply be placed in the same directory as the target executable [2]. When the .NET application runs [2], the malicious DLL is loaded and its code executes within the context of the legitimate application [2]. Because execution appears to originate from a signed, legitimate executable [2], AppDomainManager Injection is harder to detect than DLL side-loading [2].
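As an added defensive example (not code from any of the cited articles), the following Python script parses a .NET application configuration file for the documented runtime elements that designate a custom AppDomainManager and flags the case the description above outlines: the named assembly sitting as a DLL beside the executable. The sample config, file names and the "Helper" assembly/type names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample <app>.exe.config that points the runtime at a custom
# AppDomainManager implemented in a DLL dropped next to the executable.
SAMPLE_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="Helper.Loader" />
  </runtime>
</configuration>"""


def _local(tag):
    """Strip any XML namespace prefix so matching works regardless of xmlns."""
    return tag.rsplit('}', 1)[-1]


def parse_appdomain_manager(config_text):
    """Return (assembly_simple_name, type_name) when the config designates an
    AppDomainManager, otherwise None. The simple name is the part of the fully
    qualified assembly string before the first comma."""
    root = ET.fromstring(config_text)
    asm = typ = None
    for el in root.iter():
        name = _local(el.tag)
        if name == 'appDomainManagerAssembly':
            asm = el.get('value', '').split(',')[0].strip()
        elif name == 'appDomainManagerType':
            typ = el.get('value', '').strip()
    if asm and typ:
        return asm, typ
    return None


def assess(config_name, config_text, dir_listing):
    """Flag a config that names an AppDomainManager assembly, and record whether
    a matching DLL is present in the same folder as the executable.
    dir_listing is the set of file names found in that folder."""
    found = parse_appdomain_manager(config_text)
    if not found:
        return {'config': config_name, 'suspicious': False}
    asm, typ = found
    present = f'{asm}.dll'.lower() in {n.lower() for n in dir_listing}
    return {'config': config_name, 'suspicious': True, 'assembly': asm,
            'type': typ, 'dll_beside_exe': present}


if __name__ == '__main__':
    listing = {'Updater.exe', 'Updater.exe.config', 'Helper.dll'}  # constructed
    print(assess('Updater.exe.config', SAMPLE_CONFIG, listing))
```

On a real host the same check would be run over every `*.exe.config` found beside a signed executable, since a legitimate application rarely needs a custom AppDomainManager.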

Conclusion

The use of AppDomain Manager Injection poses significant challenges for defenders in detecting and mitigating attacks. As this technique becomes more prevalent in malicious activities, organizations must enhance their cybersecurity measures to protect against such sophisticated threats. Future implications may include the need for improved detection capabilities and proactive defense strategies to counter the evolving tactics of threat actors.

References

[1] https://www.darkreading.com/application-security/hackers-use-rare-stealth-techniques-to-down-asian-military-govt-orgs
[2] https://www.prsol.cc/2024/08/25/hackers-now-use-appdomain-injection-to-drop-cobaltstrike-beacons/
[3] https://thenimblenerd.com/article/clever-chinese-hackers-appdomain-manager-injection-and-grimresource-attacks-strike-again/