A notorious cyber threat group known as Dropping Elephant has resurfaced with an enhanced attack strategy. The group is leveraging a China-themed document to deploy a remote access trojan (RAT) on targeted systems. This campaign marks an evolution in their tactics, aimed at evading detection tools and ensuring full system control.
Refined Attack Methods
The attack begins with a deceptive Windows shortcut file named GRES3001.lnk, masquerading as a PDF associated with an energy contract. Upon opening this file, a PowerShell script is executed, downloading additional malware from a server disguised as chinagreenenergy[.]org. The user is shown a decoy document, while malicious activities proceed in the background.
Researchers at Rapid7 noted that this campaign builds on previous methods used by Dropping Elephant, with similarities in malware delivery, command execution, and system control tactics. Their analysis confirmed that the group has refined their approach, maintaining their core techniques.
Persistent System Control
The attackers use a legitimate Microsoft binary, Fondue.exe, to load a malicious component disguised as APPWIZ.cpl. This component decrypts a file named editor.dat, loading the RAT directly into memory. This in-memory execution helps the malware evade traditional detection systems that rely on file scanning.
Once active, the RAT connects to a command-and-control server at gcl-power[.]org, maintaining communication every 10 seconds. It can execute commands, list files, capture screens, and transfer data, providing extensive control over the infected machine.
Advanced Evasion Techniques
To ensure persistence, the attack creates a scheduled task called GoogleErrorReport, running Fondue.exe every minute. This task ensures the RAT remains active, even after system reboots. The name is chosen to avoid suspicion by blending in with legitimate system activities.
Rapid7 highlighted the importance of monitoring for the GoogleErrorReport task running binaries from the C:UsersPublic directory. This is a key indicator of this campaign’s presence.
Additionally, the RAT employs complex evasion techniques, such as control-flow flattening, runtime API resolution, and disabling Windows security features. Communication with its server is encrypted, complicating traffic analysis for security professionals.
Future Considerations
Given the sophistication of Dropping Elephant’s latest tactics, cybersecurity teams are advised to focus on behavioral detection rather than relying on static indicators of compromise, which can change. Monitoring for unexpected system behaviors and memory-resident threats is crucial for defense.
As the threat landscape evolves, staying informed and vigilant is essential to protect against advanced persistent threats like Dropping Elephant. Continuous updates and proactive threat hunting are recommended strategies for security teams.
