A new cyberattack targeting German entities has recently been uncovered by Cyble Research and Intelligence Labs (CRIL). This attack leverages sophisticated techniques such as DLL Sideloading, DLL Proxying, and the Sliver implant to compromise systems. The attack uses these advanced methods to evade detection and establish a persistent foothold within the victim’s network.
The ongoing campaign, first detected by CRIL, employs a highly deceptive approach to infiltrate systems. It starts with a phishing email that contains an archive file. When opened, the archive, which appears to be harmless, contains several components designed to exploit the victim’s system. One of the most notable files is a shortcut (.LNK) file, which, when executed, opens a seemingly innocuous document titled “Homeoffice-Vereinbarung-2025.pdf” — a decoy remote work agreement. However, real damage occurs in the background.
Upon execution of the LNK file, the system runs a legitimate executable, wksprt.exe, which resides in the C:WindowsSystem32 directory. This executable performs DLL Sideloading, a technique that loads a malicious DLL file — IPHLPAPI.dll — into the system. Interestingly, this malicious DLL is designed to mimic a legitimate system file, increasing its chances of bypassing security measures.
The malicious DLL uses DLL Proxying to intercept function calls made by the executable and forward them to another legitimate DLL. This proxying technique allows the malicious DLL to remain undetected while executing harmful shellcode in the background. The shellcode, once executed, decrypts and runs the final payload: a Sliver implant, a popular open-source framework used for command-and-control operations in adversary emulation and Red Team exercises.
DLL Sideloading and DLL Proxying: The Infection Process
The attack starts when the victim extracts the archive file, which contains several files with names such as IPHLPAPI.dll, ccache.dat, and Homeoffice-Vereinbarung-2025.pdf.lnk. The files appear harmless at first glance, with the PDF document serving as the primary lure. However, once the LNK file is executed, it triggers a sequence of commands that copy wksprt.exe and other malicious files into specific system directories, including the hidden InteI folder under the %localappdata% path.
To ensure persistence, the wksprt.lnk shortcut is placed in the system’s Startup folder, making sure that the malware executes automatically when the system reboots. During this process, the malicious DLL file uses DLL Proxying to load another legitimate DLL, which then assists in reading the encrypted ccache.dat file containing the embedded shellcode.
Advanced Evasion Techniques
The DLL Sideloading and DLL Proxying techniques used in this attack are crucial for bypassing traditional detection mechanisms. The malicious IPHLPAPI.dll file is designed to look like a standard system file, making it harder for security tools to identify it as malicious. Additionally, by using DLL Proxying, the attackers can maintain the normal behavior of the infected application while running their malicious code in the background.
Once the ccache.dat file is read and decrypted, it reveals the shellcode, which, in turn, runs another decryption process to retrieve the actual payload. This multi-layered decryption makes it even harder for security solutions to detect the attack until it has already caused damage. The final payload is the Sliver implant, which establishes a communication channel with the attacker’s server, allowing them to execute further operations on the compromised system.
The Role of Sliver in the Attack
The Sliver implant, which is an open-source framework for Red Team operations, is used by the attackers to control the infected system. This framework allows for sophisticated remote control and monitoring of the compromised network. The implant can be used to execute a wide range of malicious activities, from stealing data to deploying additional malware.
Once the Sliver implant is active, it connects to remote servers, specifically:
- hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.html
- hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.php
These remote endpoints are used by the attackers to further exploit the victim’s system, facilitating the installation of additional malicious payloads or the exfiltration of sensitive data.
Potential Attribution
While the specifics of the attack are still under investigation, there are several indicators that suggest it could be the work of APT29, a well-known cyber threat group often associated with advanced persistent threats (APT). The use of DLL Sideloading, the deployment of Sliver, and the sophisticated nature of the attack are consistent with tactics previously observed in APT29 campaigns. However, the introduction of DLL Proxying is a new technique that hasn’t been seen in their previous operations, making definitive attribution challenging.
Implications for German Entities
The attack specifically targets organizations in Germany, as evidenced by the German-language lure document and the fact that the initial archive file was uploaded to VirusTotal from a location in Germany. The lure document, which masquerades as a Home Office Agreement, appears to be designed to exploit the growing trend of remote work in Germany, making it highly relevant to the country’s current workforce dynamics.
This cyberattack highlights the growing complexity of modern threats, particularly those targeting businesses and organizations with high-value data or critical infrastructure.
Recommendations and Mitigations
To protect against attacks like this, organizations should consider implementing the following measures:
- Strengthen email filtering systems to identify and block phishing emails that may contain malicious attachments.
- Use whitelisting to prevent unauthorized execution of suspicious files, such as LNK files or unauthorized DLLs.
- Deploy EDR solutions to detect and block DLL Sideloading and shellcode injection activities.
- Monitor outbound network traffic for unusual activity, such as unexpected connections to Sliver endpoints or other suspicious servers.
- Educate employees about the dangers of phishing and the importance of exercising caution when opening email attachments or links from unknown senders.
Conclusion
The Sliver implant campaign targeting German organizations demonstrates the increasing sophistication of cyber threats. By employing techniques such as DLL Sideloading and DLL Proxying, the attackers are able to bypass traditional security measures and establish persistent access to compromised systems. This multi-stage attack highlights the need for enhanced detection and defense strategies to counter increasingly complex threats.
