Blackwood APT Hackers Use DLL Loader to Escalate privilege & Install backdoor

The recent discovery of a new DLL loader associated with the notorious Blackwood APT group has sent shivers down the spines of cybersecurity professionals. 

This sophisticated malware, analyzed by SonicWall Capture Labs, targets unsuspecting users in Japan and China, aiming to escalate privileges and establish persistent backdoors for nefarious purposes. 

Unveiling the Loader’s Secrets

At first glance, the sample appears unassuming. It’s a 32-bit DLL devoid of obfuscation or encryption, seemingly lacking malicious intent. 


Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

However, a closer examination by researchers reveals its true nature. Strings like “GetCurrentProcessID,” “OpenProcess,” and “VirtualAlloc” hint at its ability to inject malicious code into legitimate processes, silently taking control. 

Additionally, file references like “333333333333333.txt” and “Update.ini” spark curiosity, hinting at potential download and configuration mechanisms.

Evasive Maneuvers: Thwarting Analysis

This loader isn’t easily fooled. It employs various anti-analysis techniques to impede the investigation. 

It meticulously checks for debuggers, processor features, and security settings, attempting to identify analysis environments. 

Additionally, locale checks serve as a final barrier, terminating the process if specific language settings are detected. 

These measures demonstrate the developer’s awareness of security tools and their intent to remain undetected.

Once deployed, the loader sheds its cloak and embarks on its malicious mission. 

To attempt privilege escalation, it leverages the CMSTPLUA interface, a legitimate Windows component. 

This bypasses User Account Control (UAC), a crucial security barrier, granting the malware elevated privileges and unrestricted access to the system.

The ultimate goal of this operation is to establish a persistent backdoor. While the specific details of the backdoor remain undisclosed, its purpose is clear: to facilitate remote communication, data exfiltration, and potentially even command and control capabilities. 

This grants the attackers a foothold within the victim’s system, enabling them to monitor communications, steal sensitive data, and potentially launch further attacks.

SonicWall releases MalAgent.Blackwood signature to detect and block the Blackwood DLL loader.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.