Sophos threat research director Gabor Szappanos said in a detailed blog post that the targets appeared to be non-governmental organisations in Myanmar (formerly Burma), adding that there was a suspicion that a group with Chinese connections was behind the attacks.
He explained DLL side-loading this way: "Side-loading is the use of a malicious DLL spoofing a legitimate one, relying on legitimate Windows executables to load and execute the malicious code."
Szappanos said while the technique was not novel, with its use being observed seven years ago, this particular payload had not been glimpsed by the company's researchers.
"The cases are connected by a common artifact: the program database path. All samples share a similar PDB path, with several of them containing the folder name 'KilllSomeOne'."
Szappanos said four different side-loading scenarios had been used by the same threat actor. Two delivered a payload carrying a simple shell, while the other two carried a more complex set of malware. He provided technical details of all four scenarios.
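The two artifacts the report leans on, a legitimate executable loading a spoofed DLL from its own directory and a shared PDB path, translate into simple hunting checks. The following is an added illustration, not code from Sophos or from the article; it assumes image-load telemetry shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed) and uses constructed sample events and a constructed byte blob in place of a real PE file.

```python
import ntpath

# Constructed sample image-load events in the shape of Sysmon Event ID 7
# (Image = loading process, ImageLoaded = DLL). Not data from the Sophos report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\upd\updater.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\upd\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendor_core.dll", "Signed": "true"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Names of Windows DLLs that legitimate executables import and that a side-loaded
# DLL would have to impersonate; illustrative list, extend it from your own baseline.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "msimg32.dll", "winmm.dll"}


def is_suspected_sideload(event):
    """True when a DLL bearing a system-DLL name is loaded from the loader's own
    (non-system) directory and carries no valid signature: the side-loading pattern."""
    exe, dll = event["Image"], event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    same_dir = dll_dir == ntpath.dirname(exe).lower()
    spoofs_name = ntpath.basename(dll).lower() in SYSTEM_DLL_NAMES
    unsigned = event.get("Signed", "false").lower() != "true"
    return same_dir and spoofs_name and unsigned


def flag_sideloads(events):
    return [e["ImageLoaded"] for e in events if is_suspected_sideload(e)]


def extract_pdb_path(data):
    """Pull the PDB path out of a PE's CodeView 'RSDS' debug record:
    'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    i = data.find(b"RSDS")
    if i < 0:
        return None
    start = i + 4 + 16 + 4
    end = data.find(b"\x00", start)
    return data[start:end].decode("latin-1") if end > start else None


# Constructed stand-in for a PE body; the folder name is the artifact the report describes.
SAMPLE_PE = (b"MZ" + bytes(60) + b"RSDS" + bytes(16) + b"\x01\x00\x00\x00"
             + b"D:\\proj\\KilllSomeOne\\loader.pdb\x00")


def has_marker_pdb(data, marker="KilllSomeOne"):
    path = extract_pdb_path(data)
    return path is not None and marker in path
```

On real telemetry the first check is a triage filter, not a verdict: a vendor shipping an unsigned copy of a system-named DLL next to its binary will trip it too, so confirm against a known-good baseline before acting.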
"The types of perpetrators behind targeted attacks in general are not a homogeneous pool," Szappanos commented. "They come with very different skillsets and capabilities. Some of them are highly skilled, while others don’t have skills that exceed the level of average cyber criminals.
"The group responsible for the attacks we investigated in this report don’t clearly fall on either end of the spectrum. They moved to more simple implementations in coding — especially in encrypting the payload — and the messages hidden in their samples are on the level of script kiddies. On the other hand, the targeting and deployment is that of a serious APT group.
"Based on our analysis, it’s not clear whether this group will go back to more traditional implants like PlugX or keep going with their own code. We will continue to monitor their activity to track their further evolution."