
Azure Functions in the Spotlight: Legitimate Libraries Used for DLL Sideloading

Redazione RHC : 18 September 2025 07:50

A malicious ISO image named Servicenow-BNM-Verify.iso has been identified on VirusTotal, submitted from Malaysia, with virtually no detections. The image contains four files, two visible and two hidden, a layout that suggests packaging designed to deceive superficial analysis.

Among the visible files, a Windows shortcut named servicenow-bnm-verify.lnk runs PanGpHip.exe, a legitimate executable produced by Palo Alto Networks. Although the shortcut’s target path points to a directory that does not exist on victim machines, the LNK file resolves to its own directory, so PanGpHip.exe runs every time the ISO is mounted.

DLL sideloading is a technique in which a legitimate program unknowingly loads a malicious library (DLL) instead of the genuine one. It works because Windows, when resolving a requested DLL, searches certain folders first (notably the program’s own directory), which lets the malware “disguise” itself as a legitimate file.
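The loading pattern described above (a signed executable running outside its normal install location pulls an unsigned DLL from its own directory) is visible in Sysmon Event ID 7 (ImageLoad) telemetry. The following detection helper is an added example, not code from the original article or from any vendor; the events are constructed in-memory records that mirror Sysmon's `Image`, `ImageLoaded` and `Signed` fields, and the trusted-root list and the vendor path `C:\Program Files\ExampleVendor` are assumptions.

```python
"""Flag DLL side-loading candidates in Sysmon-style ImageLoad (Event ID 7) records.

Heuristic: the loaded DLL sits in the same directory as the loading process image,
that directory is outside the normal program roots (e.g. a mounted ISO or a user
folder), and the DLL carries no valid signature.
"""
from pathlib import PureWindowsPath

# Directories where same-directory DLL loads are expected (assumed baseline).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Constructed sample events; E: stands in for a mounted ISO volume.
SAMPLE_EVENTS = [
    {   # signed vendor binary launched from the ISO loads an unsigned DLL next to it
        "EventID": 7,
        "Image": r"E:\PanGpHip.exe",
        "ImageLoaded": r"E:\libwaapi.dll",
        "Signed": "false",
        "SignatureStatus": "Unavailable",
    },
    {   # the same process loading a system DLL from System32: expected
        "EventID": 7,
        "Image": r"E:\PanGpHip.exe",
        "ImageLoaded": r"C:\Windows\System32\chakra.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # a properly installed product loading its own signed component: expected
        "EventID": 7,
        "Image": r"C:\Program Files\ExampleVendor\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleVendor\helper.dll",
        "Signed": "true",
        "SignatureStatus": "Valid",
    },
    {   # a process-creation event, not an image load: ignored
        "EventID": 1,
        "Image": r"E:\PanGpHip.exe",
    },
]


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path (drive root becomes e.g. 'e:\\')."""
    return str(PureWindowsPath(path).parent).lower()


def under_trusted_root(directory: str) -> bool:
    """True when the directory is one of the trusted roots or lies beneath one."""
    d = directory.lower()
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> bool:
    """Apply the three-part heuristic to one ImageLoad record."""
    if event.get("EventID") != 7:
        return False
    image_dir = parent_dir(event.get("Image", ""))
    dll_dir = parent_dir(event.get("ImageLoaded", ""))
    same_dir = image_dir == dll_dir
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_dir and unsigned and not under_trusted_root(dll_dir)


def scan(events) -> list:
    """Return (process image, loaded DLL) pairs that match the heuristic."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for image, dll in scan(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {image} loaded {dll}")
```

Only the first record is reported: the System32 load and the signed load from a proper install location are the normal cases the heuristic is designed to leave alone. In production the same logic would run over the Sysmon event stream rather than a list of dictionaries, and the trusted-root list should match the organisation's own software baseline.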

Two libraries were found inside the ISO: a genuine OpenSSL library, libeay32.dll, and a malicious library, libwaapi.dll. The latter is sideloaded by the Palo Alto executable and is the core of the attack.

Libwaapi.dll exports a single function with real code, wa_api_setup, which begins its workflow by hiding the console window via the Windows GUI API.

The routine checks for a mutex named 47c32025. If it is absent, an internal function (renamed fn_payload_injection by the analysts) is called to inject the payload into memory.

The injection function computes the SHA-256 hash of the string “rdfY*&689uuaijs” and uses the result as the RC4 key to deobfuscate the string “chakra.dll”. It then loads that legitimate Windows DLL from C:\Windows\System32, locates its first executable section, makes it writable, zeroes its contents, and base64-decodes a hidden payload stored in libwaapi.dll’s .data section.

After decryption with RC4, the payload’s integrity is checked using an encoded SHA-256 value; if successful, memory permissions are restored and execution switches to the injected payload.
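For an analyst who wants to reproduce the unpacking chain described in the two paragraphs above (SHA-256 of a fixed string as the RC4 key, base64-wrapped ciphertext, SHA-256 integrity check on the plaintext) without running the sample, the following Python helper is an added example, not code from the original article or from the malware. The key string is the one named in the write-up; the packed sample blob is constructed here with the same scheme so the script runs offline, and the `pack_payload` function exists only to build that sample.

```python
"""Replicate the described string-deobfuscation and payload-unpacking chain."""
import base64
import hashlib
from typing import Optional, Tuple

KEY_SEED = b"rdfY*&689uuaijs"  # string named in the analysis; SHA-256 of it is the RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_key(seed: bytes = KEY_SEED) -> bytes:
    """The loader's key derivation: raw 32-byte SHA-256 digest of the seed string."""
    return hashlib.sha256(seed).digest()


def decode_string(blob: bytes) -> str:
    """Recover an RC4-obfuscated string such as the DLL name the loader resolves."""
    return rc4(derive_key(), blob).decode()


def unpack_payload(b64_blob: bytes, expected_sha256: str) -> Optional[bytes]:
    """Mirror the loader: base64-decode, RC4-decrypt, then verify SHA-256.

    Returns the plaintext, or None when the integrity check fails (the loader
    would not transfer execution in that case).
    """
    plaintext = rc4(derive_key(), base64.b64decode(b64_blob))
    if hashlib.sha256(plaintext).hexdigest() != expected_sha256:
        return None
    return plaintext


def pack_payload(plaintext: bytes) -> Tuple[bytes, str]:
    """Inverse of unpack_payload; used only to build the constructed sample below."""
    packed = base64.b64encode(rc4(derive_key(), plaintext))
    return packed, hashlib.sha256(plaintext).hexdigest()


# Constructed sample data: a harmless stand-in for the stage-2 blob, not real malware.
SAMPLE_PLAINTEXT = b"constructed stand-in for the stage-2 DLL bytes"
SAMPLE_B64, SAMPLE_HASH = pack_payload(SAMPLE_PLAINTEXT)
OBFUSCATED_NAME = rc4(derive_key(), b"chakra.dll")

if __name__ == "__main__":
    print("resolved DLL name:", decode_string(OBFUSCATED_NAME))
    print("payload recovered:", unpack_payload(SAMPLE_B64, SAMPLE_HASH) == SAMPLE_PLAINTEXT)
    print("tampered blob rejected:", unpack_payload(b"AAAA", SAMPLE_HASH) is None)
```

Because RC4 is symmetric, the same routine that unpacks the blob also packs the sample, which is why a single `rc4` function serves both directions. When triaging a real sample, the inputs would be the base64 text carved from the .data section and the encoded SHA-256 value the loader compares against; a mismatch means either the wrong key seed or a damaged blob.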

The injected shellcode decompresses an embedded DLL using RtlDecompressBuffer with the LZNT1 algorithm at its maximum compression setting. The resulting DLL carries a fabricated timestamp of May 5, 1984, and implements the malicious behavior in its DllUnload export. Initial analysis indicates that the module unhooks itself to evade detection.

The final payload enters a loop that transmits victim data to logsapi.azurewebsites[.]net/api/logs, using Azure Functions as a command-and-control backend. It sends an XML-formatted payload containing system metadata such as architecture, uptime, OS build, computer and user names, running processes, and other details. Although the data is encrypted before transmission, it can be captured in plaintext before the encryption step, revealing the operator’s intent to carefully profile compromised hosts while abusing a scalable, event-driven serverless environment.
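The loop described above, a host repeatedly POSTing to a function-app endpoint, is the network-side behaviour a defender can hunt for in proxy or firewall logs, since legitimate traffic to a given `*.azurewebsites.net` endpoint is rarely both POST-only and evenly spaced. The following beacon-detection helper is an added example, not code from the original article; the log format and the lines themselves are constructed (the only real value is the destination named in the write-up), and the thresholds of four events and a 20% coefficient of variation are assumptions to tune locally.

```python
"""Spot periodic POST traffic to Azure Functions hosts in constructed proxy logs."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format: <ISO timestamp> <client IP> <method> <URL> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(\S*) (\d{3})")

SAMPLE_LOG = """
2025-09-18T07:50:00Z 10.0.0.5 POST https://logsapi.azurewebsites.net/api/logs 200
2025-09-18T07:50:03Z 10.0.0.5 GET https://www.microsoft.com/ 200
2025-09-18T07:51:00Z 10.0.0.5 POST https://logsapi.azurewebsites.net/api/logs 200
2025-09-18T07:52:00Z 10.0.0.5 POST https://logsapi.azurewebsites.net/api/logs 200
2025-09-18T07:53:00Z 10.0.0.5 POST https://logsapi.azurewebsites.net/api/logs 200
2025-09-18T07:54:00Z 10.0.0.5 POST https://logsapi.azurewebsites.net/api/logs 200
2025-09-18T08:00:00Z 10.0.0.9 POST https://intranet-app.azurewebsites.net/api/save 200
2025-09-18T08:00:07Z 10.0.0.9 POST https://intranet-app.azurewebsites.net/api/save 200
2025-09-18T08:31:00Z 10.0.0.9 POST https://intranet-app.azurewebsites.net/api/save 200
2025-09-18T09:05:00Z 10.0.0.9 POST https://intranet-app.azurewebsites.net/api/save 200
not a log line
""".strip().splitlines()


def parse(line: str):
    """Parse one line into a record, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, host, path, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client,
        "method": method,
        "host": host,
        "path": path,
        "status": int(status),
    }


def periodic(timestamps, min_events: int = 4, max_cv: float = 0.2) -> bool:
    """True when gaps between events are regular: stdev/mean of the gaps <= max_cv."""
    if len(timestamps) < min_events:
        return False
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def find_beacons(lines, host_suffix: str = ".azurewebsites.net") -> list:
    """Return (client, endpoint) pairs whose POSTs to the suffix look periodic."""
    series = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["host"].endswith(host_suffix):
            series[(rec["client"], rec["host"] + rec["path"])].append(rec["ts"])
    return sorted(key for key, stamps in series.items() if periodic(stamps))


if __name__ == "__main__":
    for client, endpoint in find_beacons(SAMPLE_LOG):
        print(f"periodic POSTs from {client} to {endpoint}")
```

The 10.0.0.5 series is reported because its five POSTs are exactly sixty seconds apart; the 10.0.0.9 series, four POSTs at irregular intervals to a hypothetical internal function app, is not. The host suffix is a parameter because the same logic applies to any serverless or CDN domain an organisation does not want to block outright, and the regularity test deliberately ignores status codes and payload size so that an encrypted body does not hide the pattern.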

One indication that this is part of a wider campaign, according to the researcher’s report, is the appearance on VirusTotal of a similar DLL submitted from Singapore on September 5, 2025. Deobfuscation is ongoing and aims to reveal further capabilities of the payload; follow-up analysis will examine the persistence mechanisms and lateral movement routines of this sophisticated infrastructure backed by Azure Functions.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
