Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking)

Caution is advised, as an Infostealer that relies on the execution of legitimate EXE files is actively being distributed.

The threat actor distributes an archive containing a legitimate EXE file with a valid signature together with a malicious DLL in the same directory. The EXE file itself is legitimate, but when executed from the directory containing the malicious DLL, it automatically loads and runs that DLL. This technique is called DLL hijacking and is often used in the distribution of malware.

The distribution of malware disguised as cracks and keygens for commercial software has also increased the number of samples using the DLL hijacking method. The distribution began in earnest around last May and has continued to spread actively from August to the present.

When searching for various cracked commercial software on search engines, malicious sites appear at the top, and clicking the Download button on these sites leads to various redirections before arriving at the ultimate distribution site. The downloaded file is an encrypted compressed RAR file, and the password is provided in the file name or on the distribution page. When this file is decompressed and the legitimate EXE file contained within is executed, the system becomes infected by the malware. The EXE files are mostly named setup.exe or Installer.exe and have valid signatures since most of them are the executable files of well-known software.

Figure 1. Webpages distributing the malware

The malicious DLL files are created by modifying a segment of legitimate DLL files. The modified code reads a specific data file in the same directory, decrypts it, then executes it. If the entire malware were contained within the DLL files, the appearance of the files would be significantly altered, making them easier to detect. It is therefore suspected that this method is used so that malicious behavior can be performed while altering only the bare minimum of the original DLL files.

Figure 2. Similarity comparison between original DLL and malicious DLL

Ultimately, the data file, legitimate EXE file, and modified malicious DLL must all be located in the same directory for the malware to function. The data file is disguised as a PNG image file. The modified area of the malicious DLLs includes the end part of a certain function that must be executed in the EntryPoint execution flow, along with some code and data areas. All the code is encrypted and executed after being decrypted in the memory in order to evade code pattern detection. After execution, the malware has been observed to delete the malicious DLLs in order to erase traces.

The execution process of the malware is explained using the recently distributed sample below.

Legitimate EXE: e634616d3b445fc1cd55ee79cf5326ea (vlc.exe)
Malicious DLL: 58ea42289ae52e82ffcfa20071c32d7a (libvlccore.dll)
Final malware: LummaC2 Stealer
C2: hxxp://hokagef[.]fun/api
Table 1. Sample information of example

Decompressing the password-protected compressed file downloaded from the distribution site using the password specified in the file name (“2023”) creates the following files.

Figure 3. Files inside the compressed file

“Setup.exe” and “libvlc.dll” are legitimate components of the well-known software “VLC Media Player” and are valid files with legitimate signatures. The “libvlccore.dll” file is the modified malicious DLL; its signature no longer verifies because a portion of the file was modified. Directories such as demux and lua are included to make the package look legitimate but are unrelated to the actual execution of the malware.

Figure 4. Properties of the legitimate EXE
Figure 5. Properties of the malicious DLL

When the “Setup.exe” file is executed, the malicious DLL “libvlccore.dll” is automatically run. The end part of a certain function within the DLL EntryPoint execution flow has been modified in the malicious DLL. Consequently, the DLL EntryPoint is triggered upon loading the DLL, ultimately causing the execution of the code modified by the threat actor.

Figure 6. Left: Original DLL / Right: Malicious DLL with modified code

This code locates the “ironwork.tiff” file in the same directory, reads and decrypts it, then executes the result. The file is a data file containing the code to be executed later. It begins with a PNG file header, but from the middle of the file onward it is filled with encrypted malicious data.

Figure 7. Structure of the “ironwork.tiff” data file
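As an added illustration (not code from the ASEC post), the following Python checks whether a file that starts with a PNG signature actually has a complete PNG chunk structure. This is one way to spot a data file like the one in Figure 7: the signature is present, but the chunk list breaks at the offset where the encrypted payload begins. The two sample files are constructed here for the demonstration and are not files from the campaign.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_chunk_walk(data: bytes):
    """Walk the chunk list of a PNG. Returns (well_formed, bytes_consumed, reason).

    A real PNG is the 8-byte signature followed by length/type/data/CRC chunks
    ending with IEND. A file that only borrows the signature breaks this
    structure at the offset where the foreign data begins."""
    if not data.startswith(PNG_SIGNATURE):
        return False, 0, "missing PNG signature"
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if not all(65 <= c <= 90 or 97 <= c <= 122 for c in ctype):
            return False, pos, "invalid chunk type at offset %d" % pos
        end = pos + 12 + length
        if end > len(data):
            return False, pos, "chunk %s overruns file" % ctype.decode()
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, pos, "CRC mismatch in chunk %s" % ctype.decode()
        pos = end
        if ctype == b"IEND":
            return True, pos, "ok"
    return False, pos, "truncated before IEND"


def trailing_bytes(data: bytes) -> int:
    """Bytes the PNG structure does not account for (0 for a clean file)."""
    _, consumed, _ = png_chunk_walk(data)
    return len(data) - consumed


# Constructed samples (not files from the campaign): a minimal valid 1x1 PNG,
# and a look-alike that keeps the signature and IHDR but then carries an opaque
# blob standing in for the encrypted code described in the post.
IHDR = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
CLEAN_PNG = PNG_SIGNATURE + IHDR + IDAT + _chunk(b"IEND", b"")
FAKE_PNG = PNG_SIGNATURE + IHDR + bytes(range(256)) * 8
```

A large non-zero `trailing_bytes` result on a file with an image extension is a triage signal worth pairing with the directory layout described above (signed EXE, modified DLL, data file side by side), not a verdict on its own.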

The decrypted code loads “pla.dll” from the system directory (SysWow64), writes the decrypted payload into the code region of that DLL’s memory, and then branches to it. This differs from the approach used by most malware, which allocates new virtual memory to hold the injected code.

The APIs used in the subsequent step are obtained through an NTDLL relocation technique. The injection into “cmd.exe” also deviates from the typical code injection method: instead of injecting code directly into the target process, the malware loads “pla.dll” into the target process (DLL injection) and then writes the malware into the code region of that DLL.

Figure 8. Modified code area of pla.dll that was loaded into cmd.exe

At this point, the necessary data file for malicious behaviors is written to the %TEMP% path. This file path is registered as a certain environment variable and inherited by the child process, which is “cmd.exe”.

Figure 9. Data file path and environment variable

The EntryPoint of cmd.exe is redirected to the code region of “pla.dll”. This code decrypts the file located at the path registered in the environment variable, producing the LummaC2 malware binary. It then launches “explorer.exe” and injects the binary into it for execution.

  • LummaC2 malware binary: 1d1ef4a4155edb56e8f3c8587fde8df0

The overall process tree structure is as follows.

Figure 10. Process tree of malware execution

LummaC2 is an Infostealer that can designate targets and install additional malware based on the responses it receives from its C2 server. It is capable of exfiltrating various sensitive data, including cryptocurrency wallets, information saved on browsers, information from applications like Steam, email client data, specific files in certain folders with particular extensions, and more.

The C2’s responses consist of data and an XOR key; once decrypted, they take the form of JSON data, as shown below. Responses from the C2 change periodically, and the malware’s behavior varies accordingly.

Figure 11. C2 response data of LummaC2

This distribution method infects systems via the execution of legitimate EXE files that belong to well-known software. The malicious DLLs closely resemble the original DLLs in appearance, making them different from simple EXE-based malware. Consequently, the initial detection rates by anti-malware vendors are considerably low, underscoring the need for caution from users.

Meanwhile, ASEC is actively monitoring and responding to this type of distributed malware using its automatic collection system and is responding quickly to variations that occur.

Figure 12. Information from VirusTotal

Aside from the example given in this post, various legitimate files and DLLs have also been abused. Information regarding the legitimate EXE and malicious DLL files used for distribution is as follows.

[IOC Information]

Table 2. IOC information

C2


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.


[…] post Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) appeared first on ASEC […]

trackback

[…] Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report. […]


trackback

[…] Operating EXE infects the system, they usually usually have legitimate signatures, so at all times be cautious with cracked software program, reads the ASEC report. […]


Ashish shivhare
5 months ago

I am freelance researcher

trackback

[…] Warning Against Infostealer Infections Upon Executing Legitimate EXE Files (DLL Hijacking) […]

trackback

[…] as an installer, which is identical to the past case of LummaC2 Infostealer being distributed. [7] The “Set-up.exe” file that will generally be run by the user is Edge’s […]