MemFun

They used Windows Management Instrumentation (WMI) and native Windows .NET commands to spread malware to domain controllers, web servers, IT workstations, and executive systems

The cybersecurity vendor said it detected the intrusion set after identifying suspicious PowerShell execution, allowing the script to enter into a sleep state for six hours and then create reverse shells to a threat actor-controlled command-and-control (C2) server.

The campaign leveraged Windows Management Instrumentation (WMI) and native Windows .NET commands to deploy malware across critical infrastructure, including domain controllers, web servers, IT workstations, and executive systems.

performed DLL hijacking by placing malicious DLL files inside the system32 directory, registering them through legitimate Windows services to blend in.

Attackers created new Windows services

The cyber spies maintained persistence on an unmanaged endpoint, using scripts to create reverse shells to multiple C2 servers.

MemFun is launched by means of a multi-stage chain: an initial loader injects shellcode responsible for launching an in-memory downloader... Subsequently, it injects the main payload into the memory of a suspended process associated with "dllhost.exe" using a technique referred to as process hollowing.

MemFun used timestomping, process hollowing into dllhost.exe, and reflective DLL loading to stay hidden

The downloader performs token impersonation to steal and impersonate logged-on user credentials, allowing it to inherit user proxy settings and bypass network restrictions

Attackers created new Windows services

The cyber spies maintained persistence on an unmanaged endpoint, using scripts to create reverse shells to multiple C2 servers.

MemFun is launched by means of a multi-stage chain: an initial loader injects shellcode responsible for launching an in-memory downloader... Subsequently, it injects the main payload into the memory of a suspended process associated with "dllhost.exe" using a technique referred to as process hollowing.

MemFun used timestomping, process hollowing into dllhost.exe, and reflective DLL loading to stay hidden

It runs entirely in memory, using process hollowing, reflective DLL loading, and anti-forensic techniques like timestomping and memory zeroing.

MemFun used timestomping, process hollowing into dllhost.exe, and reflective DLL loading to stay hidden

The downloader performs token impersonation to steal and impersonate logged-on user credentials, allowing it to inherit user proxy settings and bypass network restrictions

It launches dllhost.exe in a suspended state and decrypts an embedded shellcode payload using the XOR key 0x25.

To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.

performed DLL hijacking by placing malicious DLL files inside the system32 directory, registering them through legitimate Windows services to blend in.

MemFun used timestomping, process hollowing into dllhost.exe, and reflective DLL loading to stay hidden

The MemFun in-memory downloader initializes with multiple evasion techniques, including the creation of a mutex named GOOGLE and anti-debug measures to evade analysis.

To bypass automated security systems, some of the malware variants employ sandbox evasion tactics at runtime. These variants trigger delayed execution through sleep timers of 30 seconds (EXE) and 120 seconds (DLL), effectively outlasting the typical monitoring windows of automated sandboxes.

The MemFun in-memory downloader initializes with multiple evasion techniques, including the creation of a mutex named GOOGLE and anti-debug measures to evade analysis.

They used a combination of Windows Management Instrumentation (WMI) and native Windows .NET commands to deploy malware to additional endpoints.

We observed highly selective searches for sensitive files related to: Official meeting records Joint military activities Detailed assessments of operational capabilities.

After gaining persistence, attackers collected highly sensitive files on military operations, organizational structure, and C4I systems.

running delayed execution scripts that connected back to multiple command-and-control (C2) servers.

They deployed two backdoors, AppleChris and MemFun, both using custom HTTP verbs and a dead drop resolver (DDR) via Pastebin to dynamically reach C2 servers.

They deployed two backdoors, AppleChris and MemFun, both using custom HTTP verbs and a dead drop resolver (DDR) via Pastebin to dynamically reach C2 servers.

which launched an in-memory downloader that fetched a final DLL payload from the C2 server.

the shellcode implements another anti-forensics measure: zeroing the first 4 KB of allocated memory, to erase DOS and PE headers. This makes the loaded module invisible to memory analysis tools that rely on header signatures.