Signed DLL campaigns as a service


By: Jason Reaves and Joshua Platt

Recently, an actor has begun embedding VBScript data at the end of Microsoft-signed DLLs in order to GPG-decrypt and then detonate payloads. While writing up our research, another article on this was released by CheckPoint[7][8], but we felt there are enough pieces from our own research that can add to the story.

This concept has been talked about before using various files and is normally referred to as ‘Polyglotting’, for example lnk files[…
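For defenders triaging signed DLLs for appended script data like that described above, the following added example (not the authors' tooling) measures bytes that sit past the PKCS#7 blob inside each certificate-table entry, or past the table itself. It assumes the appended data lands in one of those two places, which this page does not specify; `cert_table_slack` and `build_sample` are hypothetical names, and the sample file is constructed.

```python
import struct

def der_total_len(buf):
    """Length of the DER SEQUENCE at buf[0] (header + content), or None."""
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    if buf[1] < 0x80:
        return 2 + buf[1]
    n = buf[1] & 0x7F
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def cert_table_slack(pe):
    """Return (extra bytes inside WIN_CERTIFICATE entries, bytes after the table)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                      # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+
    off, size = struct.unpack_from("<II", pe, dirs + 4 * 8)  # entry 4: security dir (file offset)
    if off == 0 or size == 0:
        return None                          # unsigned
    slack, pos, end = [], off, min(off + size, len(pe))
    while pos + 8 <= end:
        dw_len = struct.unpack_from("<I", pe, pos)[0]
        if dw_len < 8:
            break
        body = pe[pos + 8:min(pos + dw_len, end)]
        used = der_total_len(body)
        # Assumption: anything past the PKCS#7 blob beyond 8-byte padding is foreign.
        if used is not None and len(body) - used > 7:
            slack.append(body[used:])
        pos += (dw_len + 7) & ~7
    return slack, pe[end:]

def build_sample(appended=b""):
    """Constructed input: PE32 header stub + one fake WIN_CERTIFICATE entry."""
    body = b"\x30\x82\x01\x00" + b"\xAA" * 256 + appended   # fake 260-byte DER blob
    body += b"\0" * (-(len(body) + 8) % 8)
    cert = struct.pack("<IHH", len(body) + 8, 0x0200, 0x0002) + body
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x10B)
    struct.pack_into("<II", hdr, 0x98 + 96 + 32, 0x200, len(cert))
    return bytes(hdr) + cert
```

The check does not validate the signature; it only reports bytes the certificate structures do not account for, which can then be inspected for script text.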
