Elastic Security Labs share details about the SADBRIDGE loader and GOSAR backdoor, malware used in campaigns targeting Chinese-speaking victims.

Introduction

Key takeaways

REF3864 Campaign Overview

SADBRIDGE Introduction

SADBRIDGE Code Analysis

MSI Analysis

x64bridge.dll Side-loading

HealthServiceRuntime.dll

DevQueryBroker.log

Stage 1 Injection (explorer.exe)

Stage 2 Injection (spoolsv.exe/lsass.exe)

DevQueryBrokerService.log

DevQueryBrokerPre.log

GOSAR Injection

GOSAR Introduction

GOSAR Code Analysis Overview

Code structure of GOSAR

New Additions to GOSAR

Communication and information gathering

Services

KeyLogger

ClipboardLogger

TickWriteFile

Networking setup

ConfigFirewallRule

ConfigHosts

ConfigAutoListener

Logs

Plugins

HVNC

Screenshot

Observation

New functionality

Malware and MITRE ATT\&CK

Tactics

Techniques

Mitigating REF3864

Detection

Prevention

YARA

Observations

References

Appendix

AV products checked in GOSAR 

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.

Google Chrome Cookie Security

STEALC/VIDAR

METASTEALER

PHEMEDRONE

XENOSTEALER

LUMMA

Cookies access by an unusual process

Chrome Browser Spawned from an Unusual Parent

Untrusted Binaries from Chrome Application folder

Unsigned DLLs loaded from google chrome application folder

Unsigned executable launched from google chrome application folder

Stealer Bypasses and MITRE ATT&CK

Katz and Mouse Game:  MaaS Infostealers Adapt to Patched Chrome Defenses

Author

Jia Yu Chan

Articles

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses