Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
PoC Report
DLL Hijack – PoC Report
Raytheon Blackbird Technologies, Inc.
18 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
1.0 (U) Analysis Summary
(U) The PlugX Remote Access Tool (RAT) contains functionality to perform a DLL Hijack
against a few targets. Further research into PlugX included the following additional EXEs that
unsafely load DLLs.
(U) Figure 1: Additional susceptible DLLs
(U) In each of these instances, the executable attempts to load a DLL after downloading without
verifying its integrity (e.g., via signing).
(U) Ultimately, we found the McAfee technique to be invalid for loading mcutil.dll. The
directories that contain mcutil.dll appear to have protection above the standard Windows Access
Control Lists (ACLs) that protect other directories. These additional protections prevent the
replacement of mcutil.dll. Even after lifting the filter on the directories, none of the executables
tested loaded mcvsmap.exe.
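The two conditions the report keeps returning to are whether a copy of the DLL is signed and whether its directory is writable by a low-privilege principal. The following PowerShell audit, added here and not part of the Raytheon report, enumerates every copy of a named DLL under the usual install roots and reports both; the search roots and the list of low-privilege principals are assumptions and can be adjusted.

```powershell
# Added audit example (not from the report): for every copy of a DLL name,
# report its Authenticode status and whether the containing directory grants
# write/delete rights to non-administrative principals.
param(
    [string]$DllName = 'mcutil.dll',   # the DLL named in the report
    [string[]]$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)',
                               'C:\Windows', 'C:\ProgramData')  # assumed roots
)

# Constructed list of principals an unprivileged interactive user belongs to.
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')

# Rights on a directory that allow replacing a file inside it.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Test-DirectoryWritableByLowPriv {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Composite rights such as Modify/FullControl include the masked bits.
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

$findings = foreach ($root in $SearchRoots) {
    Get-ChildItem -LiteralPath $root -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Path                 = $_.FullName
                SignatureStatus      = $sig.Status   # Valid, NotSigned, HashMismatch, ...
                Signer               = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                DirWritableByLowPriv = Test-DirectoryWritableByLowPriv -Path $_.DirectoryName
            }
        }
}

# Unsigned copies, or signed copies in a low-privilege-writable directory, are
# the ones to review and to watch for file-write and image-load events.
$findings | Sort-Object DirWritableByLowPriv -Descending | Format-Table -AutoSize
```

The script reads only the NTFS ACL, so the filter-level protection the report observed on the McAfee directories will not appear in its output; a directory can look writable here and still reject the replacement.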
(U) With respect to RASTLS.exe, we were not only unable to find a Symantec-attributed EXE
with this name, but we were unable to find any EXE on the system with this name. A DLL with
this name was found in the C:\Windows\SysWOW64 directory, but we are uncertain what its
purpose is.
(U) The latest Nvidia Graphics Driver was downloaded and extracted, but did not contain the
NvSmart.exe file.
2.0 (U) Description of the Technique
2.1 McAfee
(U) After running a search for the affected DLL (mcutil.dll), the following locations were
found to contain the file.