A wave of attacks that began in July 2024 relies on a less common technique called AppDomain Manager Injection, which can weaponize any Microsoft .NET application on Windows.

The technique has been around since 2017, and several proof-of-concept apps have been released over the years, but it is typically used in red team operations and is rarely seen in malicious attacks because defenders do not actively monitor it.

NTT’s Japanese office has tracked attacks that ended with the deployment of a CobaltStrike beacon targeting government agencies in Taiwan, the military in the Philippines and energy companies in Vietnam.

Tactics, techniques and procedures, as well as infrastructure overlaps with recent reports from AhnLab and other sources, suggest that the Chinese state-sponsored threat group APT 41 is behind the attacks, although this attribution is not very reliable.

AppDomain Manager Injection

Similar to traditional DLL side-loading, AppDomainManager injection uses DLL files to achieve malicious goals on infected systems.

However, AppDomainManager Injection uses the .NET Framework’s AppDomainManager class to inject and execute malicious code, making it more stealthy and versatile.

The attacker prepares a malicious DLL that contains a class inherited from the AppDomainManager class and a configuration file (exe.config) that redirects the loading of a legitimate assembly to the malicious DLL.

The attacker only needs to place the malicious DLL and configuration file in the same directory as the target executable and does not need to match the name of an existing DLL, as is the case with side-loading DLLs.

When the .NET application runs, the malicious DLL is loaded and its code is executed in the context of the legitimate application.

Unlike DLL sideloading, which is easier to detect by security software, AppDomainManager injection is harder to detect because the malicious behavior appears to come from a legitimate, signed executable.

GrimResource attacks

The attacks observed by NTT begin with the delivery of a ZIP archive to the target containing a malicious MSC (Microsoft Script Component) file.

When the target opens the file, malicious code is executed immediately, without any further user interaction or clicks, using a technique called GrimResource, which was detailed by Elastic’s security team in June.

GrimResource is a novel attack technique that exploits a cross-site scripting (XSS) vulnerability in Download Windows library for executing arbitrary code through the Microsoft Management Console (MMC) using specially crafted MSC files.

This technique allows attackers to execute malicious JavaScript, which in turn can execute .NET code using the DotNetToJScript method.

The MSC file in the recent attacks observed by NTT creates a exe.config File in the same directory as a legitimate, signed Microsoft executable file (e.g. Download).

This configuration file redirects the loading of certain assemblies to a malicious DLL that contains a class inherited from the .NET Framework’s AppDomainManager class and is loaded instead of the legitimate assembly.

Ultimately, this DLL executes malicious code in the context of the legitimate and signed Microsoft executable, completely evading detection and bypassing security measures.

The final phase of the attack involves loading a CobaltStrike beacon onto the machine, which the attacker can use to perform a wide range of malicious actions, including injecting additional payloads and lateral movement.

While it is not certain whether APT41 is responsible for the attacks, the combination of AppDomainManager Injection and GrimResource techniques suggests that the attackers have the technical know-how to combine new and lesser-known techniques in practice.