
Malware Report: GhostSpider

Learn about Chinese malware from the APT "Salt Typhoon"

WRAVEN Malware Report: GhostSpider

Overview

Malware Name: GhostSpider
Attribution: Salt Typhoon (Suspected APT Group)
Primary Target: Windows Systems
Analysis Date: 02/06/2025

Summary

GhostSpider is a Windows-based malware sample that appears to be part of an ongoing campaign by Salt Typhoon, an advanced persistent threat (APT) group. The malware was analyzed with Joe Sandbox, AnyRun, and VirusTotal, revealing indicators of DLL side-loading, sandbox evasion, process injection, and credential theft techniques.

The malware, disguised as WINMM.dll, attempts to load through legitimate Windows processes to evade detection and persist on infected systems. This report outlines its key functionalities, tactics, and indicators of compromise (IOCs).

Technical Analysis

General Information

Sample Name: WINMM.dll
MD5: 8bd8506f6b1a80eea68e877fa81e267c
SHA-1: b5367820cd32640a2d5e4c3a3c1ceedbbb715be2
SHA-256: fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5
File Type: PE32 DLL (32-bit)
File Size: 3,584 bytes

Step-by-Step Execution Breakdown

  1. Delivery & Execution: The malware (WINMM.dll) is placed in a location where it can be loaded by a legitimate Windows process, usually through DLL side-loading.

  2. Execution via rundll32.exe: The malware tricks Windows into executing it by using the rundll32.exe process, which is commonly used to run DLL files.

  3. Process Injection: Once running, the malware injects its code into other processes like loaddll32.exe and cmd.exe to blend in and avoid detection.

  4. Evasion Techniques: It checks if it's running in a sandbox or virtualized environment and may halt execution to avoid being analyzed.

  5. Credential Theft: The malware attempts to dump credentials from LSASS (Local Security Authority Subsystem Service), which stores user login information.

  6. Persistence: It sets up scheduled tasks or registry entries to ensure it runs even after a reboot.

  7. Potential Data Exfiltration: While no outbound connections were observed in this analysis, the malware likely has mechanisms for stealing data via alternative methods (e.g., removable media, Bluetooth).

Behavioral Analysis

Execution & Evasion

  • Executed via rundll32.exe (common in DLL side-loading attacks)

  • Process injection detected in loaddll32.exe, cmd.exe, and rundll32.exe

  • Virtualization and sandbox detection mechanisms prevent execution in controlled environments

  • OS Credential Dumping was attempted, targeting LSASS memory

Persistence Mechanisms

  • DLL Side-Loading: Exploits the way Windows loads DLLs, allowing it to run under trusted processes

  • Scheduled Task/Job Creation: Possible mechanism for long-term persistence

Network & Exfiltration

  • No direct outbound connections were observed in this analysis, but the malware is suspected to leverage alternate data transfer mechanisms

  • Potential for exfiltration over Bluetooth and removable media

MITRE ATT&CK Techniques Observed

  • Execution: Rundll32 Execution (T1218.011)

  • Persistence: DLL Side-Loading (T1574.002)

  • Defense Evasion: Virtualization/Sandbox Evasion (T1497)

  • Credential Access: LSASS Memory Dumping (T1003.001)

  • Discovery: Security Software Discovery (T1518.001)

  • Exfiltration: Junk Data Exfiltration (T1020)

Indicators of Compromise (IOCs)

File Hashes

SHA-256: fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5

SHA-1: b5367820cd32640a2d5e4c3a3c1ceedbbb715be2

MD5: 8bd8506f6b1a80eea68e877fa81e267c

Suspicious Processes

  • loaddll32.exe

  • rundll32.exe

  • cmd.exe

  • WerFault.exe (potential misuse for persistence)

Dropped Files

  • C:\ProgramData\Microsoft\Windows\WER\Temp\WER*.tmp.dmp

  • C:\Windows\appcompat\Programs\Amcache.hve

Recommendations

  1. Monitor for Side-Loading Behavior: Use behavioral monitoring tools to detect unauthorized DLL loads.

  2. Limit Rundll32 Usage: Block unnecessary execution of rundll32.exe from untrusted sources.

  3. Enhance Credential Protection: Implement LSASS protection mechanisms to prevent memory dumping.

  4. Deploy Threat Intelligence Feeds: Continuously update detection rules to track evolving APT tactics.

  5. Network Segmentation: Restrict unauthorized access and potential lateral movement within the network.
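As an added detection example (not part of the WRAVEN report), the Python below scans constructed Sysmon-style image-load and process-creation records for the side-loading and rundll32 behaviour described in the execution breakdown and targeted by recommendations 1 and 2, and matches the hashes published above. The `Key=Value|Key=Value` record format, the `updater.exe` host process name and the all-zero benign hash are assumptions made for the example.

```python
# Added example (not from the WRAVEN report): scans constructed Sysmon-style records, with
# fields named as in Sysmon events 7/1, for the side-loading behaviour above and the report's hashes.
import re
from pathlib import PureWindowsPath
IOC_HASHES = {  # WINMM.dll hashes as published in the report (SHA-256, SHA-1, MD5)
    "fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5",
    "b5367820cd32640a2d5e4c3a3c1ceedbbb715be2",
    "8bd8506f6b1a80eea68e877fa81e267c",
}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # the real winmm.dll lives here
DLL_ARG = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?', re.I)  # DLL path on a rundll32 command line

def parse_record(line):
    """Split a 'Key=Value|Key=Value' record (constructed log format) into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def in_trusted_dir(path):
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS

def check_side_load(rec):
    """Event 7: a winmm.dll mapped from outside the system directories is a side-load."""
    loaded = rec.get("ImageLoaded", "")
    if PureWindowsPath(loaded).name.lower() == "winmm.dll" and not in_trusted_dir(loaded):
        return f"side-load: {loaded} into {rec.get('Image')}"

def check_rundll32(rec):
    """Event 1: rundll32.exe asked to run a DLL that sits outside the system directories."""
    if PureWindowsPath(rec.get("Image", "")).name.lower() != "rundll32.exe":
        return None
    m = DLL_ARG.search(rec.get("CommandLine", ""))
    if m and not in_trusted_dir(m.group(1)):
        return f"rundll32 loading untrusted DLL: {m.group(1)}"

def check_hashes(rec):
    """Sysmon 'Hashes' reads 'SHA256=...,MD5=...'; any value in the IOC set is a hit."""
    seen = {h.split("=", 1)[1].lower() for h in rec.get("Hashes", "").split(",") if "=" in h}
    hit = seen & IOC_HASHES
    return f"known GhostSpider hash: {min(hit)}" if hit else None

def scan(lines):
    """Return one alert string per triggered check, in log order."""
    alerts = []
    for rec in map(parse_record, lines):
        alerts += [a for a in (check_side_load(rec), check_rundll32(rec), check_hashes(rec)) if a]
    return alerts

# Constructed sample: a planted copy carrying the report's hashes, a benign system load
# (placeholder hash), and rundll32 launching the planted DLL.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Users\Public\app\updater.exe|ImageLoaded=C:\Users\Public\app\WINMM.dll"
    "|Hashes=SHA256=fc3be6917fd37a083646ed4b97ebd2d45734a1e154e69c9c33ab00b0589a09e5,MD5=8bd8506f6b1a80eea68e877fa81e267c",
    r"EventID=7|Image=C:\Windows\System32\rundll32.exe|ImageLoaded=C:\Windows\System32\winmm.dll|Hashes=SHA256=" + "0" * 64,
    r"EventID=1|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\Public\app\WINMM.dll,#1",
]
```

Running `scan(SAMPLE_LOG)` yields three alerts (the side-load, the hash match, and the rundll32 launch) and stays silent on the genuine System32 load.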

GhostSpider is an evasive malware strain employed by Salt Typhoon, leveraging DLL side-loading, process injection, and credential theft techniques. While this analysis did not detect active C2 communication, the malware’s ability to evade detection and persist makes it a significant threat. Organizations should adopt proactive defense mechanisms, including endpoint monitoring, application whitelisting, and enhanced logging to mitigate risks associated with this malware.

Report by: WRAVEN Malware Research Team
Authors: Lochlan McElroy
Help from: Fin Burns, Talon Nowicki, Bryant Quintana, Elijah Steinman, Austin Quakenbush
Contact: [email protected]
Date: February 7, 2025