<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Bitdefender Submission Wizard - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/bitdefender-submission-wizard/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/bitdefender-submission-wizard/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rundll32 Execution with Log.DLL</title><link>https://feed.craftedsignal.io/briefs/2024-01-rundll32-logdll/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rundll32-logdll/</guid><description>Detects the execution of rundll32 with 'log.dll' as a command-line argument, indicative of Lotus Blossom Chrysalis backdoor activity and DLL sideloading attempts.</description><content:encoded><![CDATA[<p>This threat brief focuses on the abuse of <code>rundll32.exe</code> to execute malicious DLLs, specifically <code>log.dll</code>, a technique associated with the Lotus Blossom group's Chrysalis backdoor. The attacker places a rogue <code>log.dll</code> in a location such as <code>%AppData%\Bluetooth</code> and leverages <code>rundll32.exe</code> to invoke a specific function within the DLL (e.g., <code>LogInit</code>). This execution decrypts and runs shellcode. While some legitimate applications like the Bitdefender Submission Wizard also use <code>log.dll</code>, they are susceptible to DLL sideloading attacks, making this detection crucial for identifying malicious activity that bypasses traditional defenses. This campaign was first reported in 2026 and continues to be a relevant threat.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access, often through social engineering or exploiting software vulnerabilities (not specified in source).</li>
<li>A malicious <code>log.dll</code> is placed in a writable directory, such as <code>%AppData%\Bluetooth</code>, mimicking a legitimate DLL location.</li>
<li>The attacker uses <code>rundll32.exe</code> to execute the malicious <code>log.dll</code> with a specific function call (e.g., <code>rundll32.exe log.dll,LogInit</code>).</li>
<li><code>Rundll32.exe</code> loads and executes the <code>log.dll</code>.</li>
<li>The <code>LogInit</code> function in <code>log.dll</code> decrypts embedded shellcode.</li>
<li>The shellcode is injected into a legitimate process or executed directly, establishing persistence or escalating privileges.</li>
<li>The injected shellcode connects to a command-and-control (C2) server to download additional payloads or receive instructions.</li>
<li>The attacker performs actions on the compromised system, such as data exfiltration, lateral movement, or installing additional malware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to complete system compromise, data theft, and the installation of persistent backdoors. The Lotus Blossom group has been known to target organizations across various sectors. The ability to bypass traditional security measures through DLL sideloading makes this a high-impact threat. Even legitimate software can become an attack vector.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Rundll32 Execution with Log.DLL</code> to detect malicious <code>rundll32.exe</code> executions using <code>log.dll</code> (logsource: process_creation).</li>
<li>Investigate any <code>rundll32.exe</code> process executions with <code>log.dll</code> as a command-line argument, especially when originating from unusual paths (Sigma rule <code>Rundll32 Execution with Log.DLL</code>).</li>
<li>Monitor for suspicious file creations or modifications in <code>%AppData%\Bluetooth</code> or other common DLL sideloading locations (logsource: file_event).</li>
<li>Implement application control policies to restrict the execution of <code>rundll32.exe</code> from untrusted locations.</li>
<li>Audit systems for DLL sideloading vulnerabilities in legitimate applications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>rundll32</category><category>dll-sideloading</category><category>lotus-blossom</category><category>chrysalis-backdoor</category></item><item><title>Bitdefender Submission Wizard DLL Sideloading</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-bitdefender-dll-sideloading/</link><pubDate>Tue, 02 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-bitdefender-dll-sideloading/</guid><description>Detection of potential DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) via loading a malicious log.dll from a non-standard path.</description><content:encoded><![CDATA[<p>This threat brief addresses the potential DLL side-loading attack targeting Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe). The attack involves a malicious actor placing a rogue log.dll in a directory where the legitimate Bitdefender executable will load it, thus executing attacker-controlled code. This technique is associated with the Lotus Blossom group (G0065). The observed activity relies on exploiting the DLL search order to execute arbitrary code. Defenders should monitor for instances of BDSubmit.exe, bdsw.exe, or BluetoothService.exe loading log.dll from unexpected paths outside of standard installation directories such as &quot;Program Files&quot; or &quot;Windows\System32&quot;.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the system (method unspecified in source).</li>
<li>The attacker identifies a vulnerable executable, such as BDSubmit.exe or bdsw.exe.</li>
<li>The attacker crafts a malicious log.dll.</li>
<li>The attacker places the malicious log.dll in the same directory as the Bitdefender executable, or in a directory that takes precedence in the DLL search order.</li>
<li>A user executes the legitimate Bitdefender Submission Wizard executable (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe).</li>
<li>The legitimate application attempts to load log.dll. Due to DLL side-loading, the malicious log.dll is loaded instead of the legitimate one.</li>
<li>The malicious log.dll executes attacker-controlled code within the context of the Bitdefender Submission Wizard process.</li>
<li>The attacker achieves code execution for persistence or privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation through DLL side-loading allows attackers to execute arbitrary code within a trusted process. This can lead to privilege escalation, persistence, and potentially complete system compromise. Specific impacts include unauthorized access to sensitive data, installation of malware, and lateral movement within the network. The Lotus Blossom group has been known to use similar techniques to deploy backdoors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Sysmon ImageLoad events (EventCode 7) to monitor DLL loading activity and ensure the Splunk Add-on for Sysmon is configured to parse them as described in the &quot;how_to_implement&quot; section.</li>
<li>Deploy the Sigma rule &quot;Bitdefender Submission Wizard DLL Sideloading&quot; to detect instances where log.dll is loaded from a non-standard path, and tune for your environment.</li>
<li>Investigate any alerts generated by the provided detection rule, focusing on the &quot;dest&quot; and &quot;User&quot; fields as described in the &quot;drilldown_searches&quot; section.</li>
<li>Monitor for the execution of BDSubmit.exe, bdsw.exe, or BluetoothService.exe from unusual locations or with unusual command-line arguments.</li>
<li>Review and harden DLL search order configurations to prevent side-loading attacks (T1574.002).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>dll-sideloading</category><category>persistence</category><category>privilege-escalation</category><category>lotus-blossom</category><category>sysmon</category></item></channel></rss>