Malware à la Mode Tracking Dropping Elephant Tradecraft Thro...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain
• Blog Title: Malware à la Mode: Tracking Dropping Elephant Tradecraft Through a China-Themed Loader Chain
• Suggested Section: Windows Hardening / Windows Local Privilege Escalation / DLL Hijacking and Antivirus Bypass; also relevant to Phishing Methodology / Phishing Files & Documents and Basic Forensic Methodology / Malware Analysis

🎯 Content Summary

Rapid7 Dropping Elephant loader-chain analysis

Rapid7 analyzed a Dropping Elephant campaign using a China energy-sector contract lure to deliver a heavily reworked Windows RAT. The activity does not exploit a CVE; it chains social engineering, malicious LNK execution, obfuscated PowerShell staging, scheduled-task persistence, DLL/CPL side-loading, encrypted on-disk payload storage, callback-based shellcode execution, Donut in-memory PE loading, AMSI/WLDP/ETW tampering, and an encrypted H...

🔧 Technical Details

Malicious LNK document impersonation: A Windows shortcut can impersonate a document and execute code while showing a believable lure. In this campaign, GRES3001.lnk masqueraded as a PDF, used conhost.exe as a proxy, and launched obfuscated PowerShell. Split-string tokens such as iw''r, g''c''i, r''e''n, c''p''i, and &(g''cm sch*) show how simple token fragmentation can bypass naive keyword detection while still resolving to normal PowerShell commands at runtime.

Decoy-first staging: The loader retrieves and opens a benign-looking document first, then stages malware in the background. This keeps the victim’s attention on the lure while the infection chain downloads additional payloads from attacker infrastructure such as chinagreenenergy[.]org.

Junk-extension staging and filename reconstruction: Payloads can be d...

🤖 Agent Actions

Done.

Updated:

• src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md

What I added:

• A new section on LNK decoy-first staging → scheduled-task persistence → trusted CPL side-loading
• Coverage of:
  • document-impersonating .lnk
  • split-token PowerShell obfuscation
  • junk-extension staging + filename reconstruction
  • scheduled-task persistence via gcm sch*
  • Fondue.exe + APPWIZ.cpl side-loading
  • callback-based shellcode execution via EnumUILanguagesW
  • concise hunting pivots
• Added the Rapid7 blog to the file’s References

Validation:

• Confirmed internal refs target existing files
• Confirmed ## References remains at the end
• mdbook build couldn’t be run because mdbook isn’t installed in this environment (mdbook: command not found)

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://rapid7.com/blog/post/tr-malware-tracking-dropping-elephant-tradecraft-china-themed-loader-chain

Content Categories: Based on the analysis, this content was categorized under "Windows Hardening / Windows Local Privilege Escalation / DLL Hijacking and Antivirus Bypass; also relevant to Phishing Methodology / Phishing Files & Documents and Basic Forensic Methodology / Malware Analysis".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0