Potential Raspberry Robin Aclui Dll SideLoading

    Date: 08/05/2024

    Severity: Medium 

    Summary

    "Potential Raspberry Robin Aclui DLL SideLoading" refers to a DLL sideloading technique attributed to the Raspberry Robin malware. DLL sideloading abuses the Windows DLL search order: when an application loads a library by name rather than by full path, Windows checks the application's own directory before the system directories, so an attacker who drops a legitimately signed executable and a malicious DLL of the expected name into the same folder gets the malicious DLL loaded, and its code executed, under the trusted process. Here the legitimate host is OleView.exe, the OLE/COM object viewer shipped with the Windows SDK, and the library it loads is aclui.dll, the Windows access control list (ACL) editor user-interface library that normally lives in System32. An OleView.exe that loads aclui.dll while running from anywhere other than a Windows SDK or Resource Kit installation is therefore the behaviour this detection flags: it indicates that a rogue aclui.dll has been placed beside a copied OleView.exe and sideloaded.

    Indicators of Compromise (IOC) List

    ImageLoaded (DLL that is mapped):

    aclui.dll

    Image (loading process):

    OleView.exe

    Expected locations of OleView.exe, used as exclusions; a load by an OleView.exe running from one of these directories is a legitimate SDK or Resource Kit install and is not flagged:

    Program Files (x86)\Windows Kits

    Program Files\Microsoft SDKs

    Windows Resource Kit

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Both queries express the logic of the referenced Sigma rule: an image-load event in which OleView.exe maps aclui.dll, minus loads by an OleView.exe running from a Windows SDK or Resource Kit directory. The path values are compared against the loading process path; on a platform that stores the full path in image, they need a prefix or contains comparison rather than equality.

    Detection Query 1

    ((resourceName = "Sysmon"  AND eventtype = "7"  ) AND imageloaded = "aclui.dll" AND image = "OleView.exe") AND NOT (image in ("Program Files (x86)\Windows Kits","Program Files\Microsoft SDKs","Windows Resource Kit"))

    Detection Query 2

    ((technologygroup = "EDR" ) AND imageloaded = "aclui.dll" AND image = "OleView.exe") AND NOT (image in ("Program Files (x86)\Windows Kits","Program Files\Microsoft SDKs","Windows Resource Kit"))
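    The following is an added example, not code from this page, from Gurucul or from the SigmaHQ project. It replays the same selection-and-exclusion logic over a handful of constructed Sysmon Event ID 7 records so the true positive (OleView.exe and aclui.dll dropped together in a user-writable folder) can be compared with the benign SDK, Resource Kit and other-process loads. It assumes the three path values are exclusions applied to the loading process path, which is how the queries above list them under image; the record layout, with an EventID line added to the usual "Field: value" message body, is constructed for the example.

```python
"""Replay the OleView.exe -> aclui.dll side-load detection over Sysmon-style records.

Added example; not the page's, Gurucul's or SigmaHQ's code.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Values from the IOC list above.
LOADER_IMAGE = "oleview.exe"
TARGET_DLL = "aclui.dll"

# Directories where the Windows SDK / Resource Kit install OleView.exe.
# Assumption: the rule applies them as exclusions on the loading process
# path (the detection queries list them under `image`); an OleView.exe
# running from anywhere else, e.g. a user-writable folder, is the side-load case.
LEGIT_IMAGE_PREFIXES = (
    "c:\\program files (x86)\\windows kits\\",
    "c:\\program files\\microsoft sdks\\",
)
LEGIT_IMAGE_FRAGMENTS = ("\\windows resource kit\\",)


@dataclass(frozen=True)
class ImageLoad:
    event_id: int
    image: str         # loading process (Sysmon "Image")
    image_loaded: str  # DLL that was mapped (Sysmon "ImageLoaded")


def parse_sysmon_message(message: str) -> Optional[ImageLoad]:
    """Parse 'Field: value' lines of an event message; None if it is not an image-load record."""
    fields = {}
    for line in message.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)  # split once: paths contain a drive-letter colon
        fields[key.strip()] = value.strip()
    try:
        return ImageLoad(int(fields["EventID"]), fields["Image"], fields["ImageLoaded"])
    except (KeyError, ValueError):
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def loader_is_in_legit_location(image: str) -> bool:
    """Exclusion filter: OleView.exe running from a Windows SDK / Resource Kit install."""
    p = image.lower()
    return p.startswith(LEGIT_IMAGE_PREFIXES) or any(f in p for f in LEGIT_IMAGE_FRAGMENTS)


def is_aclui_sideload(ev: ImageLoad) -> bool:
    """Selection: EID 7, Image ends with \\OleView.exe, ImageLoaded ends with \\aclui.dll,
    and the loader is not in a legitimate SDK location."""
    return (
        ev.event_id == 7
        and _basename(ev.image) == LOADER_IMAGE
        and _basename(ev.image_loaded) == TARGET_DLL
        and not loader_is_in_legit_location(ev.image)
    )


def hunt(messages: Iterable[str]) -> List[dict]:
    """Run the rule over raw messages. Each hit is enriched with whether the DLL
    was mapped from the loader's own directory, the classic side-load signature."""
    hits = []
    for m in messages:
        ev = parse_sysmon_message(m)
        if ev and is_aclui_sideload(ev):
            hits.append({
                "image": ev.image,
                "image_loaded": ev.image_loaded,
                "dll_in_loader_dir": _dirname(ev.image) == _dirname(ev.image_loaded),
            })
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Side-load: OleView.exe copied to a user-writable folder next to a rogue aclui.dll
    "EventID: 7\nImage: C:\\Users\\Public\\Music\\OleView.exe\nImageLoaded: C:\\Users\\Public\\Music\\aclui.dll",
    # 2. Benign: the SDK's own OleView.exe loading the system copy of the DLL
    "EventID: 7\nImage: C:\\Program Files (x86)\\Windows Kits\\10\\bin\\x64\\OleView.exe\nImageLoaded: C:\\Windows\\System32\\aclui.dll",
    # 3. Benign: a different process loading the system copy
    "EventID: 7\nImage: C:\\Windows\\explorer.exe\nImageLoaded: C:\\Windows\\System32\\aclui.dll",
    # 4. Same paths but not an image-load event: must not fire
    "EventID: 1\nImage: C:\\Users\\Public\\Music\\OleView.exe\nImageLoaded: C:\\Users\\Public\\Music\\aclui.dll",
    # 5. Benign: Resource Kit install path
    "EventID: 7\nImage: C:\\Tools\\Windows Resource Kit\\OleView.exe\nImageLoaded: C:\\Windows\\System32\\aclui.dll",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

    Only record 1 survives: it is the only Event ID 7 where OleView.exe maps aclui.dll from outside an SDK or Resource Kit directory, and the dll_in_loader_dir flag confirms the DLL came from the same folder as the executable, which is what distinguishes a side-load from a stray copy of the tool.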

    Category: Sigma

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Malware/Raspberry-Robin/image_load_malware_raspberry_robin_side_load_aclui_oleview.yml
