Malware Tried to Use Yandex Browser Vulnerability for Persistence

Malware Attempted to Use Yandex Browser for Persistence in System

While investigating a failed targeted attack on an unnamed Russian freight rail operator, Doctor Web researchers discovered malware that attempted to exploit a vulnerability in Yandex Browser to gain persistence on a compromised system.

Attack Overview

In March 2024, specialists were contacted by representatives of a major Russian company in the freight rail industry. The company’s information security team had noticed a suspicious email with an attached file. Upon review, analysts concluded that the company narrowly avoided becoming the victim of a targeted attack. The attackers aimed to collect system information and deploy modular malware on the compromised machine.

Attack Chain

The attack began with a phishing email disguised as a job applicant’s resume. The email included an archive, supposedly containing a PDF questionnaire. In reality, the file had a “double” extension: .pdf.lnk. The true .lnk extension is used for shortcuts in Windows. The “Target” field can specify the path to any OS object—such as an executable file—and launch it with specific parameters.

In this attack, the shortcut silently launched the PowerShell command interpreter, which then downloaded two malicious scripts from the attackers’ website, each executing its own payload.

The first payload included a legitimate PDF file to distract the user and an executable named YandexUpdater.exe, masquerading as a Yandex Browser update component (the real component is called service_update.exe).

Distracting PDF and Trojan Dropper

The executable was a dropper for a trojan that Doctor Web tracks as Trojan.Packed2.46324. After checking whether it was running in an emulated environment or being analyzed with debugging tools, the dropper unpacked Trojan.Siggen28.53599 onto the compromised system.

This malware allows for remote control, collects system information, and can download additional modules. Notably, the trojan has anti-debugging features: if it detects antivirus, virtual machine, or debugger processes, it overwrites its file with zeros and deletes itself along with its folder.

The second payload consisted of another distracting PDF and the trojan Trojan.Siggen27.11306, a DLL with an encrypted payload.

Exploiting Yandex Browser DLL Search Order Vulnerability

This malware exploited a Yandex Browser vulnerability related to DLL Search Order Hijacking. In Windows, DLL files are libraries used by applications to store functions, variables, and interface elements. When an application starts, it searches for libraries in various locations in a specific order. Attackers can exploit this by placing a malicious library with the expected name in a folder that is searched before the location of the legitimate copy.

The trojan was saved in a hidden folder at %LOCALAPPDATA%\Yandex\YandexBrowser\Application as Wldp.dll. This is the directory where Yandex Browser is installed and where it looks for required libraries at startup.

The legitimate Wldp.dll library, which ensures secure application launches, is a system file located in %WINDIR%\System32. Because the application's own directory is searched before %WINDIR%\System32, the copy placed in the browser's installation folder is the one that gets loaded. The DLL then inherits all permissions of the main application: it can execute commands, create processes on behalf of the browser, and inherit firewall rules for internet access.
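A defender-side check for the planting described above, added here as an example and not part of the original report or of any Doctor Web or Yandex tooling: it scans an application folder for files that carry the name of a System32 library and flags those whose contents differ from the genuine copy. Wldp.dll comes from the incident; the other watched names and the sample directory tree are constructed assumptions for illustration.

```python
"""Hunt for DLL search-order hijacking inside an application directory.

Windows resolves an unqualified DLL name by checking the application's
own directory before %WINDIR%\\System32, so a Wldp.dll dropped next to
the browser executable is loaded instead of the genuine system library.
"""
import hashlib
import tempfile
from pathlib import Path

# DLLs that belong in System32. A same-named file inside an application
# folder is a hijack candidate. Wldp.dll is the one from the incident;
# the other names are assumed additions for illustration only.
SYSTEM_DLLS = {"wldp.dll", "version.dll", "cryptsp.dll", "dbghelp.dll"}


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def find_shadowed_dlls(app_dir, system_dir, watched=SYSTEM_DLLS):
    """Return sorted (file name, reason) pairs for DLLs in app_dir that
    shadow a system DLL. Names compare case-insensitively, as on NTFS."""
    genuine = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    findings = []
    for entry in Path(app_dir).iterdir():
        key = entry.name.lower()
        if not entry.is_file() or key not in watched:
            continue
        reason = "shadows a System32 DLL"
        if key in genuine and sha256_of(genuine[key]) != sha256_of(entry):
            reason += "; content differs from the System32 copy"
        findings.append((entry.name, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for a browser folder and System32 (fake bytes, not real PE files)."""
    root = Path(tempfile.mkdtemp())
    app, sys32 = root / "Application", root / "System32"
    app.mkdir()
    sys32.mkdir()
    (sys32 / "Wldp.dll").write_bytes(b"MZ genuine wldp")
    (sys32 / "version.dll").write_bytes(b"MZ genuine version")
    (app / "browser.exe").write_bytes(b"MZ browser")
    (app / "bundled.dll").write_bytes(b"MZ library the app legitimately ships")
    (app / "Wldp.dll").write_bytes(b"MZ planted payload")  # the hijacking copy
    return app, sys32


if __name__ == "__main__":
    app, sys32 = build_sample_tree()
    for name, why in find_shadowed_dlls(app, sys32):
        print(f"{app / name}: {why}")
```

On a real host the check is pointed at the browser's Application folder and the actual %WINDIR%\System32; a hit on a file the vendor does not ship deserves the same treatment as the hidden Wldp.dll in this case.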

As a result, when the browser is launched, the malicious Wldp.dll decrypts its embedded payload. Decryption occurs twice: first using a key derived from the hash of the DLL's own path, and then with a global key hard-coded in the trojan's body.

The decrypted result is shellcode that loads and runs a .NET application on the compromised system. This stager then downloads further malware from the internet.

At the time of the investigation, the file the loader tried to download was no longer available on the server, so the exact malware that would have been delivered remains unknown.

Vulnerability Disclosure and Patch

Researchers reported the Yandex Browser vulnerability to Yandex. As a result, Yandex released version 24.7.1.380 with a fix, and the vulnerability was assigned the identifier CVE-2024-6473.
