Qt5Network.dll: Sideloaded by Spoofed Acronis syncagentsrv.exe

[mbabinski]

This entry attempts to describe the DLL sideloading technique laid out in this report from Cyble from December 2024: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/.

Please let me know if it looks ok or needs changes. Thanks for maintaining this interesting and helpful resource!

[wietze]

Hi Micah, thanks for this contribution! One question on the hash from me, otherwise looks good.

[wietze]

Is this SHA correct? It does not seem to belong to an Acronis product

[mbabinski]

Hi Wietze, thanks for the review. Yeah, I was confused by this. The report mentions that Qt5Network.dll was loaded by syncagentsrv.exe, a legitimate application. But it doesn't provide the EXE hash. A quick google search reveals that this EXE name is part of an Acronis product. So I recorded the vendor of the product which the malicious zipfile was likely trying to mimic. When I looked up the zipfile which contained the EXE and DLL in VT, I can see that the syncagentsrv.exe was actually the file represented by the hash I provided in the PR: https://www.virustotal.com/gui/file/6f7f390b2012e7dfef9fcbd673a4a0256e2e217b11831e9a27a9d460ba57c0d2.

Based on what little I have found on the actual EXE used in the attack, a renamed copy of PasswordChanger.exe (Active@ Password Changer by LSoft Technologies), this would normally be located in:

• %PROGRAMFILES%\LSoft Technologies\Active@ Password Changer\PasswordChanger.exe
• %PROGRAMFILES%\Active Data Recovery Software\Active Password Changer\PasswordChanger.exe or possibly
• %PROGRAMFILES%\LSoft Technologies\Active@ Data Studio\PasswordChanger.exe

Should I update the submission to be geared toward Active@ Password Changer?

Thanks again!

[wietze]

One more comment: if sideloading is used, aren't qt5network and syncagentsrv.exe expected to be located in the same location?