26 August 2024

Threat actors use AppDomainManager Injection to deploy CobaltStrike beacons

A new wave of cyber attacks utilizing a rare technique known as AppDomainManager Injection has been observed by the threat research team of Japanese telecom giant NTT since July 2024.

AppDomainManager Injection was first publicly discussed in 2017, followed by some proof-of-concept (PoC) code and explanatory blogs. The technique leverages the .NET Framework's version redirection and the AppDomainManager class to inject malicious code, which is executed when the targeted application loads.

The observed attack campaign involved two primary scenarios. In the first, the attackers set up a malicious website from which unsuspecting users downloaded a ZIP file. In the second, a spear-phishing email contained an attached ZIP file. In both cases, the ZIP file included a malicious MSC (Microsoft Management Console) file, and the attack was triggered when the user opened the file.

While attacks involving MSC files have been documented previously, this campaign leveraged a method known as GrimResource, which eliminates the need for users to click on a link within the MSC file.

The malicious MSC file used in the attack was disguised as a Windows certificate file or a PDF. Once executed, the MSC file used GrimResource to exploit apds.dll, running obfuscated JavaScript code that ultimately executed VBScript. The VBScript downloaded four files and executed oncesvc.exe, a legitimate Microsoft-signed binary with a modified filename.

The oncesvc.exe binary itself was not modified; however, it was accompanied by a configuration file (oncesvc.exe.config) that contained a setting called dependentAssembly. This allowed the application to load an external DLL file, which the attacker used to execute malicious behavior.

The external DLL file defined a class inheriting from AppDomainManager, and within this class, the InitializeNewDomain function was called to carry out the attack. This technique, known as AppDomainManager Injection, can be used across a wide range of .NET Framework applications, the researchers said.
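The configuration-file side of this technique is something a defender can audit directly. The following scanner is an added example written for this article, not code from NTT's research or from the campaign; it parses a .NET `<app>.exe.config` and reports the documented runtime settings that make AppDomainManager injection work (`appDomainManagerAssembly`/`appDomainManagerType`, plus a `dependentAssembly` whose `bindingRedirect`/`codeBase` points the host at a local DLL). The sample config and the names `Loader`/`Loader.Manager` are constructed for the demonstration.

```python
"""Audit .NET <app>.exe.config files for AppDomainManager-injection settings.
Added example for this article (not NTT's or the campaign's code). The element
names are the documented .NET Framework runtime settings; SAMPLE_CONFIG is a
constructed stand-in, not the real oncesvc.exe.config from the campaign."""
import xml.etree.ElementTree as ET
from pathlib import Path

ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"   # namespace of <assemblyBinding>


def scan_config_text(xml_text: str) -> list[str]:
    """Return human-readable findings for one config document (empty = clean)."""
    findings: list[str] = []
    runtime = ET.fromstring(xml_text).find("runtime")
    if runtime is None:
        return findings
    # Direct indicator: the host process is told to load a custom AppDomainManager.
    for tag in ("appDomainManagerAssembly", "appDomainManagerType"):
        el = runtime.find(tag)
        if el is not None:
            findings.append(f"{tag}={el.get('value')}")
    # Supporting indicator: version redirection plus a codeBase href that resolves
    # the dependent assembly from a file next to the binary instead of the GAC.
    for dep in runtime.iter(f"{ASM_NS}dependentAssembly"):
        ident = dep.find(f"{ASM_NS}assemblyIdentity")
        name = ident.get("name", "?") if ident is not None else "?"
        redirect = dep.find(f"{ASM_NS}bindingRedirect")
        if redirect is not None:
            findings.append(f"bindingRedirect {name}: "
                            f"{redirect.get('oldVersion')} -> {redirect.get('newVersion')}")
        codebase = dep.find(f"{ASM_NS}codeBase")
        if codebase is not None:
            findings.append(f"codeBase {name}: {codebase.get('href', '')}")
    return findings


def scan_directory(folder: str) -> dict[str, list[str]]:
    """Map every *.exe.config under folder to its findings (only non-empty ones)."""
    results: dict[str, list[str]] = {}
    for cfg in Path(folder).rglob("*.exe.config"):
        try:
            found = scan_config_text(cfg.read_text(encoding="utf-8-sig"))
        except ET.ParseError:
            continue
        if found:
            results[str(cfg)] = found
    return results


# Constructed sample with the shape such a config takes (hypothetical names).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration><runtime>
  <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <appDomainManagerType value="Loader.Manager" />
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"><dependentAssembly>
    <assemblyIdentity name="Loader" publicKeyToken="null" culture="neutral" />
    <bindingRedirect oldVersion="0.0.0.0-1.0.0.0" newVersion="1.0.0.0" />
    <codeBase version="1.0.0.0" href="Loader.dll" />
  </dependentAssembly></assemblyBinding>
</runtime></configuration>"""

if __name__ == "__main__":
    print("\n".join(scan_config_text(SAMPLE_CONFIG)))
```

A signed binary whose sibling `.exe.config` carries these settings, as with the renamed Microsoft binary in this campaign, is the pattern worth alerting on; legitimate software rarely sets `appDomainManagerAssembly` at all.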

In this attack, the ultimate payload was a CobaltStrike beacon, a tool often used by advanced persistent threat (APT) groups for command-and-control purposes. Analysis of the loaders and infrastructure used in the campaign revealed similarities to techniques linked to the China-affiliated APT41 group.

Further investigation suggests that the attacker may have targeted government agencies in Taiwan, military organizations in the Philippines, and energy companies in Vietnam—all countries bordering the contentious South China Sea. Additionally, a similar attack was reported by AhnLab, where a decoy document related to Japan's defense capabilities was used, indicating that the scope of targets may expand.
