Full Report
Thai government officials have emerged as the target of a new campaign that leverages a technique called DLL side-loading to deliver a previously undocumented backdoor dubbed Yokai. "The target of the threat actors were Thailand officials based on the nature of the lures," Nikhil Hegde, senior engineer for Netskope's Security Efficacy team, told The Hacker News. "The Yokai backdoor itself is not
Analysis Summary
# Threat Actor: Unspecified APT targeting Thai Officials (Leveraging Yokai Backdoor)
## Attribution & Identity
The actor is currently **unattributed**, but the targeting strongly suggests a state-sponsored or politically motivated group focused on Thai internal or international affairs. The campaign involves the deployment of a previously undocumented backdoor dubbed **Yokai**.
## Activity Summary
The campaign targets **Thai government officials** using document lures related to a high-profile Thai national wanted in the US (Woravit Mektrakarn). The attackers use a multi-stage process in which LNK files dropped from RAR archives lead to the deployment of the Yokai backdoor.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Use of RAR archives containing LNK files disguised as PDF/DOCX documents relating to legal matters.
- **Execution:** Double-clicking the LNK file opens the decoy documents while stealthily dropping a malicious executable.
- **Defense Evasion/Persistence:** Use of the **DLL side-loading** technique: a legitimate binary (`IdrInit.exe`, associated with iTop Data Recovery) is abused to load a malicious DLL (`ProductStatistics3.dll`) placed alongside it.
- **Execution:** The deployed Yokai backdoor connects to its C2 server, receives command codes, and executes arbitrary shell commands by spawning `cmd.exe`.
## Targeting
- Sectors: Government/Officials
- Geography: Thailand (Primary target confirmed by lures)
- Victims: Thai government officials
## Tools & Infrastructure
- **Malware families used:** Yokai (Undocumented Backdoor)
- **Associated Components:** `IdrInit.exe` (legitimate binary abused for side-loading), `ProductStatistics3.dll` (malicious DLL), DATA file (containing C2 information).
- **Infrastructure (C2, domains, IPs):** Information regarding specific C2 domains or IPs was not detailed, only that Yokai communicates with an "attacker-controlled server."
## Implications
This campaign demonstrates sophisticated evasion techniques (DLL side-loading) employed against sensitive government targets in Thailand. The use of highly specific, politically charged lures suggests targeted intelligence gathering or disruptive operations against particular Thai government functions or personnel. The backdoor (Yokai) is noted to be multipurpose and could be used against other targets once initial access is gained.
## Mitigations
- Enhance monitoring and detection for the abuse of legitimate iTop Data Recovery components (`IdrInit.exe`) loading unsigned dynamic link libraries.
- Review email filtering and user training to defend against spear-phishing attempts utilizing RAR archives containing LNK files, especially those using locally relevant language lures (Thai in this case).
- Implement robust application control to restrict the execution of unrecognized or suspicious executables dropped by shortcut files.
***
*Note: The article also mentions unrelated threat activity (NodeLoader and Remcos RAT campaigns). That activity has been omitted here because this summary focuses on the threat actor deploying the Yokai backdoor against Thai officials.*