Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller

fxsst.dll persistence: the evil fax machine

Nick Harbour wrote a post on Mandiant's blog about some malware that was using a DLL called ‘fxsst.dll’ to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a fax server (anyone still do that?). He mentions some very interesting points:

- The DLL gets loaded at login by Explorer
- The DLL exists in System32 but is looked for in Windows first
- Explorer doesn’t try to use anything inside of it via exports unless the system is acting as a fax server (aka safe to put a pretty bland DLL there)

I thought… no it couldn’t be that simple… let's see:
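A defender-side check for the condition described above, as an added example that is not part of the original post: it lists every DLL in the Windows directory that shares a name with one in System32, which generalizes the fxsst.dll case to any shadowed name. The function name `Find-ShadowedSystemDll` and its parameter are assumptions made for this example.

```powershell
# Added example, not from the original post.
# Reports DLLs in the Windows directory whose name also exists in System32,
# the "exists in System32 but is looked for in Windows first" condition.
function Find-ShadowedSystemDll {
    [CmdletBinding()]
    param(
        # Assumption: scan the live system; point this at a mounted image to triage offline.
        [string]$WindowsDir = $env:windir
    )

    $system32 = Join-Path $WindowsDir 'System32'

    Get-ChildItem -LiteralPath $WindowsDir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $twin = Join-Path $system32 $_.Name
            # Only names that also exist in System32 are of interest here.
            if (-not (Test-Path -LiteralPath $twin -PathType Leaf)) { return }

            $sig      = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hashHere = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $hashTwin = (Get-FileHash -LiteralPath $twin -Algorithm SHA256).Hash

            [pscustomobject]@{
                Name            = $_.Name
                Path            = $_.FullName
                CreatedUtc      = $_.CreationTimeUtc
                SignatureStatus = $sig.Status
                Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SameAsSystem32  = ($hashHere -eq $hashTwin)
            }
        }
}

$hits = @(Find-ShadowedSystemDll)
$hits | Sort-Object Name | Format-Table -AutoSize

# The specific file from the post gets its own warning.
if ($hits.Name -contains 'fxsst.dll') {
    Write-Warning 'fxsst.dll found in the Windows directory; review its signature and creation time.'
}
```

An unsigned entry, or one whose hash differs from the System32 copy, is the one to examine first.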
