SvchostVNCInjector
An x64 DLL with a ReflectiveLoader export that injects svchost.exe with a VNC module (Vnc_MT). It is run through the MapDLL export function. svchost.exe is found with CreateToolhelp32Snapshot, and the DLL is loaded into memory with CreateFileMappingW + MapViewOfFile. The architecture resembles a Cobalt Strike BOF. The implant provides remote desktop access (VNC).
Threat Profile
Type: RAT
Programming Language: C/C++
C2 Protocol: custom
First Seen: 2024
Targets
Enterprise
Purpose / Capabilities
- Remote Desktop/Process Injection/VNC
No C2 servers have been identified for this family yet.
Research Reports (1)
SvchostVNCInjector 16278643 -- ReflectiveLoader MapDLL VncMT svchost-inject CreateToolhelp32Snapshot Process32FirstW CreateFileMappingW MapViewOfFile IsWow64Process | Critical
SvchostVNCInjector out.dll 439KB. Export: SvchostInjector.x64.dll::MapDLL. ReflectiveLoader. Vnc_MT. CreateToolhelp32Snapshot svchost.exe. MapViewOfFile. Similar to a Cobalt Strike BOF.