Sophos X-Ops (@SophosXOps@infosec.exchange)
By Sophos X-Ops
Published: 2023-09-22 · Archived: 2026-04-05 15:30:02 UTC

In mid-August, the Sophos X-Ops Incident Response team was brought in to address a cyber incident impacting a telecommunications company. Shortly after, when the customer was onboarded to Sophos MDR services, a detection was generated for a service creation for the Cloudflared tunneling service from a suspicious path. The resulting investigation led Sophos MDR Ops analysts and SophosLabs researchers to uncover a backdoor leveraging a loading function similar to that previously seen within the TinyTurla backdoor.

Evidence indicates the backdoor had been present in the environment since at least June 2022, as a DLL masquerading as a legitimate SMP host service (smpsvc.dll). The registry entry for the ‘smphost’ service was set with a value of ‘2’ for autostart, allowing the backdoor to auto-execute without threat actor interaction.

On September 12th of this year, Sophos observed the execution of the ‘smphost’ service hidden in the svchost.exe process to load the malicious DLL smpsvc.dll and execute attacker commands. The malicious DLL is covered by Sophos under the Troj/Inject-JCX detection.

The observed overlap between TinyTurla and the sample analyzed by Sophos is that both samples load and execute as a service hidden within the svchost.exe process. However, instead of using the technique noted by Talos, where the TinyTurla backdoor came in the form of a new, fake service DLL named 'Windows Time Service,' the threat actors in this case modified the registry entry for the legitimate smphost service DLL to point to the malicious smpsvc.dll carrying the backdoor.

The smphost.dat we saw contains heavily obfuscated data, lacks a PE header and section names, and is used to build the official payload in memory (sha1: c926808667352ff9e0b2f0550965a0864814e3cd). The C2 domain, hxxps[://]cache[.]chartbaet[.]com/static/cache/, is XOR encoded (0x83) and leverages the user agent [Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36].

This sample leverages a UUID that is XORed with file time and system time to generate the unique C2 URL, as shown. The final payload downloaded is injected into process memory and applies API call obfuscation to further avoid detection. (“chartbaet.com” is unrelated to the legitimate Chartbeat software site.)

Shortly after the backdoor established C2 communications, Sophos observed a likely DCSync attack to retrieve user credentials (shown) and saw discovery performed via Impacket.

The actor then extracted the file 'c.cab' and executed compressed file c.part01.rar. The c.cab file created C:\Windows\Temp\cloudflared.exe and a new service called 'SRService' on the hosts. The service creation is for the execution of 'C:\Windows\System32\downlevel\ShellExperienceHost.exe,' which was detected by the Sophos MDR team.
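The two persistence patterns in the thread (a legitimate svchost-hosted service whose ServiceDll is redirected to an attacker DLL with Start=2, and a new service launching a tunneling binary from a staging directory) can be checked against collected service registry entries with a script like the one below. This is an added example, not Sophos code or a detection from the thread; the smphost.dll baseline, the staging-directory list and the sample records are assumptions made for illustration.

```python
SYSTEM32 = r"c:\windows\system32"
# Baseline assumed for illustration (not from the thread): the stock smphost
# service loads smphost.dll from System32. Build this from a known-good image.
EXPECTED_SERVICE_DLL = {"smphost": SYSTEM32 + r"\smphost.dll"}
# Writable/staging directories from which a service binary should never run.
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\")
# Tunneling tools the thread describes being registered as a service.
TUNNEL_TOOLS = {"cloudflared.exe"}


def normalize(path):
    """Lower-case and expand %SystemRoot% so registry paths compare reliably."""
    return path.strip().lower().replace("%systemroot%", r"c:\windows")


def executable_of(image_path):
    """Return the executable from an ImagePath, dropping e.g. svchost -k args."""
    p = normalize(image_path)
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    return p.split(" ", 1)[0]


def audit_service(name, image_path, service_dll=None, start=None):
    """Return finding tags for one HKLM\\SYSTEM\\...\\Services\\<name> entry."""
    findings = []
    exe = executable_of(image_path)
    if any(exe.startswith(d) for d in STAGING_DIRS):
        findings.append("binary_in_staging_dir")
    if exe.rsplit("\\", 1)[-1] in TUNNEL_TOOLS:
        findings.append("tunnel_tool_as_service")
    if service_dll:  # svchost-hosted service: the DLL is what actually runs
        dll = normalize(service_dll).strip('"')
        expected = EXPECTED_SERVICE_DLL.get(name.lower())
        if expected and dll != expected:
            findings.append("servicedll_hijacked")
        if not dll.startswith(SYSTEM32 + "\\"):
            findings.append("servicedll_outside_system32")
    if findings and start == 2:  # Start=2 (auto): runs at boot, no interaction
        findings.append("autostart")
    return findings


if __name__ == "__main__":
    # Constructed sample records modelled on the thread, not real telemetry.
    records = [
        ("smphost", r"%SystemRoot%\system32\svchost.exe -k smphost",
         r"%SystemRoot%\System32\smpsvc.dll", 2),
        ("SRService", r"C:\Windows\Temp\cloudflared.exe tunnel run", None, 2),
    ]
    for rec in records:
        print(rec[0], "->", audit_service(*rec) or "clean")
```

In practice the records would come from a registry export or EDR telemetry of the Services key, and the expected-DLL table from a golden image of the same Windows build.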
Source: https://infosec.exchange/@SophosXOps/111109357153515214