SystemShock Loader Research
This is an interesting loader that I stumbled across while observing fake meeting applications, such as fake Google Meet, Zoom, and Teams installers.
The fake software all had odd certificate signers, and all of it consisted of Electron apps that appeared benign at first glance; it is the DLLs they load that are the problem.
The naming of "SystemShock" comes from my observation that each DLL name started with System. These include:
- System.Cover.Lib.dll
- System.Spy.Lib.dll
- System.Filing.dll
- System.Fuling.Lib.dll
Research Focus
- Loader chain analysis: unpacking, staged execution, embedded configuration, process behavior, and payload retrieval logic.
- Obfuscation and configuration: the loader uses AES to decrypt resource files embedded in the .NET DLLs. Extraction Tool
- Detection
- Related blog posts: SystemShock Loader posts and follow-on research can be found through the blog label page.