Novel Rorschach Ransomware Abuses Cortex XDR for Stealthy DLL Side-Loading


April 4, 2023


Researchers provided analysis of a new ransomware strain with "technically unique features," which they dubbed "Rorschach."

"Among the capabilities observed is the encryption speed, which, according to tests from the researchers, would make Rorschach the fastest ransomware threat today," Bleeping Computer reported.

"Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks."

Takeaway: While the Rorschach ransomware's fast encryption speed is incredibly interesting and garnering lots of attention, it's not the most interesting feature evaluated in the analysis.

"With fast encryption, once the ransomware payload is delivered and the operation is exposed, responders have less time to intervene," Jon Miller, CEO and co-founder of Halcyon, told SCMagazine. "RaaS providers tout their encryption speed to attract affiliate attackers, and it definitely makes this ransomware strain one to watch."

What stands out even more to Miller is that Rorschach displays advanced security evasion capabilities to make payload delivery undetectable, which is far more concerning than the fast encryption speed.

"It is more interesting to learn that the DLL side-loading delivery abusing the Cortex XDR Dump Service Tool because this is a legitimate, digitally signed security product. This technique leverages vulnerable software to load malicious DLLs that provide persistence and evasion capabilities," Miller told Computer Weekly.

"DLL-sideloading is not new, but it is somewhat rare. It was similarly deployed by the threat actors REvil in the infamous 2021 Kaseya ransomware attack, targeting a managed service provider to deploy a ransomware payload in a supply chain attack. As we saw in the case of Kaseya, downstream victims were compromised by a legitimate software update from a known vendor that was signed with a valid digital certificate," Miller continued.

"All the security hygiene in the world is not going to prevent a legitimate application from executing the malicious payload in this kind of attack. Thus, operational resilience is key."

Detecting DLL side-loading attacks is tricky, but SOC analysts can look for unsigned DLLs loaded by signed executables, for suspicious load paths, and for timestamps that show a gap between the executable's compile time and that of the loaded DLL. Every executable carries a timestamp recording when it was compiled; if that timestamp differs significantly from the loaded DLL's, the DLL could be a malicious payload.

Attackers can make this harder by using timestomping techniques to modify the timestamps. Luckily, this does not appear to be the case with this first iteration of Rorschach. Furthermore, the paths of legitimate executables generally include clear references to a product name, whereas a malicious DLL may sit under a generic path, so analysts can look for these clues as well.
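The three hunting heuristics above (unsigned DLL beside a signed host, a large compile-time gap, a generic load path) can be turned into a small triage check. The following is an added example written for this post, not code from Halcyon or from the Rorschach analysis: it reads the COFF `TimeDateStamp` and the Authenticode (security) data directory straight from PE headers, then scores an exe/DLL load pair. The vendor name, file names, paths, the 180-day gap threshold and the list of "generic" directories are all constructed assumptions, and the PE images are built in memory so the script runs offline.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ntpath import dirname, normcase

# Assumed parameters (not from the Rorschach analysis): what counts as a
# "significant" compile-time gap and which folders are treated as generic.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4            # index of the Authenticode directory
GAP_THRESHOLD = timedelta(days=180)
GENERIC_DIRS = (r"c:\users\public", r"c:\windows\temp", r"c:\programdata")


def build_pe(timestamp: datetime, signed: bool) -> bytes:
    """Construct a minimal PE32+ image (test input only) with the given COFF
    TimeDateStamp and, if signed, a populated security data directory."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, coff,
                     0x8664, 0, int(timestamp.timestamp()), 0, 0, 240, 0x2022)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", img, opt + 108, 16)                     # NumberOfRvaAndSizes
    if signed:
        # Security directory entry = (file offset, size) of a WIN_CERTIFICATE blob;
        # a non-zero size is all the heuristic below looks at.
        struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x180, 0x80)
    return bytes(img)


@dataclass
class PEInfo:
    compiled: datetime
    has_signature_dir: bool


def parse_pe(data: bytes) -> PEInfo:
    """Read the compile timestamp and whether an Authenticode blob is present."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    stamp = struct.unpack_from("<I", data, coff + 4)[0]            # TimeDateStamp
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)                 # PE32+ vs PE32 layout
    _, sec_size = struct.unpack_from("<II", data,
                                     dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return PEInfo(datetime.fromtimestamp(stamp, tz=timezone.utc), sec_size != 0)


def assess_load(exe_path: str, exe_bytes: bytes, dll_path: str, dll_bytes: bytes) -> list:
    """Apply the post's three heuristics to one exe/DLL load pair; return finding tags."""
    exe, dll = parse_pe(exe_bytes), parse_pe(dll_bytes)
    findings = []
    if exe.has_signature_dir and not dll.has_signature_dir:
        findings.append("unsigned_dll_in_signed_host")
    if abs(exe.compiled - dll.compiled) > GAP_THRESHOLD:
        findings.append("compile_time_gap")
    dll_dir = normcase(dirname(dll_path))
    if any(dll_dir.startswith(g) for g in GENERIC_DIRS):
        findings.append("suspicious_load_path")
    return findings


# Constructed scenario: a signed vendor tool with its companion DLL in the
# product folder (benign), and the same signed tool copied to a generic folder
# next to an unsigned, freshly built DLL (the side-loading pattern).
VENDOR_EXE = r"C:\Program Files\ExampleVendor\ExampleEDR\dumptool.exe"
BENIGN_DLL = r"C:\Program Files\ExampleVendor\ExampleEDR\helper.dll"
DROPPED_EXE = r"C:\Users\Public\dumptool.exe"
DROPPED_DLL = r"C:\Users\Public\helper.dll"

TOOL_IMAGE = build_pe(datetime(2021, 1, 15, tzinfo=timezone.utc), signed=True)
BENIGN_IMAGE = build_pe(datetime(2021, 1, 20, tzinfo=timezone.utc), signed=True)
ROGUE_IMAGE = build_pe(datetime(2023, 3, 30, tzinfo=timezone.utc), signed=False)

if __name__ == "__main__":
    print("benign:", assess_load(VENDOR_EXE, TOOL_IMAGE, BENIGN_DLL, BENIGN_IMAGE))
    print("rogue: ", assess_load(DROPPED_EXE, TOOL_IMAGE, DROPPED_DLL, ROGUE_IMAGE))
```

On real telemetry the image bytes would come from the module paths in an image-load event, and the timestamp check should be treated as a weak signal on its own, since the text notes that timestomping can defeat it; the combination of all three findings on one load is what merits analyst attention.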