Rare‑Earth Bait: Technical Analysis of a Shellcode Loader
A sample uploaded to VirusTotal by Malware Hunter Team in November 2025 pairs a password‑protected PDF on rare‑earth governance with an executable, SecurityKey.exe. The executable displays the PDF password, allocates RWX memory, and runs a PEB‑traversing, API‑hashing downloader shellcode that fetches a second stage from a domain impersonating the Rare Earth Industry Association (REIA) and executes it via Windows fibers. Detection recommendations follow the analysis.
Overview
On 2025‑11‑21 the Malware Hunter Team uploaded a ZIP named “China’s Governance of Rare Earths and its Global Implications.zip” to VirusTotal. The archive contains a password‑protected PDF and an executable, SecurityKey.exe.
Bait Analysis – Rare‑Earth Topic
Entering the password 202511 unlocks a PDF dated August 2025 titled “China’s Governance of Rare Earths and its Global Implications”, published by the S. Rajaratnam School of International Studies (RSIS). The paper’s geopolitical relevance makes it an effective social‑engineering lure.
Loader Mechanism: From Password Prompt to Code Execution
SecurityKey.exe first shows the PDF password, then allocates a PAGE_EXECUTE_READWRITE (RWX) region, copies the shellcode embedded in its .rdata section into that buffer, and invokes it through a function‑pointer call.
Downloader Shellcode – PEB Traversal and API Hashing
The shellcode is position‑independent. It walks the Process Environment Block (PEB) loader data to find the base address of ntdll.dll, so it never calls the commonly hooked GetModuleHandle API. From each module base it reads the export table and resolves the functions it needs in kernel32.dll and ntdll.dll by hashing every export name and comparing the result with pre‑computed hashes embedded in the code.
Modified FNV‑1a Hash Algorithm
The sample employs a custom 32‑bit FNV‑1a variant. The offset basis is changed from the standard 0x811C9DC5 to 0xBA52D5C7 (3126136263) and the prime from the standard 0x01000193 to 0xFF6E53 (16737619). The algorithm itself (XOR the byte in, then multiply modulo 2^32) is unchanged, so the alteration only defeats signatures and hash‑lookup tables built on the standard constants; once the new constants are known, the lookup table can simply be regenerated.
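The following is an added example, not code from the analyzed sample: the modified FNV‑1a beside standard FNV‑1a, plus hash‑based resolution over a constructed export‑name list, which is the step the shellcode performs after PEB traversal. It assumes the shellcode hashes the raw ASCII export name with 32‑bit wraparound; the analysis does not state whether names are case‑folded first, so that is an assumption here.

```c
/* Added example (not the sample's code): modified FNV-1a vs standard FNV-1a
   and hash-based export resolution over a constructed name table. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FNV1A_STD_BASIS 0x811C9DC5u
#define FNV1A_STD_PRIME 0x01000193u
#define FNV1A_MOD_BASIS 0xBA52D5C7u   /* 3126136263, the sample's offset basis */
#define FNV1A_MOD_PRIME 0x00FF6E53u   /* 16737619, the sample's prime */

/* Generic 32-bit FNV-1a: XOR the byte in, then multiply (mod 2^32). The
   sample only changes the two constants, not this loop. Raw bytes are
   hashed; case folding is assumed absent. */
uint32_t fnv1a32(const char *s, uint32_t basis, uint32_t prime)
{
    uint32_t h = basis;
    for (; *s != '\0'; s++) {
        h ^= (uint8_t)*s;
        h *= prime;
    }
    return h;
}

uint32_t api_hash_std(const char *name) { return fnv1a32(name, FNV1A_STD_BASIS, FNV1A_STD_PRIME); }
uint32_t api_hash_mod(const char *name) { return fnv1a32(name, FNV1A_MOD_BASIS, FNV1A_MOD_PRIME); }

/* Constructed stand-in for an export name table. In the real shellcode the
   names come from the module's IMAGE_EXPORT_DIRECTORY, reached from the
   module base found in the PEB loader list. */
static const char *const kExportNames[] = {
    "CreateThread", "VirtualAlloc", "ConvertThreadToFiber",
    "CreateFiber", "SwitchToFiber", "InternetOpenA", "InternetOpenUrlA",
};
#define N_EXPORTS (sizeof kExportNames / sizeof kExportNames[0])

/* What the shellcode does at runtime: hash each export name and stop at the
   first one equal to the embedded target hash. Returns NULL if none match. */
const char *resolve_by_hash(uint32_t target)
{
    for (size_t i = 0; i < N_EXPORTS; i++)
        if (api_hash_mod(kExportNames[i]) == target)
            return kExportNames[i];
    return NULL;
}

int main(void)
{
    /* Pre-computing this table is how an analyst labels the hashes found in
       the shellcode's resolver without emulating it. */
    for (size_t i = 0; i < N_EXPORTS; i++)
        printf("%-22s std=%08" PRIx32 " mod=%08" PRIx32 "\n", kExportNames[i],
               api_hash_std(kExportNames[i]), api_hash_mod(kExportNames[i]));
    uint32_t want = api_hash_mod("SwitchToFiber");
    printf("resolve %08" PRIx32 " -> %s\n", want, resolve_by_hash(want));
    return 0;
}
```

Running the table over a list of kernel32, ntdll and wininet export names gives the mapping needed to label the hard‑coded hashes in the shellcode's resolver; if a hash never matches, try the same routine with case‑folded names before assuming a different algorithm.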
Payload Download and Infrastructure Impersonation
After resolving wininet.dll functions, the shellcode downloads a second‑stage payload from www.global-reia[.]com/image-directory/da.mp3. The domain mimics the legitimate Rare Earth Industry Association (REIA) site (global-reia.org) by swapping the TLD to .com, and the stage is served under an .mp3 path so the download looks like media rather than an executable.
Fiber Execution – An Unconventional Shellcode Scheduler
The downloaded payload is placed in another RWX buffer and executed via Windows fibers, using four APIs: VirtualAlloc, ConvertThreadToFiber, CreateFiber, and SwitchToFiber. The payload runs on the thread that already exists, so no thread is created and nothing keyed on thread‑creation APIs such as CreateThread, NtCreateThreadEx or CreateRemoteThread (user‑mode hooks or kernel thread‑creation callbacks) fires; the fiber switch itself is a user‑mode swap of stack and registers. Memory‑based detections are unaffected, since the RWX allocation and the executable buffer remain visible to memory scans. Similar fiber‑based execution has been reported in Trend Micro’s TESDAT loader and in Ghost shellcode loaders.
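An added example, not code from the sample, of the four‑call fiber hand‑off described above. The Windows branch uses exactly VirtualAlloc, ConvertThreadToFiber, CreateFiber and SwitchToFiber; the other branch is a POSIX ucontext analogue (makecontext/swapcontext) added so the same control flow can be run on Linux. The "payload" is a C function standing in for the downloaded stage, so no real shellcode is involved; the RWX buffer is allocated only to mirror what the loader does.

```c
/* Added example (not the sample's code): payload execution via a fiber
   switch on the existing thread, with a POSIX ucontext analogue so the
   control flow runs off Windows too. The payload is a plain C function. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>

static int g_payload_ran = 0;   /* set once the payload fiber has executed */

#ifdef _WIN32
#include <windows.h>

static void *g_main_fiber;      /* fiber handle of the original thread */

/* Stand-in for the downloaded stage. A real loader points CreateFiber at
   the RWX buffer instead. A fiber procedure that simply returns ends the
   whole thread, so the payload must switch back to the main fiber itself. */
static void CALLBACK payload_fiber(void *arg)
{
    (void)arg;
    g_payload_ran = 1;
    SwitchToFiber(g_main_fiber);
}

int run_via_fiber(void)
{
    g_payload_ran = 0;
    /* 1. RWX region: where the loader copies the downloaded stage. */
    void *rwx = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE,
                             PAGE_EXECUTE_READWRITE);
    if (rwx == NULL) return 0;
    /* 2. The calling thread becomes a fiber so it can be switched away from. */
    g_main_fiber = ConvertThreadToFiber(NULL);
    /* 3. A new fiber whose start routine is the payload. */
    void *payload = CreateFiber(0, payload_fiber, NULL);
    /* 4. Transfer control on the same thread: no CreateThread, no new TID. */
    SwitchToFiber(payload);
    DeleteFiber(payload);
    VirtualFree(rwx, 0, MEM_RELEASE);
    return g_payload_ran;
}
#else
#include <sys/mman.h>
#include <ucontext.h>

static ucontext_t g_main_ctx, g_payload_ctx;
static char g_payload_stack[64 * 1024];

static void payload_fiber(void)
{
    g_payload_ran = 1;
    swapcontext(&g_payload_ctx, &g_main_ctx);   /* hand control back */
}

int run_via_fiber(void)
{
    g_payload_ran = 0;
    /* 1. RWX region, the mmap equivalent of VirtualAlloc(PAGE_EXECUTE_READWRITE).
       Hardened kernels may refuse RWX; the switch below still demonstrates. */
    void *rwx = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    /* 2-3. getcontext + makecontext play the roles of ConvertThreadToFiber
       and CreateFiber: a second stack and entry point, no second thread. */
    if (getcontext(&g_payload_ctx) != 0) return 0;
    g_payload_ctx.uc_stack.ss_sp = g_payload_stack;
    g_payload_ctx.uc_stack.ss_size = sizeof g_payload_stack;
    g_payload_ctx.uc_link = &g_main_ctx;
    makecontext(&g_payload_ctx, payload_fiber, 0);
    /* 4. swapcontext is SwitchToFiber: same thread, new stack and IP. */
    swapcontext(&g_main_ctx, &g_payload_ctx);
    if (rwx != MAP_FAILED) munmap(rwx, 4096);
    return g_payload_ran;
}
#endif

int main(void)
{
    printf("payload ran via fiber switch: %s\n", run_via_fiber() ? "yes" : "no");
    return 0;
}
```

The detection‑relevant point is visible in the sequence: the only thread in the process is the one that called ConvertThreadToFiber, so a sensor that waits for a thread‑start event on the RWX region never sees one; it has to key on the allocation and the fiber calls instead.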
Attribution Discussion
The observed techniques—PEB traversal, modified FNV‑1a hashing, and fiber execution—are common in modern shellcode and do not point to a specific APT group. Geopolitical context (2025 China‑US rare‑earth export talks, Singapore‑China cyber‑activity accusations) provides background but no concrete attribution.
Summary and Defense Recommendations
The attack chain combines a high‑value geopolitical bait with a password‑prompted executable, a custom downloader, domain impersonation, and fiber‑based payload execution. Recommended detection points include:
File‑level: ZIPs that contain both a password‑protected document and an executable claiming to “unlock” it.
Behavioral: processes that allocate RWX memory and subsequently call ConvertThreadToFiber and SwitchToFiber. Fibers have legitimate users (some runtimes and games), so alert on the combination with an RWX allocation rather than on the fiber APIs alone.
Network: connections to domains that impersonate well‑known organizations through a swapped TLD or lookalike name (e.g., global-reia[.]com for REIA’s global-reia.org), and downloads whose path claims a media or image type (.mp3, .png) but whose content is executable.
Hash‑constant hunting: look for the modified FNV‑1a parameters 3126136263 (0xBA52D5C7) and 16737619 (0xFF6E53), as 32‑bit little‑endian immediates in shellcode or as decimal literals in scripts.
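As an added example of the hash‑constant hunting item (not part of the original analysis), the scanner below searches a byte buffer for the little‑endian 32‑bit encodings of both modified constants and reports a verdict only when both are present, which is what a hashing routine needs. The test buffers are constructed for this example and are not bytes from the sample: one imitates x86 `mov eax, imm32` and `imul eax, eax, imm32` with the sample's constants, the other the same shape with the standard FNV‑1a constants.

```c
/* Added example (not from the original analysis): scan a buffer for the
   little-endian encodings of the modified FNV-1a constants. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAT_BASIS 0x1u
#define PAT_PRIME 0x2u

typedef struct {
    const char *label;
    unsigned bit;
    uint8_t le[4];   /* constant as a 32-bit little-endian immediate */
} Pattern;

static const Pattern kPatterns[] = {
    { "FNV-1a offset basis 0xBA52D5C7 (3126136263)", PAT_BASIS, { 0xC7, 0xD5, 0x52, 0xBA } },
    { "FNV-1a prime 0x00FF6E53 (16737619)",          PAT_PRIME, { 0x53, 0x6E, 0xFF, 0x00 } },
};
#define N_PATTERNS (sizeof kPatterns / sizeof kPatterns[0])

/* Scans buf for each 4-byte constant at every offset. Returns the number of
   hits and ORs the bit of every matched pattern into *seen. */
size_t scan_hash_constants(const uint8_t *buf, size_t len, unsigned *seen)
{
    size_t hits = 0;
    *seen = 0;
    for (size_t off = 0; len >= 4 && off <= len - 4; off++) {
        for (size_t p = 0; p < N_PATTERNS; p++) {
            if (memcmp(buf + off, kPatterns[p].le, 4) == 0) {
                printf("offset 0x%zx: %s\n", off, kPatterns[p].label);
                *seen |= kPatterns[p].bit;
                hits++;
            }
        }
    }
    return hits;
}

/* Verdict: both constants present. Requiring both, rather than either,
   keeps a stray 4-byte coincidence from triggering. */
int looks_like_modified_fnv1a(const uint8_t *buf, size_t len)
{
    unsigned seen;
    scan_hash_constants(buf, len, &seen);
    return seen == (PAT_BASIS | PAT_PRIME);
}

/* Constructed input, not bytes from the sample: 'mov eax, 0xBA52D5C7'
   (B8 imm32) and 'imul eax, eax, 0xFF6E53' (69 C0 imm32) amid filler. */
static const uint8_t kSuspicious[] = {
    0x90, 0x90, 0xB8, 0xC7, 0xD5, 0x52, 0xBA, 0x31, 0xC9,
    0x69, 0xC0, 0x53, 0x6E, 0xFF, 0x00, 0xC3,
};
/* Same shape with the standard constants 0x811C9DC5 and 0x01000193. */
static const uint8_t kStandard[] = {
    0x90, 0x90, 0xB8, 0xC5, 0x9D, 0x1C, 0x81, 0x31, 0xC9,
    0x69, 0xC0, 0x93, 0x01, 0x00, 0x01, 0xC3,
};

int main(void)
{
    printf("constructed suspicious buffer: %s\n",
           looks_like_modified_fnv1a(kSuspicious, sizeof kSuspicious) ? "MATCH" : "clean");
    printf("constructed standard buffer:   %s\n",
           looks_like_modified_fnv1a(kStandard, sizeof kStandard) ? "MATCH" : "clean");
    return 0;
}
```

The same two 4‑byte strings translate directly into a YARA rule with a condition requiring both. Two caveats: a compiler may keep the prime in a register or fold it into a different encoding, so an absent prime does not clear a sample, and scripts or managed code carry the constants as decimal text rather than immediates, which is why the list above gives both forms.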
IOCs
ZIP SHA‑256: 818dbb421dcb451e41e266be43cfe238dd88c5ac6ce34622f85a9e67551c7583
SecurityKey.exe SHA‑256: 87dd99cb495afb0e3705ff762dfde2da8bc3c3986ba5f84d1df8624aa2e117c2
Embedded shellcode SHA‑256: 365cb5c973b7caa106dc112de3e084130ba8c13ae9388d20e5d267a19686b2f7
PDF SHA‑256: 037d5d2662a773ecf2f061ffdf1fc0cd6749bcbb3e2bb5bbbaa4a99666d6403e
URL: www.global-reia[.]com/image-directory/da.mp3
IP: 45.93.8[.]97
This article has been distilled and summarized from source material, then republished for learning and reference.
Black & White Path