DLL side-loading Attack Takes Advantage of Windows Search Order to Inject Malicious DLL

guest · Aug 24, 2021

DLL side-loading Attack Takes Advantage of Windows Search Order to Inject Malicious DLL
August 24, 2021
https://gbhackers.com/dll-side-loading-attack/

Dynamic-link library (DLL) side-loading is an increasingly popular cyberattack method that takes advantage of how Microsoft Windows applications handle DLL files.

In such attacks, malware places a spoofed malicious DLL file in a Windows’ WinSxS directory so that the operating system loads it instead of the legitimate file.
Click to expand...

DLL side-loading attack aims to take advantage of weak library references and the default Windows search order by placing a malicious DLL file masquerading as a legitimate DLL on a system, which will be automatically loaded by a legitimate program.

X-Force has observed, “DLL side-loading used by the Metamorfo banking Trojan, which drops malicious MSI files that extract a signed binary and a malicious DLL to execute a second-stage malware loader”.
DLL side-loading is being used by ransomware operators, which have leveraged DLL side-loading to execute the ransomware payload to evade detection by security products.
Click to expand...

Threat actors that have leveraged DLL side-loading rely on two behaviors:

Plant a signed executable in a target directory along with the malicious DLL.

Move a Windows executable from System32 or SysWow64 on the target machine to a non-standard directory and plant the malicious DLL within the same folder.

The analysis says that threat actors can evade detection using filename matching by renaming the binary executable, as the side-loading technique will remain viable regardless of the name of the executable.

X-Force set up data collection utilities to collect metadata from endpoints at scale. One of those utilities is SideLoadHunter, which will profile the endpoint for DLLs and executables within user profiles, System32 and SysWow64.
Click to expand...

IBM X-Force: Hunting for Evidence of DLL Side-Loading With PowerShell and Sysmon

Recently, X-Force Red released a tool called Windows Feature Hunter, which identifies targets for dynamic link library (DLL) side-loading on a Windows system using Frida. To provide a defensive counter-measure perspective for DLL side-loading, X-Force Incident Response has released SideLoaderHunter, which is a system profiling script and Sysmon configuration designed to identify evidence of side-loading on Windows systems.
Click to expand...

EASTER · Aug 24, 2021

Releases
No releases published

Rasheed187 · Aug 28, 2021

I have never understood how M$ was never able to fix DLL side loading, it's ridiculous. The good news is that a tool like HMPA does offer protection against this.

Log in or Sign up

DLL side-loading Attack Takes Advantage of Windows Search Order to Inject Malicious DLL

guest Guest

EASTER Registered Member

Rasheed187 Registered Member

Log in or Sign up

DLL side-loading Attack Takes Advantage of Windows Search Order to Inject Malicious DLL

guest Guest

EASTER Registered Member

Rasheed187 Registered Member

Useful Searches