DLL Side-Loading

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [1] are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. [2]

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

ID: T1073

Tactic: Defense Evasion

Platform: Windows

Data Sources: Process use of network, Process monitoring, Loaded DLLs

Defense Bypassed: Process whitelisting, Anti-virus

Version: 1.0

Examples

Name | Description
APT19

APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[3]

APT3

APT3 has been known to side-load DLLs with a valid version of Chrome with one of their tools.[4][5]

APT32

APT32 ran genuinely-signed executables from Symantec and McAfee which loaded a malicious DLL called rastls.dll.[6]

BADNEWS

BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[7][8]

BBSRAT

DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable ssonsvr.exe which is vulnerable to the technique. The Citrix executable was dropped along with BBSRAT by the dropper.[9]

FinFisher

FinFisher uses DLL side-loading to load malicious programs.[10][11]

gh0st

A gh0st variant has used DLL side-loading.[12]

HTTPBrowser

HTTPBrowser has used DLL side-loading.[13]

menuPass

menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[14][15]

OwaAuth

OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL.[13]

Patchwork

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[16]

PlugX

PlugX has used DLL side-loading to evade anti-virus and to maintain persistence on a victim.[5][13][2][14][17]

Sakula

Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[18]

T9000

During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[19]

Threat Group-3390

Threat Group-3390 actors have used DLL side-loading. Actors have used legitimate Kaspersky anti-virus variants in which the DLL acts as a stub loader that loads and executes the shell code.[13][20][21]

Wingbird

Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lssas.exe service.[22][23]

ZeroT

ZeroT has used DLL side-loading to load malicious payloads.[24][25]

Mitigation

Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Detection

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
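The baseline-and-compare approach above, as an added example that is not part of the ATT&CK page: it parses constructed per-process DLL load records (image, DLL path, hash), builds a baseline from earlier runs, and flags a DLL that now loads from outside the system directories under a name that used to resolve there, a new DLL outside those directories, or a changed hash. The record format, paths and hash values are constructed; `examplelib.dll` and `helper.dll` are placeholder names.

```python
# Added example (not from the ATT&CK page): baseline-and-diff check over
# per-process DLL load records. Record format, paths and hashes are constructed.
from collections import namedtuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DllLoad = namedtuple("DllLoad", "image dll_path sha256")  # one load record

def parse_load_events(lines):
    """Parse constructed 'image | dll_path | sha256' records, case-folded."""
    events = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        image, dll_path, sha256 = (f.strip().lower() for f in line.split("|"))
        events.append(DllLoad(image, dll_path, sha256))
    return events

def basename(path):
    return path.rsplit("\\", 1)[-1]

def build_baseline(events):
    """(image, dll basename) -> (path, sha256) from earlier, trusted runs."""
    return {(e.image, basename(e.dll_path)): (e.dll_path, e.sha256) for e in events}

def find_sideload_candidates(baseline, new_events):
    """Flag a DLL that moved out of a system directory (typically into the
    application folder), a new DLL outside system directories, or a hash change."""
    findings = []
    for e in new_events:
        known = baseline.get((e.image, basename(e.dll_path)))
        in_system_dir = e.dll_path.startswith(SYSTEM_DIRS)
        if known is None:
            if not in_system_dir:
                findings.append(("new-dll-outside-system-dirs", e))
        elif e.dll_path != known[0] and not in_system_dir:
            findings.append(("moved-out-of-system-dirs", e))
        elif e.sha256 != known[1]:
            findings.append(("hash-changed", e))  # correlate with patching first
    return findings

BASELINE_LOG = """# image | dll_path | sha256  (constructed sample values)
C:\\Program Files\\Vendor\\app.exe | C:\\Windows\\System32\\examplelib.dll | 1111aaaa
C:\\Program Files\\Vendor\\app.exe | C:\\Windows\\System32\\kernel32.dll | 2222bbbb""".splitlines()
NEW_RUN_LOG = """C:\\Program Files\\Vendor\\app.exe | C:\\Program Files\\Vendor\\examplelib.dll | 9999ffff
C:\\Program Files\\Vendor\\app.exe | C:\\Windows\\System32\\kernel32.dll | 2222bbbb
C:\\Program Files\\Vendor\\app.exe | C:\\Users\\Public\\helper.dll | 8888eeee""".splitlines()

def demo():
    baseline = build_baseline(parse_load_events(BASELINE_LOG))
    return find_sideload_candidates(baseline, parse_load_events(NEW_RUN_LOG))
```

In the constructed data, `demo()` reports `examplelib.dll` as moved out of System32 into the application folder and `helper.dll` as a new load from a user-writable path, while the unchanged `kernel32.dll` load produces nothing.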

References