DLL Side-Loading

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [1] are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. [2]

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

ID: T1073
Tactic: Defense Evasion
Platform: Windows
Data Sources: Process use of network, Process monitoring, Loaded DLLs
Defense Bypassed: Process whitelisting, Anti-virus
CAPEC ID: CAPEC-641
Version: 1.0

Procedure Examples

Name Description
APT19

APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[24]

APT3

APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.[26][10]

APT32

APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[19][27][28]

APT41

APT41 used legitimate executables to perform DLL side-loading of their malware. [31]

BADNEWS

BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[3][4]

BBSRAT

DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[9]

Denis

Denis exploits a security vulnerability to load a fake DLL and execute its code.[19]

FinFisher

FinFisher uses DLL side-loading to load malicious programs.[6][7]

gh0st RAT

A gh0st RAT variant has used DLL side-loading.[5]

HTTPBrowser

HTTPBrowser has used DLL side-loading.[11]

HyperBro

HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[20]

menuPass

menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[12][25]

OwaAuth

OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL.[11]

Patchwork

A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[21]

PlugX

PlugX has used DLL side-loading to evade anti-virus.[10][11][2][12][13]

Sakula

Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[8]

Soft Cell

Soft Cell used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[30]

T9000

During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[16]

Threat Group-3390

Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.[11][22][23][20]

Tropic Trooper

Tropic Trooper has been known to side-load DLLs using a valid version of Windows Address Book executable with one of their tools.[29]

Wingbird

Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.[14][15]

ZeroT

ZeroT has used DLL side-loading to load malicious payloads.[17][18]

Mitigations

Mitigation Description
Audit

Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

Restrict File and Directory Permissions

Install software in write-protected locations.

Update Software

Update software regularly to include patches that fix DLL side-loading vulnerabilities.

Detection

Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

References

  1. Microsoft. (n.d.). Manifests. Retrieved June 3, 2016.
  2. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014.
  3. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  4. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  5. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  6. FinFisher. (n.d.). Retrieved December 20, 2017.
  7. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  8. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  9. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  10. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
  11. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  12. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  13. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017.
  14. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  15. Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.
  16. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  1. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  2. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  3. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  4. Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  5. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  6. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  7. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  8. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  9. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  10. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  11. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  12. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  13. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  14. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  15. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.