Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be used simultaneously by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, search order hijacking, and phantom DLL hijacking.[1]
Specific ways DLLs are abused by adversaries include:
Adversaries may execute their own malicious payloads by side-loading DLLs. Side-loading hijacks which DLL a program loads: the adversary plants a legitimate application together with a malicious DLL that the application will load, then invokes the application so that it executes the payload(s).
Side-loading positions both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.
Adversaries may also side-load other packages, such as BPLs (Borland Package Library).[2]
Adversaries may execute their own malicious payloads by hijacking the search order that Windows uses to load DLLs. This search order is a sequence of special and standard search locations that a program checks when it loads a DLL by name rather than by full path. An adversary can plant a trojan DLL in a directory that the search order checks before the location of the legitimate library, causing Windows to load the malicious DLL when the victim program requests it.[1]
Adversaries may directly modify the search order via DLL redirection, which once enabled (in the Registry or via the creation of an application-specific .local redirection file) may cause a program to load a DLL from a different location.[3][4]
Adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. They may be able to load their own malicious DLL by planting it with the correct name in the location of the missing module.[5][6]
Adversaries may target existing, valid DLL files and substitute them with their own malicious DLLs, planting them with the same name and in the same location as the valid DLL file.[7]
Programs that fall victim to DLL hijacking may appear to behave normally because the malicious DLL can be written to also load (and forward calls to) the legitimate DLL it replaced, evading defenses.
Remote DLL hijacking can occur when a program sets its current directory to a remote location, such as a Web share, before loading a DLL by name.[8][9]
If the victim program runs at a higher privilege level (for example as SYSTEM or as an administrator), the adversary-controlled DLL it loads executes at that level as well. In this case, the technique can be used for privilege escalation.
ID | Name | Description |
---|---|---|
G0073 | APT19 | APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[10] |
G0022 | APT3 | APT3 has been known to side-load DLLs with a valid version of Chrome with one of their tools.[11][12] |
G0050 | APT32 | APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[13][14][15] |
G0096 | APT41 | APT41 has used search order hijacking to execute malicious payloads, such as Winnti for Windows.[16] APT41 has also used legitimate executables to perform DLL side-loading of their malware.[17] |
C0040 | APT41 DUST | APT41 DUST involved the use of DLL search order hijacking to execute DUSTTRAP.[18] APT41 DUST also used DLL side-loading to execute DUSTTRAP via an AhnLab uninstaller.[18] |
G0143 | Aquatic Panda | Aquatic Panda has used DLL search-order hijacking to load |
S0373 | Astaroth | Astaroth can launch itself via DLL Search Order Hijacking.[21] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has executed DLL search order hijacking.[22] |
S0128 | BADNEWS | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[23][24] |
S0127 | BBSRAT | DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[25] |
G0098 | BlackTech | BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.[26] |
S0415 | BOOSTWRITE | BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.[27] |
G0060 | BRONZE BUTLER | BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[28] |
S1063 | Brute Ratel C4 | Brute Ratel C4 has used search order hijacking to load a malicious payload DLL as a dependency to a benign application packaged in the same ISO.[29] Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally-signed Microsoft binary OneDriveUpdater.exe.[29] |
S0631 | Chaes | Chaes has used search order hijacking to load a malicious DLL.[30] |
G0114 | Chimera | Chimera has used side loading to place malicious DLLs in memory.[31] |
S1041 | Chinoxy | Chinoxy can use a digitally signed binary ("Logitech Bluetooth Wizard Host Process") to load its dll into memory.[32] |
G1021 | Cinnamon Tempest | Cinnamon Tempest has used search order hijacking to launch Cobalt Strike Beacons.[33][34] Cinnamon Tempest has also abused legitimate executables to side-load weaponized DLLs.[35] |
S0660 | Clambling | Clambling can store a file named |
S0538 | Crutch | Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.[38] |
G1034 | Daggerfly | Daggerfly has used legitimate software to side-load PlugX loaders onto victim systems.[39] Daggerfly is also linked to multiple other instances of side-loading for initial loading activity.[40] |
S1111 | DarkGate | DarkGate includes one infection vector that leverages a malicious "KeyScramblerE.DLL" library that will load during the execution of the legitimate KeyScrambler application.[41] |
S0354 | Denis | Denis exploits a security vulnerability to load a fake DLL and execute its code.[13] |
S0134 | Downdelph | Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.[42] |
S0384 | Dridex | Dridex can abuse legitimate Windows executables to side-load malicious DLL files.[43] |
G1006 | Earth Lusca | Earth Lusca has placed a malicious payload in |
S0624 | Ecipekac | Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.[45] |
S0554 | Egregor | Egregor has used DLL side-loading to execute its payload.[46] |
S0363 | Empire | Empire contains modules that can discover and exploit various DLL hijacking opportunities.[47] |
G0120 | Evilnum | Evilnum has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder.[48] |
G1016 | FIN13 | FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507).[49] |
S0182 | FinFisher | FinFisher uses DLL side-loading to load malicious programs.[50][51] A FinFisher variant also uses DLL search order hijacking.[50][52] |
S0661 | FoggyWeb | FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate |
G0093 | GALLIUM | GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[54] |
S0032 | gh0st RAT | |
S0477 | Goopy | Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.[14] |
G0126 | Higaisa | Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the |
S0009 | Hikit | Hikit has used DLL to load |
S0070 | HTTPBrowser | HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.[58] HTTPBrowser has also used DLL side-loading.[59] |
S1097 | HUI Loader | HUI Loader can be deployed to targeted systems via legitimate programs that are vulnerable to DLL search order hijacking.[34] |
S0398 | HyperBro | HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[60][61] |
S0260 | InvisiMole | InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.[62] |
S0528 | Javali | Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[21] |
S0585 | Kerrdown | Kerrdown can use DLL side-loading to load malicious DLLs.[63] |
G0032 | Lazarus Group | Lazarus Group has replaced |
S1101 | LoFiSe | LoFiSe has been executed as a file named DsNcDiag.dll through side-loading.[66] |
S0582 | LookBack | LookBack side loads its communications module as a DLL into the |
G1014 | LuminousMoth | LuminousMoth has used legitimate executables such as |
S1213 | Lumma Stealer | Lumma Stealer has leveraged legitimate applications to then side-load malicious DLLs during execution.[70] |
S0530 | Melcoz | Melcoz can use DLL hijacking to bypass security controls.[21] |
G0045 | menuPass | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[71][72][73] menuPass has also used DLL search order hijacking.[74] |
S1059 | metaMain | |
S0455 | Metamorfo | Metamorfo has side-loaded its malicious DLL file.[76][77][78] |
S0280 | MirageFox | MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.[79] |
G0069 | MuddyWater | MuddyWater maintains persistence on victim networks through side-loading DLLs to trick legitimate programs into running malware.[80] |
G0129 | Mustang Panda | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[81][82][83] |
G0019 | Naikon | Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.[84] |
S0630 | Nebulae | |
S1100 | Ninja | Ninja loaders can be side-loaded with legitimate and signed executables including the VLC.exe media player.[66] |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors used the legitimate Windows services |
S0664 | Pandora | Pandora can use DLL side-loading to execute malicious payloads.[61] |
G0040 | Patchwork | A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[87] |
S1102 | Pcexter | Pcexter has been distributed and executed as a DLL file named Vspmsg.dll via DLL side-loading.[66] |
S0013 | PlugX | PlugX has the ability to use DLL search order hijacking for installation on targeted systems.[88] PlugX has also used DLL side-loading to evade anti-virus.[12][59][89][71][90][36][91] |
S0194 | PowerSploit | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.[92][93] |
S1046 | PowGoop | PowGoop can side-load |
S0113 | Prikormka | Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.[95] |
S0650 | QakBot | QakBot has the ability to use DLL side-loading for execution.[96] |
S0629 | RainyDay | RainyDay can use side-loading to run malicious executables.[85] |
S0458 | Ramsay | Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.[97] |
S1130 | Raspberry Robin | Raspberry Robin can use legitimate, signed EXE files paired with malicious DLL files to load and run malicious payloads while bypassing defenses.[98] |
S0662 | RCSession | RCSession can be installed via DLL side-loading.[99][36][91] |
C0047 | RedDelta Modified PlugX Infection Chain Operations | Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[100] |
S0153 | RedLeaves | RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.[101] |
G0048 | RTM | RTM has used search order hijacking to force TeamViewer to load a malicious DLL.[102] |
S0074 | Sakula | Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[103] |
G1008 | SideCopy | SideCopy has used a malicious loader DLL file to execute the |
G0121 | Sidewinder | Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[105] |
G1046 | Storm-1811 | Storm-1811 has deployed a malicious DLL (7z.DLL) that is sideloaded by a modified, legitimate installer (7zG.exe) when that installer is executed with an additional command line parameter of |
S1183 | StrelaStealer | StrelaStealer has sideloaded a DLL payload using a renamed, legitimate |
S0663 | SysUpdate | SysUpdate can load DLLs through vulnerable legitimate executables.[61] |
S0098 | T9000 | During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[108] |
G0027 | Threat Group-3390 | Threat Group-3390 has performed DLL search order hijacking to execute their payload.[109] Threat Group-3390 has also used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as |
G0131 | Tonto Team | Tonto Team abuses a legitimate and signed Microsoft executable to launch a malicious DLL.[113] |
G0081 | Tropic Trooper | Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.[114][115] |
G1047 | Velvet Ant | Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX.[116] |
S0612 | WastedLocker | WastedLocker has performed DLL hijacking before execution.[117] |
S0579 | Waterbear | Waterbear has used DLL side loading to import and load a malicious DLL loader.[26] |
S0109 | WEBC2 | Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to |
G0107 | Whitefly | Whitefly has used search order hijacking to run the loader Vcrodat.[119] |
S0176 | Wingbird | Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.[120][121] |
S0230 | ZeroT | ZeroT has used DLL side-loading to load malicious payloads.[122][123] |
ID | Mitigation | Description |
---|---|---|
M1013 | Application Developer Guidance | When possible, include hash values in manifest files to help prevent side-loading of malicious libraries. |
M1047 | Audit | Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses.[124] Use the program |
M1038 | Execution Prevention | Identify and block potentially malicious software executed through DLL hijacking by using application control solutions capable of blocking DLLs loaded by legitimate software.[126] |
M1044 | Restrict Library Loading | Disallow loading of remote DLLs. This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+.[127] Enable Safe DLL Search Mode to move the user's current folder later in the search order. This is included by default in modern versions of Windows; the associated Windows Registry key is located at |
M1051 | Update Software | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0022 | File | File Creation | Monitor newly constructed |
| | File Modification | Monitor for changes made to |
DS0011 | Module | Module Load | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process (particularly known malicious ones), or that have the same file name but abnormal paths (e.g., loaded from a user-writable directory rather than a system one). Monitor DLLs loaded from remote locations. |
DS0009 | Process | Process Creation | Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. |
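The Module Load row above lists the conditions a detection should key on: a known DLL name loaded from an abnormal path, an unsigned DLL loaded from a user-writable directory, a DLL sitting beside the executable that loads it, and a DLL loaded from a remote location. The Python below is an added example (not detection logic from the ATT&CK page or any vendor) that applies those conditions to records shaped like Sysmon Event ID 7 (ImageLoad) events. The baseline of expected DLL locations, the protected-root heuristic for "user-writable", and the four sample events are constructed for illustration; a real deployment would derive the baseline from a golden image or long-term ImageLoaded telemetry, and image loading must be enabled in the Sysmon configuration since Event ID 7 is not logged by default.

```python
"""Classify Sysmon Event ID 7 (ImageLoad) style records for DLL hijacking
patterns: known name on an abnormal path, unsigned DLL from a user-writable
directory, DLL beside its loader (side-loading), and remote (UNC) loads.
Baseline, writable-directory heuristic and events are constructed samples."""
import ntpath

# Constructed baseline: directory each DLL name is expected to load from.
BASELINE = {
    "version.dll": r"C:\Windows\System32",
    "dwrite.dll": r"C:\Windows\System32",
    "ntshrui.dll": r"C:\Windows\System32",
}
# Constructed heuristic: paths under these roots are treated as not writable
# by a standard user; everything else (profiles, temp, UNC shares) is.
PROTECTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def _n(path: str) -> str:
    return ntpath.normcase(path)  # Windows paths are case-insensitive


def is_remote(path: str) -> bool:
    return path.startswith("\\\\")  # UNC path, e.g. an SMB or WebDAV share


def is_user_writable(path: str) -> bool:
    return not any(_n(path).startswith(_n(root) + "\\") for root in PROTECTED_ROOTS)


def classify(event: dict) -> list[str]:
    """Return the reasons a load is suspicious (empty list = nothing flagged).
    Uses the Sysmon ID 7 fields Image, ImageLoaded and Signed."""
    image, loaded = event["Image"], event["ImageLoaded"]
    name = _n(ntpath.basename(loaded))
    loaded_dir = ntpath.dirname(loaded)
    unsigned = str(event.get("Signed", "true")).lower() == "false"
    reasons = []
    if is_remote(loaded):
        reasons.append("remote_dll")
    expected = BASELINE.get(name)
    if expected is not None and _n(loaded_dir) != _n(expected):
        reasons.append("baseline_path_mismatch")  # known name, abnormal path
    if unsigned and is_user_writable(loaded):
        reasons.append("unsigned_from_writable")
    if unsigned and is_user_writable(loaded) and _n(loaded_dir) == _n(ntpath.dirname(image)):
        reasons.append("sideload_candidate")      # DLL sits beside its loader
    return reasons


# Constructed sample events (subset of Sysmon Event ID 7 fields).
EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\ntshrui.dll", "Signed": "true"},
    {"Image": r"C:\Windows\explorer.exe",                     # search order hijack
     "ImageLoaded": r"C:\Windows\ntshrui.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Updater\OneDriveUpdater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Updater\version.dll",
     "Signed": "false"},                                      # side-loading
    {"Image": r"C:\Program Files\Vendor\tool.exe",            # remote DLL
     "ImageLoaded": r"\\10.0.0.5\share\helper.dll", "Signed": "false"},
]


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Flagged loads as (ImageLoaded, reasons); clean events are dropped."""
    return [(e["ImageLoaded"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for path, reasons in triage(EVENTS):
        print(path, "->", ", ".join(reasons))
```

The second sample event is the explorer.exe/ntshrui.dll pattern from the Prikormka and InvisiMole entries above: the planted copy lives in a protected directory, so the only signal is the name-versus-path mismatch against the baseline, which is why a baseline of where system DLLs normally load from matters more than signature checks alone. Signed-by-vendor trojan DLLs would also pass the `Signed` check, so the path-based reasons should carry the most weight in a production rule.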