DLL Side-Loading

ID: T1073
Tactic: Defense Evasion
Platform: Windows
Data Sources: Process use of network, Process monitoring, Loaded DLLs
Defense Bypassed: Anti-virus, Process whitelisting

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests [1] are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. [2]

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.


  • APT3 has been known to side-load DLLs using a valid version of Chrome with one of their tools. [3]
  • Threat Group-3390 actors have used DLL side-loading. Actors have used legitimate Kaspersky anti-virus variants in which the DLL acts as a stub loader that loads and executes the shellcode. [4][5]
  • menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6. [6]
  • BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable. [7][8]
  • DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe, which is vulnerable to the technique. The Citrix executable was dropped along with BBSRAT by the dropper. [9]
  • HTTPBrowser has used DLL side-loading. [4]
  • OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL. [4]
  • PlugX has used DLL side-loading to evade anti-virus and to maintain persistence on a victim. [2][3][4][6][10]
  • Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files. [11]
  • During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware. [12]
  • Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lssas.exe service. [13][14]
  • ZeroT has used DLL side-loading to load malicious payloads. [15][16]
  • A gh0st variant has used DLL side-loading. [17]


Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.


Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.
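
One way to implement the comparison described above, as an added example that is not part of the original page: module-load events are reduced to (executable name, DLL name) keys and checked against the DLL paths and hashes recorded from earlier executions. The event field names, the update_hashes allow-list of patch-delivered hashes, and all sample paths and hashes are assumptions constructed for illustration.

```python
import ntpath

def _key(ev):
    # Group by executable name and DLL name so a copied EXE still matches.
    return (ntpath.basename(ev["image"]).lower(),
            ntpath.basename(ev["loaded"]).lower())

def build_baseline(events):
    """Map (exe name, DLL name) -> set of (DLL path, hash) from earlier runs."""
    baseline = {}
    for ev in events:
        baseline.setdefault(_key(ev), set()).add(
            (ev["loaded"].lower(), ev["sha256"]))
    return baseline

def find_deviations(baseline, events, update_hashes=frozenset()):
    """Return (event, reason) for loads that differ from earlier executions.

    update_hashes: hashes delivered by known patching (assumed inventory feed).
    """
    findings = []
    for ev in events:
        seen = baseline.get(_key(ev), set())
        path, digest = ev["loaded"].lower(), ev["sha256"]
        if (path, digest) in seen or digest in update_hashes:
            continue  # unchanged, or explained by a known update
        if not seen:
            reason = "DLL not seen for this executable before"
        elif path not in {p for p, _ in seen}:
            reason = "known DLL name loaded from a new path"
        else:
            reason = "hash changed without a matching update"
        findings.append((ev, reason))
    return findings

# Constructed sample events (not real telemetry); hashes are placeholders.
H1, H2, H3, H4 = (f"{i:02x}" * 32 for i in (1, 2, 3, 4))
APP = r"C:\Program Files\ExampleApp\app.exe"
DLL = r"C:\Program Files\ExampleApp\helper.dll"
BASELINE = build_baseline([{"image": APP, "loaded": DLL, "sha256": H1}])
NEW_EVENTS = [
    {"image": APP, "loaded": DLL, "sha256": H1},   # unchanged load
    {"image": APP, "loaded": DLL, "sha256": H2},   # known vendor update
    {"image": r"C:\Users\Public\app.exe",          # EXE and DLL copied together
     "loaded": r"C:\Users\Public\helper.dll", "sha256": H3},
    {"image": APP, "loaded": DLL, "sha256": H4},   # DLL replaced in place
]

if __name__ == "__main__":
    for ev, reason in find_deviations(BASELINE, NEW_EVENTS, {H2}):
        print(f"{ev['image']} -> {ev['loaded']}: {reason}")
```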