DLL Side-Loading

Information

• Name: DLL Side-Loading

• ID: T1574.002

• Tactics: TA0003, TA0004, TA0005

• Technique: T1574

Introduction

DLL Side-Loading (T1574.002) is a sub-technique within the MITRE ATT&CK framework categorized under Hijack Execution Flow (T1574). This technique involves attackers exploiting legitimate applications that attempt to load dynamic-link libraries (DLLs) without specifying absolute paths. Attackers place malicious DLLs in directories where applications search for DLLs, causing the legitimate application to unknowingly execute malicious code. DLL Side-Loading is commonly leveraged to evade detection, achieve persistence, and execute code under the guise of legitimate processes.

Deep Dive Into Technique

DLL Side-Loading exploits the way Windows and other operating systems handle DLL loading. When applications load DLLs without specifying absolute paths, they rely on a predefined search order to locate the required DLL. Attackers abuse this behavior by placing malicious DLLs in directories searched before the legitimate DLL location, causing the application to load and execute the malicious payload.

Technical details and execution mechanisms include:

• DLL Search Order Hijacking: Windows applications follow a specific DLL search order:

  1. Directory from which the application loaded

  2. System directory (e.g., C:\Windows\System32)

  3. Windows directory (e.g., C:\Windows)

  4. Current working directory

  5. Directories listed in the PATH environment variable

  Attackers exploit this search order by placing malicious DLLs in directories higher in the priority list.

• DLL Naming and Signature: Attackers name malicious DLLs identically to legitimate DLLs that the application expects. They may sometimes use signed but vulnerable or outdated DLLs to bypass certain security checks.

• Binary Planting: Attackers often bundle malicious DLLs alongside legitimate executables in archives or installers, tricking users or automated processes into running them.

• Persistence and Privilege Escalation: DLL Side-Loading can be used to achieve persistence on compromised systems, as the legitimate application continues to load the malicious DLL on each execution. Attackers may also exploit applications running with elevated privileges to escalate privileges.

• Evasion Techniques: Attackers frequently leverage DLL Side-Loading to evade detection by security software and analysts, since legitimate, trusted executables are used to load malicious code.

When this Technique is Usually Used

DLL Side-Loading can occur in various stages and scenarios of an attack lifecycle, including:

• Initial Access and Execution:

  • Phishing campaigns with malicious archives or installers containing legitimate executables alongside malicious DLLs.

  • Downloading and executing seemingly legitimate software from compromised websites.

• Persistence:

  • Maintaining access by ensuring that legitimate system or third-party applications consistently load malicious DLLs on startup or regular intervals.

• Privilege Escalation:

  • Targeting applications or services running with elevated privileges to execute malicious DLLs in high-privilege contexts.

• Defense Evasion:

  • Leveraging trusted executables to bypass application whitelisting, antivirus, and endpoint detection tools.

• Lateral Movement:

  • Deploying malicious DLLs onto remote machines and triggering execution through legitimate applications to move laterally within the network.

How this Technique is Usually Detected

Detection methods, tools, and indicators of compromise (IoCs) for DLL Side-Loading include:

• Monitoring DLL Loading Events:

  • Use tools such as Sysmon, Process Monitor, or EDR solutions to track DLL loading events and detect unexpected DLLs loaded by legitimate processes.

• Analyzing DLL Search Order Behavior:

  • Identify processes loading DLLs from unusual or user-writable directories.

  • Detect DLLs loaded from temporary folders, user directories, or application directories where DLLs typically do not reside.

• Process and File Integrity Monitoring:

  • Implement file integrity monitoring to detect unauthorized changes or additions of DLL files.

  • Regularly audit directories frequently targeted by attackers, such as application installation folders, application data directories, and temporary directories.

• Signature and Reputation Checks:

  • Verify digital signatures of DLL files loaded by trusted processes.

  • Utilize threat intelligence feeds and reputation databases to identify known malicious DLL hashes.

• Behavioral Analysis and Endpoint Detection Tools:

  • Deploy endpoint detection and response (EDR) solutions to detect anomalous process behaviors, DLL injections, or suspicious file placements.

Indicators of Compromise (IoCs):

• Unusual DLL filenames matching legitimate DLL names but located in unexpected directories.

• DLL files appearing in user-writable directories or alongside legitimate executables in temporary or download folders.

• Unusual process executions or DLL loads observed in event logs or monitoring tools.

• Known malicious DLL file hashes or signatures identified through threat intelligence.

Why it is Important to Detect This Technique

Detecting DLL Side-Loading is crucial due to its significant potential impacts on systems and networks:

• Stealthy Execution and Defense Evasion:

  • Attackers leverage trusted executables to execute malicious code, making detection challenging and enabling prolonged persistence.

• Privilege Escalation:

  • Malicious DLLs loaded by privileged processes can grant attackers elevated permissions, allowing deeper system compromise and control.

• Persistence and Long-Term Compromise:

  • DLL Side-Loading allows attackers to maintain persistence, ensuring continued access even after initial infection vectors are remediated.

• Data Exfiltration and Espionage:

  • Attackers can use DLL Side-Loading to silently execute data-stealing payloads, leading to sensitive data loss and espionage activities.

• Lateral Movement and Network-wide Impact:

  • Attackers can exploit DLL Side-Loading to move across networked systems, increasing the scope and severity of the compromise.

Early detection and mitigation of DLL Side-Loading reduce the risk of prolonged compromise, limit attacker capabilities, and protect critical systems and sensitive data.

Examples

Real-world examples demonstrating DLL Side-Loading attacks include:

• APT41 (Winnti Group):

  • Frequently leveraged DLL Side-Loading to execute malicious payloads using legitimate signed executables from software vendors.

  • Attackers placed malicious DLLs alongside trusted executables, such as gaming or software update utilities, to evade detection and maintain persistence.

• PlugX Malware:

  • PlugX, a remote access trojan (RAT), commonly employs DLL Side-Loading by bundling legitimate signed executables with malicious DLLs.

  • Attackers distribute PlugX via phishing emails or compromised websites, tricking users into executing malicious archives or installers.

• Operation ShadowHammer (ASUS Supply Chain Attack):

  • Attackers compromised ASUS software update utility, embedding malicious DLLs to execute backdoor payloads on targeted systems.

  • The attack resulted in widespread compromise, leveraging DLL Side-Loading to execute malicious code silently.

• OceanLotus (APT32):

  • Utilized DLL Side-Loading extensively in targeted attacks against organizations in Southeast Asia.

  • Malicious DLLs were loaded by legitimate applications like Microsoft Office or Adobe Reader, enabling stealthy execution and persistence.

• SideWinder APT:

  • Targeted government and military entities using DLL Side-Loading techniques.

  • Malicious DLLs executed through legitimate executables allowed attackers to evade detection and maintain long-term access.

These examples highlight the effectiveness and prevalence of DLL Side-Loading in real-world attacks, underscoring the importance of robust detection and mitigation strategies.