Dylib Hijacking

Information

• Name: Dylib Hijacking

• ID: T1574.004

• Tactics: TA0003, TA0004, TA0005

• Technique: T1574

Introduction

Dylib Hijacking (T1574.004) is a sub-technique within the MITRE ATT&CK framework categorized under "Hijack Execution Flow." Attackers exploit the dynamic loading behavior of applications on macOS and Linux-based systems by placing malicious dynamic libraries (dylibs) in strategic locations. When legitimate applications execute, they unintentionally load these malicious dylibs, allowing adversaries to execute arbitrary code, escalate privileges, or maintain persistence covertly.

Deep Dive Into Technique

Dylib Hijacking leverages the mechanism by which applications dynamically load shared libraries at runtime. Attackers exploit this behavior by placing malicious dynamic libraries (dylibs) in directories where applications search for dependencies. Key technical aspects include:

• Dynamic Library Loading Behavior: Applications using dynamic libraries typically search predefined locations (such as the current working directory, application directories, or system library paths) to load required dylibs at execution time.

• Exploitation of Search Order: Attackers exploit the search order precedence by placing malicious dylibs in directories searched before legitimate library paths, causing the application to load the malicious library first.

• Persistence and Privilege Escalation: Once loaded, malicious dylibs execute attacker-controlled code in the context of the targeted application. This can lead to persistence, privilege escalation, or lateral movement depending on the application's permissions and execution context.

• Common Mechanisms Used:

  • Placing malicious dylibs in the application's working directory.

  • Manipulating environment variables (e.g., DYLD_LIBRARY_PATH) to influence dylib loading paths.

  • Exploiting weak file permissions or misconfigurations to replace or overwrite legitimate dylibs.

• Real-world Procedures:

  • Attackers may drop malicious dylibs into directories writable by standard users, knowing an application with elevated privileges will load libraries from that location.

  • Malicious dylibs often mimic legitimate filenames to evade suspicion and detection.

When this Technique is Usually Used

Dylib Hijacking can be employed at various stages of the cyber kill chain and in multiple attack scenarios:

• Initial Access and Execution: Attackers may exploit vulnerable software installations or compromised downloads to place malicious dylibs, enabling initial code execution.

• Privilege Escalation: Malicious dylibs loaded by applications running with elevated privileges (e.g., administrative or root-level processes) can allow attackers to escalate privileges on the compromised system.

• Persistence: Attackers frequently use dylib hijacking to establish persistent footholds, ensuring malicious code executes whenever the legitimate application runs.

• Defense Evasion: Attackers leverage dylib hijacking to execute malicious code under legitimate application processes, making detection more challenging.

How this Technique is Usually Detected

Detection of dylib hijacking involves various methods, tools, and specific Indicators of Compromise (IoCs):

• File Integrity Monitoring (FIM):

  • Monitoring changes or unexpected additions of dylib files in critical directories.

  • Tools such as OSSEC, Tripwire, or built-in macOS audit functions can detect unauthorized dylib modifications.

• Behavioral Analysis and Endpoint Detection and Response (EDR):

  • Monitoring unusual dylib loading behaviors, such as dylibs loaded from non-standard paths or directories.

  • Security tools like CrowdStrike Falcon, Carbon Black, or SentinelOne can detect anomalous dylib loading activities.

• Process Monitoring and Logging:

  • Analyzing process execution logs to identify unexpected dylib loads or abnormal process behaviors.

  • macOS built-in tools (dtrace, fswatch, lsof, or auditd) can help identify suspicious dylib loading activities.

• Environment Variable Monitoring:

  • Monitoring changes to environment variables (DYLD_LIBRARY_PATH) that influence dylib loading paths.

• Specific Indicators of Compromise (IoCs):

  • Unexpected dylib files appearing in application directories or user-writable locations.

  • Dylib files with suspicious naming conventions or timestamps inconsistent with legitimate application files.

  • Logs indicating dylib loading from unusual directories or locations.

Why it is Important to Detect This Technique

Early detection of dylib hijacking is critical due to the potentially severe impacts on systems and networks:

• Privilege Escalation Risks: Attackers can escalate privileges by loading malicious dylibs into privileged processes, gaining administrative or root-level access.

• Persistence and Stealthy Operations: Dylib hijacking allows attackers to maintain persistence covertly, executing malicious code under legitimate application contexts, making detection and remediation challenging.

• Data Exfiltration and Espionage: Malicious dylibs can intercept or manipulate sensitive data handled by legitimate applications, facilitating data theft or espionage operations.

• System Stability and Integrity Risks: Malicious dylibs can introduce instability, crashes, or unintended behaviors in critical applications, impacting system reliability and availability.

• Lateral Movement and Further Compromise: Attackers may leverage compromised systems as footholds to move laterally within networks, compromising additional resources and infrastructure.

Examples

Real-world examples demonstrating dylib hijacking include:

• XcodeGhost (2015):

  • Attackers compromised Apple's Xcode development environment, embedding malicious dylibs into iOS applications compiled with the infected Xcode version.

  • Impacted millions of users by distributing infected applications through the official App Store.

  • Allowed attackers to steal sensitive user information, remotely control devices, and execute arbitrary code.

• OceanLotus/APT32 macOS Malware (2017-2019):

  • Vietnamese threat actor OceanLotus used dylib hijacking to deliver backdoors and maintain persistence on macOS systems.

  • Malicious dylibs placed in application directories loaded automatically upon application execution.

  • Enabled espionage activities, including keylogging, screen capturing, and data exfiltration.

• WindTail Malware (2018):

  • Targeted macOS users primarily in the Middle East region.

  • Utilized dylib hijacking by placing malicious dylibs in directories searched by legitimate applications, leading to stealthy persistence and data theft.

• Shlayer Malware (2019-2020):

  • Leveraged dylib hijacking by placing malicious dylibs in user-writable directories to execute adware and spyware payloads.

  • Widely distributed through malicious advertisements and fake software updates, impacting thousands of macOS users.

These examples highlight the effectiveness and prevalence of dylib hijacking as a stealthy and impactful technique used by threat actors across various campaigns.