Dynamic Linker Hijacking

Information

• Name: Dynamic Linker Hijacking

• ID: T1574.006

• Tactics: TA0003, TA0004, TA0005

• Technique: T1574

Introduction

Dynamic Linker Hijacking (T1574.006) is a sub-technique under the MITRE ATT&CK framework, categorized within the Hijack Execution Flow technique (T1574). This sub-technique involves attackers manipulating the dynamic linker or loader of an operating system to execute malicious code. Attackers typically exploit the dynamic linking mechanism, which is responsible for resolving and loading shared libraries at runtime, to redirect legitimate library calls toward attacker-controlled malicious libraries. By hijacking the dynamic linker, adversaries can stealthily execute malicious payloads, escalate privileges, maintain persistence, or evade detection by security controls.

Deep Dive Into Technique

Dynamic Linker Hijacking leverages the runtime linking process of operating systems, primarily Unix-like systems such as Linux and macOS. Key technical details include:

• Dynamic Linker Overview:

  • The dynamic linker, such as ld.so or ld-linux.so on Linux systems, handles the loading and linking of shared libraries (.so files) at runtime.

  • It resolves dependencies specified in binary executables and loads the necessary libraries into memory.

• Hijacking Mechanisms:

  • LD_PRELOAD Environment Variable:

    • Attackers modify the LD_PRELOAD environment variable to inject malicious shared libraries before legitimate ones.

    • Malicious libraries can intercept and override standard library functions, enabling attackers to execute arbitrary code and manipulate program execution.

  • LD_LIBRARY_PATH Environment Variable:

    • Attackers alter the LD_LIBRARY_PATH environment variable to specify attacker-controlled directories containing malicious libraries.

    • The dynamic linker searches these directories first, allowing attackers to load malicious libraries instead of trusted ones.

  • Binary Modification:

    • Attackers directly modify binaries or configuration files to change dynamic library paths, forcing the linker to load malicious libraries.

  • rpath and runpath Manipulation:

    • Attackers manipulate ELF binary metadata (rpath or runpath) to prioritize attacker-controlled directories for library loading.

• Execution Methods:

  • Malicious shared libraries often include functions with the same names as legitimate libraries, allowing seamless interception and redirection of execution flow.

  • Attackers can inject payloads such as backdoors, keyloggers, credential stealers, or privilege escalation exploits.

• Real-world Procedures:

  • Attackers may exploit misconfigured systems or insecure environment variable settings to perform linker hijacking.

  • They might leverage compromised user accounts, scripts, or cron jobs to set malicious environment variables persistently.

  • This technique is frequently used in conjunction with other tactics, such as privilege escalation, persistence, and defense evasion.

When this Technique is Usually Used

Dynamic Linker Hijacking is typically employed during various stages of an attack lifecycle, including:

• Initial Execution:

  • Attackers may hijack dynamic linkers to execute initial payloads covertly on compromised hosts.

• Privilege Escalation:

  • Attackers exploit linker hijacking to escalate privileges by intercepting privileged processes or services that load shared libraries.

• Persistence:

  • Attackers use linker hijacking to maintain persistence by ensuring malicious libraries load every time a targeted binary executes.

• Defense Evasion:

  • Attackers leverage linker hijacking to bypass security mechanisms, evade antivirus software, and conceal malicious activity by embedding malicious code within trusted processes.

• Lateral Movement:

  • Attackers may propagate malicious libraries across multiple hosts to facilitate lateral movement and expand their foothold within a network.

How this Technique is Usually Detected

Detection methods and indicators of compromise (IoCs) for Dynamic Linker Hijacking include:

• Monitoring Environment Variables:

  • Detect unusual or unexpected modifications to the LD_PRELOAD or LD_LIBRARY_PATH environment variables.

  • Tools like auditd, sysmon for Linux, or endpoint detection and response (EDR) solutions can monitor and alert on suspicious environment variable changes.

• File Integrity Monitoring (FIM):

  • Detect unauthorized or suspicious changes to system binaries, shared libraries, and dynamic linker configuration files (/etc/ld.so.preload, /etc/ld.so.conf, etc.).

  • Tools such as AIDE, Tripwire, or OSSEC can identify unauthorized file modifications.

• Process Monitoring and Auditing:

  • Monitor processes and their loaded shared libraries using tools like lsof, ldd, or strace to identify unexpected or unauthorized libraries.

  • Audit logs from auditd can detect suspicious dynamic library loading events.

• Binary Analysis and Inspection:

  • Regularly inspect ELF binaries (readelf, objdump) for suspicious rpath or runpath entries pointing to unusual directories.

  • Automated scanning tools and scripts can identify binaries with suspicious dynamic linking configurations.

• Indicators of Compromise (IoCs):

  • Presence of suspicious or unknown shared libraries (.so files) in unexpected directories or system paths.

  • Unusual system behavior, such as unexpected privilege escalations, unauthorized access, or suspicious process execution patterns.

  • Log entries indicating attempts to modify linker-related environment variables or configuration files.

Why it is Important to Detect This Technique

Detecting Dynamic Linker Hijacking is crucial due to its significant potential impacts on systems and networks:

• Privilege Escalation:

  • Attackers can escalate privileges by hijacking libraries loaded by privileged processes, potentially gaining root or administrative access.

• Persistence:

  • Linker hijacking enables attackers to maintain persistent access, making eradication difficult without thorough detection and remediation.

• Defense Evasion:

  • Malicious libraries loaded via linker hijacking often evade traditional antivirus and endpoint detection solutions, allowing attackers to operate undetected.

• Data Theft and Espionage:

  • Attackers can intercept sensitive data, credentials, or communications by injecting malicious libraries into legitimate processes.

• System Stability and Integrity:

  • Malicious libraries may cause system instability, crashes, or performance degradation, impacting critical business operations.

• Early Detection Importance:

  • Early detection allows rapid containment and remediation, minimizing damage and preventing attackers from achieving their objectives.

  • Proactive detection helps maintain regulatory compliance, protect sensitive information, and preserve organizational reputation.

Examples

Real-world examples illustrating Dynamic Linker Hijacking include:

• Linux LD_PRELOAD Attacks:

  • Attackers use the LD_PRELOAD environment variable to inject malicious libraries that intercept system calls, such as authentication functions (pam_authenticate), enabling credential theft or unauthorized access.

  • Example: Attackers deploy a malicious shared library to intercept SSH login credentials on Linux servers by modifying the LD_PRELOAD variable.

• Operation Windigo (Ebury Malware):

  • Attackers used linker hijacking techniques to install malicious libraries (libkeyutils.so) on compromised Linux servers.

  • Malicious libraries intercepted SSH authentication mechanisms, stealing credentials and enabling persistent unauthorized access.

• macOS DYLD_INSERT_LIBRARIES Abuse:

  • Attackers exploit the DYLD_INSERT_LIBRARIES environment variable on macOS to inject malicious dynamic libraries into legitimate applications.

  • This technique has been observed in malware campaigns targeting macOS users, enabling attackers to intercept sensitive data and maintain persistence.

• NotPetya Malware:

  • NotPetya ransomware leveraged dynamic linking manipulation and hijacking techniques to execute malicious payloads and spread laterally within networks.

  • Malicious libraries replaced legitimate DLLs, enabling rapid propagation, credential theft, and widespread damage.

• Pupy RAT (Remote Access Trojan):

  • The open-source Pupy RAT framework leverages linker hijacking via LD_PRELOAD to inject payloads into legitimate Linux processes, enabling stealthy remote access and command execution.

In these scenarios, attackers effectively leveraged Dynamic Linker Hijacking to achieve stealth, persistence, privilege escalation, and lateral movement, underscoring the importance of robust detection and defensive measures.