[MART] - Daily Diary #476 - Malware Techniques - DLL Side Loading

CTAS-MAT ctas-mat at appgate.com
Wed Mar 23 22:29:49 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

03/23/2022 - Diary entry #476:

Following the thread started in our Daily Diary #420, today we will cover a well-known technique used by malware in the wild: DLL Side-Loading.

According to MITRE ATT&CK Framework, DLL Side-Loading is one of the various sub techniques of a technique called Hijack Execution Flow. Threat actors use these techniques to execute their malicious payloads by hijacking the way operating systems run programs. Their purpose is to elevate privileges or evade defenses.

Usually, a software needs DLLs and other files to execute correctly. So, a Side-Loading attack takes advantage of the operating system's DLL search order, loading the required DLL from the same directory as the executable. By knowing this, adversaries may write their malicious payload inside a DLL commonly used by a legitimate software that blindly trusts in the operating system capability to load the required modules.

To accomplish this, the tampered DLL must have the same exported functions (called by the legitimate application) as the original DLL. Then, when the software is executed, the malware would be loaded automatically.

This technique was found in the wild being used by many different threat actors to evade security solutions and disguise as a legitimate process. Our team observed this technique mostly being used by Banker Remote Access Trojans (RATs).

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>

Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220323/330da316/attachment.htm>

More information about the MART mailing list