DLL Hijacking abuses legitimate applications by loading malicious DLLs to run unauthorized code. The article surveys a decade of use, notes attacker goals (evasion, persistence, privilege escalation), highlights notable actors, and discusses developer mitigations like digital signatures and controlled loading, plus a proof-of-concept tool. #LazarusGroup #TropicTrooper #Dridex #QBot #APT41
Keypoints
- Definition: DLL Hijacking involves manipulating a benign executable’s dynamic library dependencies to run malicious code.
- Purpose: The main use cases for DLL Hijacking include evasion, persistence, and privilege escalation.
- Common Techniques: Attackers often bundle a benign application with a malicious DLL in the same directory.
- Notable Actors: State-sponsored groups like Lazarus Group and Tropic Trooper frequently utilize DLL Hijacking.
- Developer Mitigations: Tools and techniques exist for developers to prevent DLL Hijacking, including digital signatures and controlled loading of libraries.
- Trends: Attackers often target well-known applications to exploit trust and evade detection.
- Research Findings: The internal structure of malicious DLLs often shows patterns like multiple exports pointing to the same malicious function.
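The "controlled loading" and "bundled malicious DLL" points above translate directly into a detection check. The script below is an added example, not code from the surveyed article or its proof-of-concept tool: it walks the running processes, picks out DLLs that were loaded from the executable's own directory rather than from the Windows system directories (the side-by-side layout the keypoints describe), and reports each one's Authenticode status together with whether its signer matches the signer of the host executable. The trusted-directory allow-list and the decision to report only same-directory DLLs are assumptions to tune for a given estate; run it from an elevated session so protected processes can be inspected.

```powershell
# Added example (not from the article): list DLLs loaded from a process's own
# directory and show their signature status. Assumes an elevated session and
# that $trustedRoots is a defender-tuned allow-list (constructed here).

$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS"
)

function Test-UnderTrustedRoot {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    # Protected or other-session processes throw when their modules are read; skip them.
    try { $modules = $proc.Modules } catch { continue }
    if (-not $proc.Path) { continue }

    $exeDir = Split-Path -Parent $proc.Path
    $exeSig = Get-AuthenticodeSignature -FilePath $proc.Path

    foreach ($m in $modules) {
        if ($m.FileName -eq $proc.Path) { continue }          # the EXE itself
        if ($m.FileName -notmatch '\.dll$') { continue }
        if (Test-UnderTrustedRoot $m.FileName) { continue }    # normal system DLLs
        if ((Split-Path -Parent $m.FileName) -ne $exeDir) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        $sameSigner = $sig.SignerCertificate -and $exeSig.SignerCertificate -and
                      ($sig.SignerCertificate.Thumbprint -eq $exeSig.SignerCertificate.Thumbprint)

        [pscustomobject]@{
            Process          = $proc.ProcessName
            PID              = $proc.Id
            Dll              = $m.ModuleName
            Path             = $m.FileName
            SigStatus        = $sig.Status
            SignerMatchesExe = [bool]$sameSigner
        }
    }
}

# Unsigned or invalidly signed DLLs whose signer differs from the EXE's are the
# ones to triage first; a vendor DLL signed by the same publisher is the normal case.
$findings | Sort-Object SigStatus, SignerMatchesExe, Process | Format-Table -AutoSize
```

`Get-AuthenticodeSignature` only tells you whether a file carries a valid signature, not whether it belongs next to that executable; the `SignerMatchesExe` column is what separates a vendor's own side-by-side DLL from one dropped in beside a trusted binary, which is the combination a controlled-loading policy in the application itself would have refused.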
MITRE Techniques
- [T1218.011] DLL Search Order Hijacking – Attackers place a malicious DLL in the same directory as a benign executable, exploiting the search order so that the malicious DLL is loaded instead of the legitimate one.
- [T1218.010] DLL Sideloading – Malicious DLLs are loaded through the Side-by-Side (SxS) assembly mechanism, which the executable does not properly validate.
Indicators of Compromise
- [File Name] context – nvSmartEx.exe, form.exe, and 2 more items
- [DLL Name] context – dbgeng.dll, jli.dll, and 2 more items
- [File Name] context – java-rmi.exe, LBTWizGi.exe, and 2 more items
- [File Path] context – C:\Windows\System32\ws2_32.dll, and 2 more paths