Threat actors increasingly rely on unsigned DLL loading to execute payloads, enabling stealthy operations by abusing signed processes. The investigation highlights Stately Taurus (PKPLUG/Mustang Panda) and Selective Pisces (Lazarus Group) and shows how unsigned DLL loading can reveal attacks such as PlugX side-loading and Raspberry Robin campaigns. #StatelyTaurus #PKPLUG #MustangPanda #SelectivePisces #LazarusGroup #RaspberryRobin #PlugX #DreamSecurity #MagicLine4NX
Key points
- Unsigned DLL loading is a common method used by both individual attackers and APT groups to execute payloads, often via unprivileged paths and loaded by signed processes.
- The two main techniques observed are DLL loading by rundll32.exe/regsvr32.exe and DLL order hijacking, each aimed at evading detection while achieving code execution.
- Raspberry Robin was the most frequently observed unsigned DLL loading campaign in the wild over the past six months, followed by other families like Emotet, QakBot, and IcedID.
- Stately Taurus demonstrated DLL side-loading using third-party software (e.g., AvastSvc.exe with wsc.dll and AvastAuth.dat) to load a malicious PlugX payload.
- Selective Pisces (Lazarus Group) used DreamSecurity MagicLine4NX to drop and load modules (mi.dll) and to perform DLL side-loading and persistence via ualapi.dll.
- The article provides hunting queries (XQL) to detect unsigned DLL loads and offers practical guidance on focusing on non-standard directories, high entropy, and scrambled file names to prioritize investigations.
- Defense guidance notes that Cortex XDR can alert on and block malicious DLLs loaded via hijacking techniques and supports prevention of post-exploitation activity.
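An added example, not from the Unit 42 article or its XQL queries, that applies the triage signals listed above to constructed image-load events: an unsigned module, a module outside the standard system and vendor directories, a load via rundll32.exe/regsvr32.exe, a side-loading host running outside its install directory, and a high-entropy (scrambled) module name. The event fields, directory list and weights are assumptions for illustration.

```python
import math
import ntpath

# Constructed image-load events (not from the article); "signed" is the
# Authenticode status of the loaded module as a sensor would report it.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\rundll32.exe", "signed": False,
     "module": r"C:\ProgramData\Qx7zkp2\xqzkdl7pvt.dll"},
    {"process": r"C:\ProgramData\AvastSvc.exe", "signed": False,
     "module": r"C:\ProgramData\wsc.dll"},
    {"process": r"C:\Windows\System32\svchost.exe", "signed": True,
     "module": r"C:\Windows\System32\ntdll.dll"},
    {"process": r"C:\Windows\System32\regsvr32.exe", "signed": False,
     "module": r"C:\Users\Public\update.dll"},
]
# Assumed list of directories where signed system/vendor DLLs normally live.
STANDARD_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\program files", r"c:\program files (x86)")
PROXY_LOADERS = {"rundll32.exe", "regsvr32.exe"}


def shannon_entropy(text):
    """Bits per character; generated/scrambled names score higher."""
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)


def in_standard_dir(path):
    folder = ntpath.dirname(path).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in STANDARD_DIRS)


def score_event(ev):
    """Score one load event with the article's triage signals; weights are illustrative."""
    stem = ntpath.splitext(ntpath.basename(ev["module"]))[0]
    checks = [
        (not ev["signed"], 2, "unsigned module"),
        (not in_standard_dir(ev["module"]), 2, "module outside standard dirs"),
        (ntpath.basename(ev["process"]).lower() in PROXY_LOADERS, 1, "signed proxy loader"),
        (not in_standard_dir(ev["process"]), 1, "host process outside standard dirs"),
        (shannon_entropy(stem) >= 3.0, 1, "high-entropy module name"),
    ]
    hits = [(w, why) for ok, w, why in checks if ok]
    return sum(w for w, _ in hits), [why for _, why in hits]


def triage(events, min_score=4):
    """Modules worth an analyst's time, highest score first."""
    scored = [(score_event(ev)[0], ev["module"]) for ev in events]
    return sorted([s for s in scored if s[0] >= min_score], key=lambda s: -s[0])
```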
MITRE Techniques
- [T1218] Signed Binary Proxy Execution - Rundll32/Regsvr32 abuse to load an unsigned DLL via a signed process. Quote: "...DLL loading by rundll32.exe/regsvr32.exe - While those processes are signed and known binaries, threat actors abuse them to achieve code execution in an attempt to evade detection."
- [T1574.001] DLL Search Order Hijacking - Attacker exploits the search order of legitimate processes to load a malicious DLL. Quote: "...DLL order hijacking - This refers to loading a malicious DLL by abusing the search order of a legitimate process."
- [T1574.002] DLL Side-loading - A malicious DLL is loaded by a legitimate process (e.g., AvastSvc.exe) to execute payloads. Quote: "...The group dropped the payload into the ProgramData folder, which contained three files - a benign EXE file for DLL hijacking (AvastSvc.exe), a DLL file (wsc.dll) and an encrypted payload (AvastAuth.dat)." and "...The loaded DLL appeared to be the PlugX RAT, which loads the encrypted payload from the .dat file."
- [T1053.005] Scheduled Task - Persistence via a scheduled task during attack steps (e.g., Raspberry Robin creating a task to load the DLL at startup). Quote: "Over installation, a scheduled task is created in order to achieve persistence, loading the DLL using rundll32.exe/regsvr32.exe on system start up."
Indicators of Compromise
- [SHA256] 779a6772d4d35e1b0018a03b75cc6f992d79511321def35956f485debedf1493 - Selective Pisces sample associated with unsigned DLL loading.
- [SHA256] 352fb4985fdd150d251ff9e20ca14023eab4f2888e481cbd8370c4ed40cfbb9a - Stately Taurus sample linked to DLL side-loading campaigns.
- [File Name] AvastSvc.exe, wsc.dll - Used in DLL side-loading chains (e.g., PlugX) within ProgramData directories.
- [File Name] AvastAuth.dat - Encrypted payload file accompanying wsc.dll in the AvastSvc side-loading setup.
- [Process] rundll32.exe, regsvr32.exe - Signed executables abused to load unsigned DLLs in the observed campaigns.
- [Threat Actor] Stately Taurus, Selective Pisces - Groups attributed as operators of the unsigned DLL loading campaigns described; the hashes and file names above are linked to these actors.
Read more: https://unit42.paloaltonetworks.com/unsigned-dlls/