Threat Research

Lazarus Group Uses the DLL Side-Loading Technique (mi.dll) – ASEC BLOG

Securonix

Researchers tracked the Lazarus group using DLL Side-Loading (T1574.002) to run a malicious DLL via legitimate Windows processes. The attackers staged a backdoor (mi.dll) loaded from the same folder as the host process (wsmprovhost.exe) and used open-source BugTrap code in their distribution, with Initech referenced in the initial compromise. #LazarusGroup #DLLSideLoading #T1574.002 #wsmprovhost.exe #dfrgui.exe #mi.dll #BugTrap #Initech #AhnLab #ASD

Keypoints

  • Lazarus group employed DLL Side-Loading (T1574.002) to cause a malicious DLL to be loaded by legitimate applications.
  • Legitimate MS processes abused include wsmprovhost.exe (Host process for WinRM plug-ins) and dfrgui.exe (Microsoft Drive Optimizer).
  • The backdoor mi.dll is placed in the same folder as the host executable and loaded by wsmprovhost.exe, indicating DLL side-loading in memory.
  • mi.dll’s code is encrypted (AES-128) and decrypted at runtime using a key passed as an argument to load additional malware.
  • Open-source BugTrap project code is used to disguise or distribute the mi.dll payload; the attack targets memory and processes to evade detection.
  • IOC indicators include SCSKAppLink.dll and mi.dll with specific MD5 hashes, and dfgui.exe and wsmprovhost.exe as legitimate files.

MITRE Techniques

  • [T1574.002] DLL Side-Loading – The attackers save a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL’s execution. β€˜The DLL Side-Loading attack technique saves a legitimate application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. In other words, it is a malware execution technique that allows the malicious DLL to be executed first by changing its name to the filename of the normal DLL located in a different path that the legitimate program refers to.’
  • [T1055] Process Injection – The malware loaded mi.dll into the memory space of a legitimate process. β€˜mi.dll is loaded in the corresponding process memory.’
  • [T1027] Obfuscated/Compressed Files and Information – The payload is encrypted and decrypted at runtime. β€˜the malicious mi.dll … includes an additional binary encrypted internally with the AES-128 algorithm, and the moment it is executed, it uses the decryption key transmitted via an argument to decrypt the binary before running an additional malware in the memory.’

Indicators of Compromise

  • [Filename] wsmprovhost.exe – Normal MS file – used as part of the DLL side-loading technique
  • [Filename] dfgui.exe – Normal MS file – used alongside malicious DLL
  • [MD5] 0cc73994988e8dce2a2eeab7bd410fad – SCSKAppLink.dll
  • [MD5] 54b0454163b25a38368e518e1687de5b – mi.dll
  • [Filename] SCSKAppLink.dll – Trojan/Win.Lazardoor.C5266363
  • [Filename] mi.dll – Trojan/Win.LazarLoader.C5226517
  • [Filename] dfgui.exe and wsmprovhost.exe – Normal MS files referenced in the IOC

Read more: https://asec.ahnlab.com/en/39828/