Hard News Hard Hitting News Source Global Political News

Hacker Groups Adding New Double DLL Sideloading Technique to Evade Detection

Security researchers at Sophos recently observed the “Dragon Breath” APT group (also tracked as Golden Eye Dog and APT-Q-27) using elaborate variations of DLL sideloading to avoid detection.

The group's new attack chain abuses clean, signed applications such as Telegram to sideload malicious loader DLLs, which in turn sideload the second-stage payload.

DLL Sideloading

The actors use black-hat SEO and malvertising to promote trojanized versions of Telegram, LetsVPN and WhatsApp, localized for Chinese-speaking users, as bait. The download sites advertise Android, iOS and Windows builds, though the observed payloads target Windows.

According to the Sophos report, the campaign primarily targets Chinese-speaking Windows users in the following countries:

  • China
  • Japan
  • Taiwan
  • Singapore
  • Hong Kong
  • The Philippines

Attackers have exploited DLL sideloading since at least 2010. The technique abuses the order in which Windows searches for Dynamic Link Library (DLL) files that an executable requests by bare name rather than by full path.

To perform DLL sideloading, the attacker places a malicious DLL with the same name as a legitimate dependency in the application's directory.

When the executable starts, the loader checks the application directory before the system directories, so the malicious copy is found first and the legitimate one in System32 is never consulted. The exception is the KnownDLLs set (core libraries such as kernel32.dll and ntdll.dll), which Windows always maps from the system copy regardless of what sits next to the executable; sideloading therefore has to target one of the application's other imports.

The attacker's DLL then runs inside a trusted, signed process: it executes with whatever privileges that process already has (which is why sideloading into an elevated or auto-elevating host is attractive) and borrows the process's reputation, which helps it pass controls that trust signed binaries. Sideloading does not by itself elevate privileges; what it buys is trust and stealth.
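To make the search-order argument concrete, here is an added example (not code from Sophos or from this article): a small Python model of the default Windows DLL search order. It shows that a same-named DLL planted in the application directory is picked over the System32 copy, that the legacy (SafeDllSearchMode off) order additionally exposes the current directory, and that KnownDLLs cannot be hijacked this way. The host layout, the application name and the subset of KnownDLLs are assumptions made for the example; on a real system the list comes from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.

```python
# Added example (not from Sophos or the article): a small model of the default
# Windows DLL search order, showing why a same-named DLL in the application
# directory wins and why KnownDLLs cannot be hijacked this way.
import ntpath

# Hypothetical host layout; a real system derives these from the registry and
# environment.  The 16-bit system directory is omitted for brevity.
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
# Small subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Names listed there are mapped from the \KnownDlls section and never searched on disk.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}


def search_dirs(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories the loader walks, in order, for a DLL requested by bare name.

    safe_search=True models SafeDllSearchMode (the default since XP SP2): the
    application directory comes first and the current directory is demoted below
    the system directories.  safe_search=False is the legacy order, with the
    current directory right after the application directory.
    """
    if safe_search:
        return [app_dir, SYSTEM32, WINDIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32, WINDIR, *path_dirs]


def resolve(dll_name, files, app_dir, cwd, path_dirs=(), safe_search=True):
    """Return (how, full_path) for the file the loader would map for dll_name.

    files is the set of full paths present on the modelled host; comparison is
    case-insensitive, as on NTFS by default.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        # KnownDLLs short-circuit the search: a kernel32.dll planted next to the
        # EXE is ignored, so sideloading has to target some other import.
        return "knowndll", ntpath.join(SYSTEM32, name)
    present = {p.lower() for p in files}
    for d in search_dirs(app_dir, cwd, path_dirs, safe_search):
        candidate = ntpath.join(d, name)
        if candidate.lower() in present:
            return "search", candidate
    return "missing", None


def hijackable_imports(imports, app_dir, cwd, path_dirs=()):
    """Imports an attacker who can write to app_dir could satisfy with a planted
    DLL, i.e. every bare-name import that is not a KnownDLL."""
    out = []
    for imp in imports:
        how, path = resolve(imp, {ntpath.join(app_dir, imp)}, app_dir, cwd, path_dirs)
        if how == "search" and ntpath.dirname(path).lower() == app_dir.lower():
            out.append(imp)
    return sorted(out)


if __name__ == "__main__":
    app_dir = r"C:\Program Files\CleanApp"          # hypothetical trusted app
    cwd = r"C:\Users\sample"
    host = {ntpath.join(app_dir, "cleanapp.exe"),
            ntpath.join(SYSTEM32, "version.dll"),
            ntpath.join(SYSTEM32, "kernel32.dll")}
    print(resolve("version.dll", host, app_dir, cwd))     # System32 copy, before the attack
    host.add(ntpath.join(app_dir, "version.dll"))         # attacker plants a same-named DLL
    print(resolve("version.dll", host, app_dir, cwd))     # app-dir copy now wins
    host.add(ntpath.join(app_dir, "kernel32.dll"))
    print(resolve("kernel32.dll", host, app_dir, cwd))    # still System32: KnownDLL
    print(hijackable_imports(["kernel32.dll", "version.dll", "dbghelp.dll"], app_dir, cwd))
```

The practical takeaway for defenders is the last call: given an executable's import list, everything that is not a KnownDLL is a candidate for sideloading, so monitoring should focus on those names being loaded from the application directory rather than from System32.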

In this campaign the victim runs the installer for one of the advertised apps, which drops several components on the system.

Technical Analysis

The installer also creates a desktop shortcut and a startup entry for persistence.

When the victim opens the newly created desktop shortcut, the natural first step, it does not launch the application directly; instead it runs the following command:

  • “C:\Users\{redacted}\AppData\Roaming\Tg_B518c1A0Ff8C\appR.exe /s   /n   /u   /i:appR.dat   appR.dll”

The switches are those of regsvr32.exe: /s (silent), /n (do not call DllRegisterServer), /u (unregister) and /i: (pass a string to DllInstall). That combination is the well-known way to make regsvr32 execute a scriptlet, and here the scriptlet passed via /i:, appR.dat, carries JavaScript. When it runs, the JavaScript launches the Telegram user interface in the foreground while the sideloading components are installed in the background without the user's knowledge.

The installer then uses a DLL named ‘libexpat.dll,’ the name of a legitimate dependency, to launch a second clean application that serves as an intermediate stage of the attack.

In one variation, the clean second-stage loader is “XLGame.exe,” signed by Beijing Baidu Netcom Science and Technology Co., Ltd and renamed to “Application.exe.”

Another variation uses an unsigned clean loader named “KingdomTwoCrowns.exe,” which appears to serve no purpose beyond obscuring the execution chain. A third uses a digitally signed clean loader, “d3dim9.exe,” from HP Inc.

This “double DLL sideloading” lets the group evade detection, maintain persistence and obscure its execution chain, which makes it harder for defenders to build reliable detections and protect their networks.

Whichever variation is used, the final payload DLL is decrypted from a file named ‘templateX.txt’ and executed.

DLL sideloading has meanwhile become one of the most widely used techniques in the attacker toolbox.
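As an added example (not part of the Sophos research or this article), the following Python applies three hunts to Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records of the kind you would export to JSON from a SIEM: a renamed regsvr32 recognised by its switch signature or by the OriginalFileName field of its PE version resource, an unsigned DLL loaded from the process's own directory, and the parent/child pairing of two such loads that gives the “double” technique its name. The sample events are constructed: the command line follows the one shown above, but the staging directory, the Telegram.exe and loader.dll names, the OriginalFileName values and the parent/child relationships are assumptions, not observations from the campaign.

```python
# Added example (not from Sophos or the article): hunting logic over Sysmon-style
# process-create (Event ID 1) and image-load (Event ID 7) records, run on
# constructed sample events that mirror the chain described in the article.
import ntpath

SYSTEM_PREFIXES = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def renamed_regsvr32(ev):
    """Event 1: the command line carries regsvr32's scriptlet signature
    (/n and /u together with /i:<file>) but the image is not regsvr32.exe, or
    the PE version resource (OriginalFileName) says REGSVR32.EXE while the file
    on disk is called something else.  Either one means a renamed LOLBin."""
    image = ntpath.basename(ev["Image"]).lower()
    toks = set(ev["CommandLine"].lower().split())
    scriptlet = {"/n", "/u"} <= toks and any(t.startswith("/i:") for t in toks)
    renamed = ev.get("OriginalFileName", "").lower() == "regsvr32.exe" and image != "regsvr32.exe"
    return (scriptlet and image != "regsvr32.exe") or renamed


def is_sideload(ev):
    """Event 7: an unsigned DLL loaded from the process's own directory, which is
    not a Windows system directory.  Noisy for unsigned in-house software, so
    pair it with the signer of the hosting process when hunting."""
    proc_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    return (dll_dir == proc_dir
            and not proc_dir.startswith(SYSTEM_PREFIXES)
            and ev.get("Signed", "").lower() == "false")


def double_sideload_chains(events):
    """Parent/child pairs where both processes sideloaded a DLL, the shape of
    the 'double' technique.  Returns [(parent_image, parent_dlls, child_image, child_dlls)]."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    loads = {}
    for e in events:
        if e["EventID"] == 7 and is_sideload(e):
            loads.setdefault(e["ProcessGuid"], []).append(e["ImageLoaded"])
    chains = []
    for guid, dlls in loads.items():
        parent = procs.get(guid, {}).get("ParentProcessGuid")
        if parent in loads:
            chains.append((procs[parent]["Image"], loads[parent], procs[guid]["Image"], dlls))
    return chains


# Constructed sample events (directory, names and GUIDs are assumptions).
STAGE = r"C:\Users\sample\AppData\Roaming\stage"
EVENTS = [
    # Shortcut target: a renamed regsvr32 running a scriptlet (switches as in the article).
    {"EventID": 1, "ProcessGuid": "{p1}", "ParentProcessGuid": "{p0}",
     "Image": ntpath.join(STAGE, "appR.exe"), "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": f'"{STAGE}\\appR.exe" /s /n /u /i:appR.dat appR.dll'},
    # First clean app (hypothetical name) started by the scriptlet ...
    {"EventID": 1, "ProcessGuid": "{p2}", "ParentProcessGuid": "{p1}",
     "Image": ntpath.join(STAGE, "Telegram.exe"), "OriginalFileName": "Telegram.exe",
     "CommandLine": f'"{STAGE}\\Telegram.exe"'},
    # ... loads a system DLL normally ...
    {"EventID": 7, "ProcessGuid": "{p2}", "Image": ntpath.join(STAGE, "Telegram.exe"),
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # ... and an unsigned DLL from its own directory (hypothetical first-stage loader name).
    {"EventID": 7, "ProcessGuid": "{p2}", "Image": ntpath.join(STAGE, "Telegram.exe"),
     "ImageLoaded": ntpath.join(STAGE, "loader.dll"), "Signed": "false"},
    # Second clean app (XLGame.exe renamed, as in the article) sideloads libexpat.dll.
    {"EventID": 1, "ProcessGuid": "{p3}", "ParentProcessGuid": "{p2}",
     "Image": ntpath.join(STAGE, "Application.exe"), "OriginalFileName": "XLGame.exe",
     "CommandLine": f'"{STAGE}\\Application.exe"'},
    {"EventID": 7, "ProcessGuid": "{p3}", "Image": ntpath.join(STAGE, "Application.exe"),
     "ImageLoaded": ntpath.join(STAGE, "libexpat.dll"), "Signed": "false"},
    # Benign control: the real regsvr32 registering a DLL the normal way.
    {"EventID": 1, "ProcessGuid": "{p4}", "ParentProcessGuid": "{p0}",
     "Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
]


def report(events):
    """Summarise the three hunts as a dict, so the results can be asserted on."""
    return {
        "renamed_regsvr32": [e["Image"] for e in events if e["EventID"] == 1 and renamed_regsvr32(e)],
        "sideloads": [e["ImageLoaded"] for e in events if e["EventID"] == 7 and is_sideload(e)],
        "double_chains": double_sideload_chains(events),
    }


if __name__ == "__main__":
    for key, value in report(EVENTS).items():
        print(key, value)
```

Two design points: the renamed-binary check deliberately does not rely on the file name at all, because appR.exe shows that the name is the one thing the attacker controls, whereas the switch pattern and the version resource are not; and the chain detection works on process ancestry rather than on any particular DLL name, so it would still fire if the group swapped libexpat.dll for another clean dependency, as the variations above suggest it does.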


Source: https://cybersecuritynews.com/double-dll-sideloading-technique-to-evade-detection/
