Thursday, 04 May 2023 09:34

Double DLL Sideloading, it’s a Thing as Attackers Grow More Sophisticated

Written by

Reading time is around minutes.

DLL sideloading is a common technique for attackers to use when getting their malware in place and has been in use since around 2010. Simply put your malicious DLL in the same directory as the application and Windows in all its helpfulness loads it first instead of the legitimate one that might be in another directory. This method is also referred to as DLL search order hijacking. With the age of this technique and advances in EDR/MDR its usefulness has decreased.

With the depreciation of single DLL Sideloading, attackers, APT-Q-27 in particular, have come up with a new one; Double DLL Sideloading (Double Secret Probation?). This ne technique uses a first and second stage application that is clean. The initial application auto runs the second stage application as part of an auto update function. The second stage application runs a malicious DLL loader that pulls down encrypted instructions for the payload malware.

To accomplish this, the attack relies on someone running the targeted app via the short cut placed during the initial installation. One they do this, the expected app launches followed by a series of commands that end with the payload malware installed. The attack chain includes renamed versions of regsrv32.exe and scrobj.dll which are executed using a DAT file for input. This DAT file contains Java Script which is executed by the renamed scrobj.dll. Once the poisoned app has done its job the targeted system is left with a backdoor shell. The backdoor can run a few commands on the system and appears to target MetaMask Wallets.

Although much more complicated than the standard sideloading, this still has a high probability of being caught under many, if not most, modern EDR/MDRs. The download of the DLL is also not likely to get past next-gen Anti-Malware which is good news. Even with a clean (signed) first and second stage application it is the execution of the encrypted script that should get caught here if you have things set up correctly. SentinelOne, Cylance Protect (Combined with Optics), Sophos, and even MS Defender ATP all stand a good chance of catching and stopping this based on the attack logic flow provided by Sophos.

This could be why the attackers are targeting areas like China, Japan, Singapore, Hong Kong, and the Philippines. These areas have historically been a bit open to attacks of this type. Sophos also says that the bait is poisoned versions of popular applications like Telegram, LetsVPN, and WhatsApp for Windows, iOS, and android. The apps appear to be getting a boost from things like BlackSEO and other malvertising. This puts them higher in the search order making them more likely to be front and center when someone is looking for them.

Read 612 times

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.