Hackers are Using DLL “Sideloading” to Avoid Detection
May 4th, 2023
Recently, an Advanced Persistent Threat (APT) group known as “Dragon Breath,” “Golden Eye Dog,” or “APT-Q-27” has been using complex variations of the classic Dynamic Link Library (DLL) sideloading technique to target Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.
This new trend in cyber threats is significant because it achieves evasion, obfuscation, and persistence, making it difficult for defenders to identify and stop the attack.
The APT-Q-27 group is targeting Chinese-speaking Windows users with trojanized apps for Android, iOS, or Windows that have been localized for people in China. The attackers use several complex variations of the classic DLL sideloading technique to evade detection.
A Dynamic Link Library (DLL) is a file format used by Microsoft Windows to store executable code and data that can be shared across multiple applications. DLL files contain reusable code and resources that are loaded into memory when an application needs them, which lets applications share common functions and reduces the memory and disk space required to run multiple programs.
DLL sideloading is a technique in which the attacker places a malicious DLL with the same name as a legitimate, required DLL in an application’s directory. Because Windows searches the application’s own directory before the system folders, it loads the local malicious DLL instead of the genuine one when the user launches the executable, so the attacker’s code runs inside the trusted, signed application with that application’s privileges and can execute commands on the host.
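An added triage check, not code from the advisory or from Acreto, showing how the search-order shadowing described above can be spotted on disk: it flags DLLs in an application directory that carry the name of a System32 DLL while skipping KnownDLLs, which the loader never takes from the local folder. The application inventory, publisher names and the KnownDLLs subset are constructed for the example.

```python
"""Triage check for DLL search-order shadowing.

Given an inventory of an application directory (constructed below; in
practice produced by a filesystem scan plus Authenticode verification),
flag DLLs whose file name matches a DLL shipped in System32: the
application directory is searched before the system directories, so a
local copy wins.  KnownDLLs are skipped because the loader always maps
those from the KnownDLLs section, whatever sits beside the EXE."""
from pathlib import PureWindowsPath

# Representative subset; the authoritative list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll", "gdi32.dll", "ole32.dll", "shell32.dll"}

def sideload_candidates(app_files, system32_dlls, known_dlls=KNOWN_DLLS):
    """Return (dll_name, reason) for local DLLs that shadow a System32 DLL.

    app_files: list of {"path": str, "signer": str | None}; signer is the
    Authenticode publisher of the file, or None when it is unsigned.
    """
    system32 = {n.lower() for n in system32_dlls}
    known = {n.lower() for n in known_dlls}
    # A DLL signed by the application's own publisher, or by Microsoft,
    # next to the EXE is the expected case; anything else needs a look.
    trusted = {f["signer"] for f in app_files
               if f["path"].lower().endswith(".exe") and f["signer"]}
    trusted.add("Microsoft Windows")
    findings = []
    for f in app_files:
        name = PureWindowsPath(f["path"]).name.lower()
        if not name.endswith(".dll") or name not in system32 or name in known:
            continue
        if f["signer"] is None:
            findings.append((name, "unsigned local copy of a System32 DLL"))
        elif f["signer"] not in trusted:
            findings.append((name, f"signed by {f['signer']}, not the publisher"))
    return findings

# Constructed inventory: a signed application with a planted version.dll and
# a stray user32.dll (harmless: user32 is a KnownDLL and is never loaded locally).
APP_DIR = [
    {"path": r"C:\Program Files\ExampleApp\ExampleApp.exe", "signer": "Example Corp"},
    {"path": r"C:\Program Files\ExampleApp\libexpat.dll", "signer": "Example Corp"},
    {"path": r"C:\Program Files\ExampleApp\version.dll", "signer": None},
    {"path": r"C:\Program Files\ExampleApp\user32.dll", "signer": None},
]
SYSTEM32 = {"version.dll", "user32.dll", "userenv.dll", "dbghelp.dll"}
```

Running `sideload_candidates(APP_DIR, SYSTEM32)` reports only the unsigned version.dll; the local user32.dll is ignored because a KnownDLL cannot be shadowed this way.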
The final payload is a backdoor that supports several commands, including system reboot, registry key modification, fetching files, stealing clipboard content, executing commands in a hidden CMD window, and more. The backdoor also targets the MetaMask cryptocurrency wallet Chrome extension, aiming to steal digital assets from victims.
Acreto Solution
Acreto’s solution can help prevent or mitigate this threat by:
Isolating the trojanized apps and limiting access to authorized Ecosystem members. With micro-segmentation and nano-segmentation, Acreto can limit access to only systems that need to interoperate together, making it harder for attackers to move laterally and achieve persistence on the network.
By using an Acreto Ecosystem, you can divide groups of systems on any shared network, including hostile networks or the entire network, into smaller segments that can be managed and protected independently.
Meanwhile, nano-segmentation provides even more granular security by isolating individual systems, devices, or applications, thereby limiting access only to other authorized members of the ecosystem.
By implementing these segmentation solutions, organizations can greatly reduce their attack surface, enhance their visibility and control, and ensure that their critical assets and data are well-protected.
Ecosystem Security Isolation
Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.
Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.
Ecosystems can be configured as:
Open → With inbound or outbound access from or to the Internet or a third-party
Closed → Fully contained with access limited to Ecosystem members
Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.
Assets Acreto Secures
Supported Technologies Detail
- Access Technologies
  - Devices
    - Computer (Org Owned or BYOD)
    - Mobile Phone / Tablet (Org Owned or BYOD)
  - Offices
    - Headquarters
    - Branch
    - Small Office / Home Office
  - Internet-of-Things (IoT)
    - ATMs
    - HVAC
    - Elevator Controls
    - Fire Safety
    - Smart TV
    - many more…
  - Third Parties
    - Offices
    - Devices
    - Remote Users
- Application Delivery Technologies
  - Data Center
    - Networks
    - Servers
    - Virtual Machines
    - Containers
  - Clouds
    - Cloud Instances
    - Cloud VPCs / Cloud Networks
  - SaaS / Third-Party Applications
Eliminate the Internet Attack Surface
Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.
Eliminate the Internal Attack Surface
Ecosystems can easily isolate individual or groups of systems on a shared network or entire networks, to limit access only to systems that need to interoperate together. This is done with
- Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks or the entire network.
- Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.
Isolated Data Flows
Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.
Encrypted Secure Scan
Secure Scan addresses a key weakness in many security tools today. More than 90% of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.
Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.
Controls
Access Control
Identity with MFA
- User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump, among others.
- Device: Assigns a unique identity to each device so that a device which does not rely on a user to operate, such as an autonomous application or IoT device, can be validated as allowed to join the Ecosystem.
Network Protocol / Port
Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Protocol
Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Application Program
Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem members or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.
Content
Content Category
Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.
File Type Upload / Download Controls
Control the upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.
Data Leak Prevention
Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:
- Credit Cards Upload / Download Controls
- Social Security Number Upload / Download Controls
- RegEx Pattern Upload / Download Controls
Threat Prevention
After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:
- Threat Signature: Identifies and mitigates known bad exploits, malware, botnets and ransomware.
- Zero-Day Behavioral Analysis: Looks for behavioral indications of threats based on how system functions react to the payload, immediately and over time.
Simplicity
Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.
Provisioning an Ecosystem takes 3-5 minutes. Simply provide a unique name for the Ecosystem, then choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.
Depending on the connection options for your Ecosystem members, deployment takes between 10 minutes and a few hours.
Sustainability
Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.
Change Management
Different Ecosystems operate completely independently from one another. Therefore, change management impacts only the members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.
Policy Management
Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes its policies. This has traditionally been a complex task that is at best inaccurate.
Mechanism of Attack
APT-Q-27 uses a double DLL sideloading technique to execute a trojanized app:
- The victim executes the installer of the trojanized app.
- The installer drops components on the system and creates a desktop shortcut and a system startup entry.
- When the victim launches the desktop shortcut, a command is executed on the system.
- The command runs a renamed version of ‘regsvr32.exe’ (‘appR.exe’) to execute a renamed version of ‘scrobj.dll’ (‘appR.dll’) and supplies a DAT file (‘appR.dat’) as input to it.
- The DAT file contains JavaScript code for execution by the script execution engine library (‘appR.dll’).
- The JavaScript code launches the Telegram app user interface in the foreground while installing various sideloading components in the background.
- The installer loads a second-stage application using a clean dependency (‘libexpat.dll’) to load a second clean application as an intermediate attack stage.
- The final payload DLL is decrypted from a txt file (‘templateX.txt’) and executed on the system.
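An added detection example, not part of the original write-up, that runs over constructed Sysmon-style telemetry for the chain above: renaming ‘regsvr32.exe’ to ‘appR.exe’ and ‘scrobj.dll’ to ‘appR.dll’ does not change the OriginalFileName in their PE version resource, so the rule keys on that field and then correlates both halves in one process. The paths, event values and field subset are assumptions for the example.

```python
"""Detection of the renamed regsvr32/scrobj chain over constructed Sysmon-style
events (EventID 1 process create, EventID 7 image load); values are invented."""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Proxy-execution components whose identity survives a rename because the
# PE version resource (OriginalFileName) is left untouched.
WATCHED = {"regsvr32.exe", "scrobj.dll"}

EVENTS = [  # constructed sample telemetry
    {"EventID": 1, "Image": r"C:\Users\v\AppData\Roaming\App\appR.exe",
     "OriginalFileName": "REGSVR32.EXE", "CommandLine": "appR.exe appR.dat"},
    {"EventID": 7, "Image": r"C:\Users\v\AppData\Roaming\App\appR.exe",
     "ImageLoaded": r"C:\Users\v\AppData\Roaming\App\appR.dll",
     "OriginalFileName": "scrobj.dll"},
    {"EventID": 7, "Image": r"C:\Users\v\AppData\Roaming\App\Telegram.exe",
     "ImageLoaded": r"C:\Users\v\AppData\Roaming\App\libexpat.dll",
     "OriginalFileName": "libexpat.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE", "CommandLine": "regsvr32.exe /s x.dll"},
]

def _name(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, event_index) hits for individually suspicious events."""
    hits = []
    for i, ev in enumerate(events):
        orig = ev.get("OriginalFileName", "").lower()
        if orig not in WATCHED:
            continue
        if ev["EventID"] == 1 and _name(ev["Image"]) != orig:
            hits.append(("renamed_system_binary", i))      # appR.exe is regsvr32
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"]
            if _name(loaded) != orig or not loaded.lower().startswith(SYSTEM_DIRS):
                hits.append(("renamed_or_relocated_system_dll", i))  # appR.dll is scrobj
    return hits

def correlate(events):
    """Processes flagged as a renamed binary that also loaded a flagged DLL:
    both halves of the chain in one process is the high-confidence signal."""
    rules = defaultdict(set)
    for rule, i in detect(events):
        rules[events[i]["Image"].lower()].add(rule)
    return sorted(p for p, r in rules.items()
                  if {"renamed_system_binary", "renamed_or_relocated_system_dll"} <= r)
```

The benign regsvr32 launch from System32 and the Telegram/libexpat load produce no hit, so the only correlated process is the renamed ‘appR.exe’.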
About Acreto
Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.