
T1129 Shared Modules

Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess, LoadLibrary, etc. of the Win32 API. [1]

The module loader can load DLLs:

  • via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;

  • via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);

  • via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;

  • via <file name="filename.extension" loadFrom="fully-qualified or relative pathname"> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.

Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute shared modules to load additional components or features.

Item            Value
ID              T1129
Sub-techniques  No sub-techniques
Tactics         TA0002
Platforms       Windows
Version         2.1
Created         31 May 2017
Last Modified   19 April 2022

Procedure Examples

ID     Name         Description
S0373  Astaroth     Astaroth uses the LoadLibraryExW() function to load additional modules. [17]
S0438  Attor        Attor's dispatcher can execute additional plugins by loading the respective DLLs. [11]
S0520  BLINDINGCAN  BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine. [18]
S0415  BOOSTWRITE   BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules. [8]
S1039  Bumblebee    Bumblebee can use LoadLibrary to attempt to execute GdiPlus.dll. [7]
S0673  DarkWatchman DarkWatchman can load DLLs. [5]
S0567  Dtrack       Dtrack contains a function that calls LoadLibrary and GetProcAddress. [2]
S0661  FoggyWeb     FoggyWeb's loader can call the load() function to load the FoggyWeb DLL into an Application Domain on a compromised AD FS server. [12]
S0032  gh0st RAT    gh0st RAT can load DLLs into memory. [9]
S0203  Hydraq       Hydraq creates a backdoor through which remote attackers can load and call DLL functions. [3][4]
S0607  KillDisk     KillDisk loads and executes functions from a DLL. [15]
S0455  Metamorfo    Metamorfo has used AutoIt to load and execute the DLL payload. [6]
S0501  PipeMon      PipeMon has used a call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode. [14]
S0196  PUNCHBUGGY   PUNCHBUGGY can load a DLL using the LoadLibrary API. [13]
S0603  Stuxnet      Stuxnet calls LoadLibrary then executes exports from a DLL. [10]
S0467  TajMahal     TajMahal has the ability to inject the LoadLibrary call template DLL into running processes. [16]

Mitigations

ID     Mitigation            Description
M1038  Execution Prevention  Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown DLLs from being loaded.

Detection

ID      Data Source  Data Component
DS0011  Module       Module Load
DS0009  Process      OS API Execution
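The loader behaviours listed above (UNC paths, arbitrary local directories, program.exe.local redirection) map directly onto the Module Load data component. The following is an added example, not part of the ATT&CK page or any vendor tool, of triage logic run over a constructed sample of image-load records whose field names are modelled on Sysmon's ImageLoad event (Image, ImageLoaded, Signed); the trusted system directories and known-system-DLL list are assumptions for the example.

```python
import ntpath
import re

# Constructed sample of Sysmon-style "Image loaded" records (values invented for this example).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\GdiPlus.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\GdiPlus.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"\\fileserver\share\plugin.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\app.exe.local\helper.dll", "Signed": "true"},
]

# Assumed baseline: directories from which the OS loader normally resolves system DLLs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumed short list of DLLs that ship with Windows; a copy loaded from elsewhere
# suggests search-order hijacking or sideloading.
KNOWN_SYSTEM_DLLS = {"gdiplus.dll", "ntdll.dll", "kernel32.dll", "version.dll"}


def classify_module_load(event):
    """Return the reasons an image-load record looks suspicious (empty list = benign)."""
    low = event["ImageLoaded"].lower()
    directory, name = ntpath.split(low)
    reasons = []
    if low.startswith("\\\\"):  # UNC path: DLL resolved from a network share
        reasons.append("unc_path")
    if ".local\\" in low:  # program.exe.local redirection directory
        reasons.append("dotlocal_redirect")
    if name in KNOWN_SYSTEM_DLLS and not directory.startswith(SYSTEM_DIRS):
        reasons.append("system_dll_outside_system_dir")
    if re.search(r"\\appdata\\local\\temp\\|\\temp\\", low):
        reasons.append("user_writable_dir")
    # Missing signature is only a qualifier: many benign third-party DLLs are unsigned.
    if reasons and event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    return reasons


def triage(events):
    """Keep only records with at least one finding, as (process, module, reasons)."""
    return [(e["Image"], e["ImageLoaded"], classify_module_load(e))
            for e in events if classify_module_load(e)]
```

Feed real ImageLoad events in the same dict shape and tune SYSTEM_DIRS and KNOWN_SYSTEM_DLLS to the environment's baseline before relying on the findings.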

References

  1. Wikipedia. (2017, January 31). Microsoft Windows library files. Retrieved February 13, 2017.

  2. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

  3. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.

  4. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

  5. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

  6. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

  7. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.

  8. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques. Retrieved October 11, 2019.

  9. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

  10. Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.

  11. Hromcova, Z. (2019, October). AT Commands, TOR-Based Communications: Meet Attor, a Fantasy Creature and Also a Spy Platform. Retrieved May 6, 2020.

  12. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

  13. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

  14. Tartare, M. et al. (2020, May 21). No "Game over" for the Winnti Group. Retrieved August 24, 2020.

  15. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.

  16. GReAT. (2019, April 10). Project TajMahal - a sophisticated new APT framework. Retrieved October 14, 2019.

  17. Salem, E. (2019, February 13). Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data. Retrieved April 17, 2019.

  18. US-CERT. (2020, August 19). MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.