T1574.002 DLL Side-Loading
Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.1
Item | Value |
---|---|
ID | T1574.002 |
Sub-techniques | T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013 |
Tactics | TA0003, TA0004, TA0005 |
Platforms | Windows |
Version | 2.0 |
Created | 13 March 2020 |
Last Modified | 30 March 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0073 | APT19 | APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.56 |
G0022 | APT3 | APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.5815 |
G0050 | APT32 | APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).223168 |
G0096 | APT41 | APT41 used legitimate executables to perform DLL side-loading of their malware.61 |
S0128 | BADNEWS | BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.3536 |
S0127 | BBSRAT | DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.9 |
G0098 | BlackTech | BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.39 |
G0060 | BRONZE BUTLER | BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.64 |
S1063 | Brute Ratel C4 | Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally-signed Microsoft binary OneDriveUpdater.exe.2 |
G0114 | Chimera | Chimera has used side loading to place malicious DLLs in memory.45 |
S1041 | Chinoxy | Chinoxy can use a digitally signed binary (“Logitech Bluetooth Wizard Host Process”) to load its dll into memory.23 |
S0660 | Clambling | Clambling can store a file named mpsvc.dll , which opens a malicious mpsvc.mui file, in the same folder as the legitimate Microsoft executable MsMpEng.exe to gain execution.1320 |
S0354 | Denis | Denis exploits a security vulnerability to load a fake DLL and execute its code.22 |
G1006 | Earth Lusca | Earth Lusca has placed a malicious payload in %WINDIR%\SYSTEM32\oci.dll so it would be sideloaded by the MSDTC service.47 |
S0624 | Ecipekac | Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.28 |
S0554 | Egregor | Egregor has used DLL side-loading to execute its payload.6 |
S0182 | FinFisher | FinFisher uses DLL side-loading to load malicious programs.1819 |
G0093 | GALLIUM | GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.44 |
S0032 | gh0st RAT | A gh0st RAT variant has used DLL side-loading.21 |
S0477 | Goopy | Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.31 |
G0126 | Higaisa | Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.52 |
S0070 | HTTPBrowser | HTTPBrowser has used DLL side-loading.5 |
S0398 | HyperBro | HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.34 |
S0528 | Javali | Javali can use DLL side-loading to load malicious DLLs into legitimate executables.40 |
S0585 | Kerrdown | Kerrdown can use DLL side-loading to load malicious DLLs.8 |
G0032 | Lazarus Group | Lazarus Group has replaced win_fw.dll , an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.65 |
S0582 | LookBack | LookBack side loads its communications module as a DLL into the libcurl.dll loader.10 |
G1014 | LuminousMoth | LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.6766 |
G0045 | menuPass | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.145960 |
S1059 | metaMain | metaMain can support an HKCMD sideloading start method.7 |
S0455 | Metamorfo | Metamorfo has side-loaded its malicious DLL file.242526 |
G0069 | MuddyWater | MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.34 |
G0129 | Mustang Panda | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.484950 |
G0019 | Naikon | Naikon has used DLL side-loading to load malicious DLL’s into legitimate executables.46 |
S0630 | Nebulae | Nebulae can use DLL side-loading to gain execution.37 |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors used the legitimate Windows services IKEEXT and PrintNotify to side-load malicious DLLs.69 |
S0664 | Pandora | Pandora can use DLL side-loading to execute malicious payloads.4 |
G0040 | Patchwork | A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.51 |
S0013 | PlugX | PlugX has used DLL side-loading to evade anti-virus.1551614121311 |
S1046 | PowGoop | PowGoop can side-load Goopdate.dll into GoogleUpdate.exe .3433 |
S0650 | QakBot | QakBot has the ability to use DLL side-loading for execution.32 |
S0629 | RainyDay | RainyDay can use side-loading to run malicious executables.37 |
S0662 | RCSession | RCSession can be installed via DLL side-loading.271311 |
S0074 | Sakula | Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee’s Outlook Scan About Box to load malicious DLL files.17 |
G1008 | SideCopy | SideCopy has used a malicious loader DLL file to execute the credwiz.exe process and side-load the malicious payload Duser.dll .57 |
G0121 | Sidewinder | Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.43 |
S0663 | SysUpdate | SysUpdate can load DLLs through vulnerable legitimate executables.4 |
S0098 | T9000 | During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.38 |
G0027 | Threat Group-3390 | Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as rc.exe , a legitimate Microsoft Resource Compiler.55355354 |
G0081 | Tropic Trooper | Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.6263 |
S0579 | Waterbear | Waterbear has used DLL side loading to import and load a malicious DLL loader.39 |
S0176 | Wingbird | Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.4142 |
S0230 | ZeroT | ZeroT has used DLL side-loading to load malicious payloads.2930 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1013 | Application Developer Guidance | When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.1 |
M1051 | Update Software | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
References
-
Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020. ↩↩
-
Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. ↩
-
Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. ↩↩
-
Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. ↩↩↩
-
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. ↩↩↩
-
Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020. ↩
-
SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. ↩
-
Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. ↩
-
Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. ↩
-
Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. ↩
-
Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. ↩↩
-
Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017. ↩
-
Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. ↩↩↩
-
PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. ↩↩
-
Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016. ↩↩
-
Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014. ↩
-
Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. ↩
-
Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. ↩
-
Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. ↩
-
Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018. ↩
-
Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. ↩↩
-
Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. ↩
-
Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. ↩
-
Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. ↩
-
ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. ↩
-
Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. ↩
-
GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. ↩
-
Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. ↩
-
Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. ↩
-
Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. ↩↩
-
Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. ↩
-
Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. ↩
-
FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. ↩↩
-
Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. ↩
-
Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. ↩
-
Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. ↩↩
-
Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. ↩
-
Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. ↩↩
-
GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. ↩
-
Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. ↩
-
Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017. ↩
-
Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. ↩
-
Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. ↩
-
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. ↩
-
CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. ↩
-
Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. ↩
-
Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. ↩
-
Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. ↩
-
Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. ↩
-
Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. ↩
-
PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. ↩
-
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. ↩
-
Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. ↩
-
Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. ↩
-
Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. ↩
-
Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. ↩
-
Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. ↩
-
Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. ↩
-
Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. ↩
-
Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. ↩
-
Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. ↩
-
Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020. ↩
-
Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. ↩
-
Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022. ↩
-
Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. ↩
-
Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. ↩
-
Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. ↩
-
Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. ↩