Skip to content

T1574.002 DLL Side-Loading

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.1

Item Value
ID T1574.002
Sub-techniques T1574.001, T1574.002, T1574.004, T1574.005, T1574.006, T1574.007, T1574.008, T1574.009, T1574.010, T1574.011, T1574.012, T1574.013
Tactics TA0003, TA0004, TA0005
Platforms Windows
Version 2.0
Created 13 March 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
G0073 APT19 APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.56
G0022 APT3 APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.5815
G0050 APT32 APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).223168
G0096 APT41 APT41 used legitimate executables to perform DLL side-loading of their malware.61
S0128 BADNEWS BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.3536
S0127 BBSRAT DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.9
G0098 BlackTech BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.39
G0060 BRONZE BUTLER BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.64
S1063 Brute Ratel C4 Brute Ratel C4 has loaded a malicious DLL by spoofing the name of the legitimate Version.DLL and placing it in the same folder as the digitally-signed Microsoft binary OneDriveUpdater.exe.2
G0114 Chimera Chimera has used side loading to place malicious DLLs in memory.45
S1041 Chinoxy Chinoxy can use a digitally signed binary (“Logitech Bluetooth Wizard Host Process”) to load its dll into memory.23
S0660 Clambling Clambling can store a file named mpsvc.dll, which opens a malicious mpsvc.mui file, in the same folder as the legitimate Microsoft executable MsMpEng.exe to gain execution.1320
S0354 Denis Denis exploits a security vulnerability to load a fake DLL and execute its code.22
G1006 Earth Lusca Earth Lusca has placed a malicious payload in %WINDIR%\SYSTEM32\oci.dll so it would be sideloaded by the MSDTC service.47
S0624 Ecipekac Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.28
S0554 Egregor Egregor has used DLL side-loading to execute its payload.6
S0182 FinFisher FinFisher uses DLL side-loading to load malicious programs.1819
G0093 GALLIUM GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.44
S0032 gh0st RAT A gh0st RAT variant has used DLL side-loading.21
S0477 Goopy Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.31
G0126 Higaisa Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.52
S0070 HTTPBrowser HTTPBrowser has used DLL side-loading.5
S0398 HyperBro HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.34
S0528 Javali Javali can use DLL side-loading to load malicious DLLs into legitimate executables.40
S0585 Kerrdown Kerrdown can use DLL side-loading to load malicious DLLs.8
G0032 Lazarus Group Lazarus Group has replaced win_fw.dll, an internal component that is executed during IDA Pro installation, with a malicious DLL to download and execute a payload.65
S0582 LookBack LookBack side loads its communications module as a DLL into the libcurl.dll loader.10
G1014 LuminousMoth LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.6766
G0045 menuPass menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.145960
S1059 metaMain metaMain can support an HKCMD sideloading start method.7
S0455 Metamorfo Metamorfo has side-loaded its malicious DLL file.242526
G0069 MuddyWater MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware.34
G0129 Mustang Panda Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.484950
G0019 Naikon Naikon has used DLL side-loading to load malicious DLL’s into legitimate executables.46
S0630 Nebulae Nebulae can use DLL side-loading to gain execution.37
C0012 Operation CuckooBees During Operation CuckooBees, the threat actors used the legitimate Windows services IKEEXT and PrintNotify to side-load malicious DLLs.69
S0664 Pandora Pandora can use DLL side-loading to execute malicious payloads.4
G0040 Patchwork A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.51
S0013 PlugX PlugX has used DLL side-loading to evade anti-virus.1551614121311
S1046 PowGoop PowGoop can side-load Goopdate.dll into GoogleUpdate.exe.3433
S0650 QakBot QakBot has the ability to use DLL side-loading for execution.32
S0629 RainyDay RainyDay can use side-loading to run malicious executables.37
S0662 RCSession RCSession can be installed via DLL side-loading.271311
S0074 Sakula Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee’s Outlook Scan About Box to load malicious DLL files.17
G1008 SideCopy SideCopy has used a malicious loader DLL file to execute the credwiz.exe process and side-load the malicious payload Duser.dll.57
G0121 Sidewinder Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.43
S0663 SysUpdate SysUpdate can load DLLs through vulnerable legitimate executables.4
S0098 T9000 During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.38
G0027 Threat Group-3390 Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as rc.exe, a legitimate Microsoft Resource Compiler.55355354
G0081 Tropic Trooper Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.6263
S0579 Waterbear Waterbear has used DLL side loading to import and load a malicious DLL loader.39
S0176 Wingbird Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.4142
S0230 ZeroT ZeroT has used DLL side-loading to load malicious payloads.2930

Mitigations

ID Mitigation Description
M1013 Application Developer Guidance When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.1
M1051 Update Software Update software regularly to include patches that fix DLL side-loading vulnerabilities.

Detection

ID Data Source Data Component
DS0022 File File Creation
DS0011 Module Module Load
DS0009 Process Process Creation

References

  1. Amanda Steward. (2014). FireEye DLL Side-Loading: A Thorn in the Side of the Anti-Virus Industry. Retrieved March 13, 2020. 

  2. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. 

  3. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. 

  4. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  5. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. 

  6. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020. 

  7. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. 

  8. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. 

  9. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. 

  10. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. 

  11. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. 

  12. Lancaster, T. and Idrizovic, E.. (2017, June 27). Paranoid PlugX. Retrieved July 13, 2017. 

  13. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  14. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  15. Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016. 

  16. Stewart, A. (2014). DLL SIDE-LOADING: A Thorn in the Side of the Anti-Virus Industry. Retrieved November 12, 2014. 

  17. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 

  18. FinFisher. (n.d.). Retrieved December 20, 2017. 

  19. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. 

  20. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 

  21. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018. 

  22. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. 

  23. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  24. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. 

  25. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. 

  26. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 

  27. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  28. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  29. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018. 

  30. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. 

  31. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  32. Vilkomir-Preisman, S. (2022, August 18). Beating Black Basta Ransomware. Retrieved March 8, 2023. 

  33. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022. 

  34. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. 

  35. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. 

  36. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. 

  37. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. 

  38. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. 

  39. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. 

  40. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  41. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. 

  42. Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017. 

  43. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  44. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 

  45. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

  46. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. 

  47. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  48. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 

  49. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  50. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. 

  51. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  52. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 

  53. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. 

  54. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  55. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. 

  56. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  57. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 

  58. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. 

  59. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  60. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  61. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. 

  62. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. 

  63. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020. 

  64. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. 

  65. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022. 

  66. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. 

  67. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. 

  68. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 

  69. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.