A recent APT campaign highlights how threat actors are adding a layer of complexity to the decade-old DLL sideloading attack, with the aim of avoiding detection and maintaining access to victims' systems.
The known APT group has leveraged the new tactic in attacks targeting Chinese-speaking Windows users - mainly in the Philippines, Japan, Taiwan, Singapore, Hong Kong and China - in order to steal cryptocurrency. Attackers use a website that claims to deliver Chinese-language versions of various applications, like Telegram. While it’s not known how targets first encounter the website (whether it's sent via phishing emails, for instance, or through SEO poisoning), once they download the purported Telegram installer, the sideloading attack begins.
DLL sideloading attacks, long used by threat actors like APT41, Lazarus Group and more, leverage Microsoft’s dynamic-link library (DLL) implementations, which contain code with various functionalities that can be reused by several programs. If an application makes a weak reference to a library (via the manifest specifying which libraries are loaded at runtime), Windows tries to locate the DLL by searching through the directory that loaded the application. Attackers take advantage of this process by putting a malicious DLL in that directory that poses as a legitimate DLL, and then running an application with a weak reference, meaning that the malicious DLL will be loaded and executed. The key here is that the application at the forefront of the attack is legitimate, meaning it won’t be blocked by antivirus protections.
The threat actors observed by Sophos take this attack one step further by adding a second-stage legitimate application into the mix, which is executed after the original application. The first application creates a desktop shortcut that looks for the second application and automatically updates the program, and the second application’s DLL is replaced with a malicious one. This approach is designed to help attackers establish persistence and avoid detection mechanisms, said researchers.
“The latest campaigns add a twist in which a first-stage clean application ‘side’loads a second clean application and auto-executes it,” said Gabor Szappanos with Sophos in an analysis this week. "The second clean application sideloads the malicious loader DLL. After that, the malicious loader DLL executes the final payload.”
After the final payload DLL is loaded into memory and executed, it follows a number of commands, including the abilities to download and execute files, execute commands in a hidden cmd window and get clipboard content. The payload also has a string related to a crypto wallet called MetaMask that is available as a Chrome extension; researchers believe that threat actors are targeting users with this extension installed in order to steal their cryptocurrency.
Researchers say that during their investigation they found several variations of this two-stage application approach used in the sideloading attack. The new alterations made to the DLL sideloading process show that this attack continues to work for threat actors, they said.
“DLL sideloading, first identified in Windows products in 2010 but prevalent across multiple platforms, continues to be an effective and appealing tactic for threat actors,” said Szappanos. “This double-clean-app technique employed by the Dragon Breath [APT] group, targeting a user sector (online gambling) that has traditionally been less scrutinized by security researchers, represents the continued vitality of this approach.”