Windows continues to dominate the desktop and laptop operating system market with a 76% market share. Given this dominance, it’s perhaps unsurprising that most malware targets Windows operating systems. But with the majority of companies deploying advanced antivirus tools on their endpoints, threat actors need to figure out how to evade these defenses.
A technique that’s often effective in tricking Windows systems into loading malicious code is DLL side-loading. The DLL side-loading technique regularly pops up when security analysts probe advanced persistent threats (APTs) to find out how they work. This article explains what DLL side-loading is, why it’s effective and some mitigation tips to stop it from reaching its target.
A dynamic-link library (DLL) is a shared library of reusable code that different applications can load at runtime in Windows operating systems. These DLLs contain functions and instructions that other programs can call upon when needed. The benefits of DLLs include more efficient use of memory and facilitating modularity (you can change the code in a DLL without needing to change all the applications that use it).
DLL side-loading is a technique that takes advantage of how the Windows loader locates the libraries a program asks for. An executable names its dependencies in its import table and, optionally, in an application manifest, an XML document embedded in the binary or shipped beside it that can pin each dependency to a specific assembly identity. When a reference is just a bare file name, with nothing tying it to a path, version or publisher, the loader walks its search order and binds the first file of that name it finds, and the directory the executable runs from is searched first. Attackers therefore look for legitimate, ideally signed, applications whose DLL references are this loose.
The Windows Side-by-Side (WinSxS) manifest case is the classic description of the flaw: a manifest that is not explicit enough about the identity of the assembly it depends on lets the loader accept a different file than the developer intended. In practice the attacker does not need to touch the protected WinSxS store at all; dropping a DLL with the expected name next to the legitimate executable, or replacing a DLL the program ships with, is enough to have that trusted program load the malicious code into its own process.
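To make the search-order point concrete, here is an added example (not code from the original article) that models the default Windows DLL search order with SafeDllSearchMode enabled and a constructed subset of the KnownDLLs list, then classifies a program's imports by whether a same-named file placed next to the executable would be picked up. The directory layout, import list and file names are constructed for illustration; on a real target the import list would come from `dumpbin /imports` or Process Monitor.

```python
"""Predict which imports of a Windows application can be side-loaded.

Added example for this article, not code from the original page. It models
the default DLL search order (SafeDllSearchMode enabled) and a constructed
subset of the KnownDLLs list; the directory layout and import list below are
constructed stand-ins for what `dumpbin /imports` or Process Monitor would
show for a real executable.
"""
from __future__ import annotations

SYSTEM_DIR = r"C:\Windows\System32"
WINDOWS_DIR = r"C:\Windows"

# Constructed subset. The real list is in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs; the loader
# always maps these from the system directory, so a same-named file next to
# the application cannot shadow them.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll", "ole32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: list[str]) -> list[str]:
    """Default order with SafeDllSearchMode on: application directory,
    System32, the 16-bit system directory, the Windows directory, the
    current directory, then each PATH entry."""
    return [app_dir, SYSTEM_DIR, rf"{WINDOWS_DIR}\System", WINDOWS_DIR, cwd, *path_dirs]


def resolve(dll: str, app_dir: str, fs: set[str], cwd: str | None = None,
            path_dirs: tuple[str, ...] = ()) -> str | None:
    """Return the path the loader would bind `dll` to, or None if absent.

    `fs` is the set of files that exist (case-insensitive, a constructed
    stand-in for the disk). Only the bare name is consulted, which is exactly
    the "vague" reference side-loading relies on: no path, no version, no
    publisher binding.
    """
    name = dll.lower()
    present = {p.lower() for p in fs}
    if name in KNOWN_DLLS:
        return rf"{SYSTEM_DIR}\{name}"
    for directory in search_order(app_dir, cwd or app_dir, list(path_dirs)):
        candidate = rf"{directory}\{name}"
        if candidate.lower() in present:
            return candidate
    return None


def classify_imports(imports: list[str], app_dir: str, fs: set[str]) -> dict[str, str]:
    """Label each import: 'known-dll' (cannot be shadowed), 'app-dir' (bound to
    a file in the program's own folder; swapping that file is the classic
    side-load), 'shadowable' (bound elsewhere today, so a same-named file
    dropped into app_dir would win), or 'missing'."""
    labels: dict[str, str] = {}
    for dll in imports:
        if dll.lower() in KNOWN_DLLS:
            labels[dll] = "known-dll"
            continue
        bound = resolve(dll, app_dir, fs)
        if bound is None:
            labels[dll] = "missing"
        elif bound.lower().startswith(app_dir.lower() + "\\"):
            labels[dll] = "app-dir"
        else:
            labels[dll] = "shadowable"
    return labels


# Constructed scenario: a tool extracted from a phishing archive into the
# user's Downloads folder, importing one KnownDLL and two ordinary system
# DLLs by bare name.
APP_DIR = r"C:\Users\victim\Downloads\Tool"
IMPORTS = ["KERNEL32.dll", "VERSION.dll", "dbghelp.dll"]
CLEAN_FS = {
    rf"{APP_DIR}\tool.exe",
    rf"{SYSTEM_DIR}\kernel32.dll",
    rf"{SYSTEM_DIR}\version.dll",
    rf"{SYSTEM_DIR}\dbghelp.dll",
}
# Same layout after the attacker bundles two same-named DLLs with the tool.
PLANTED_FS = CLEAN_FS | {rf"{APP_DIR}\kernel32.dll", rf"{APP_DIR}\version.dll"}

if __name__ == "__main__":
    for label, fs in (("clean", CLEAN_FS), ("planted", PLANTED_FS)):
        print(label)
        for dll in IMPORTS:
            print(f"  {dll:14} -> {resolve(dll, APP_DIR, fs)}")
    print(classify_imports(IMPORTS, APP_DIR, CLEAN_FS))
```

Note what the model says about the two kinds of import: a KnownDLL such as kernel32.dll cannot be shadowed no matter what is dropped beside the program, while version.dll, which the program asks for only by name and which is not on the KnownDLLs list, is bound to whatever file of that name is found first, and the application directory is first in line. That loose reference is what the side-loading attacker looks for.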
The typical DLL side-loading attack starts with a targeted (spear) phishing email. The email carries an archive, usually a .zip or .rar file, that holds a genuine program with the malicious DLL sitting next to it, along with a convincing pretext to persuade the recipient to extract and run the program.
Because the executable itself is genuine, and often digitally signed, antivirus tools that inspect it find nothing wrong. Under the hood, though, the program acts as a loader: it asks for a DLL by name, finds the attacker's copy first and runs it inside a trusted process. From there the malicious DLL can launch further processes, decrypt later stages and connect to command-and-control servers.
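The delivery shape just described, an archive holding a genuine executable with DLLs beside it, can be screened at the mail gateway or in triage. The following is an added example, not code from the original article: it opens a zip, identifies portable executables by their header rather than their extension, distinguishes DLLs from EXEs by the IMAGE_FILE_DLL characteristic, and reports folders that contain both. The archive it inspects is built in memory from constructed header-only stubs so the check runs offline.

```python
"""Flag archives that bundle a PE executable with DLLs in the same folder,
the usual delivery shape of a DLL side-loading lure.

Added example, not from the original article. The archive built below is
constructed in memory (header-only PE stubs, not real programs) so the
check runs offline; in production the bytes come from a mail gateway or
sandbox.
"""
from __future__ import annotations

import io
import struct
import zipfile
from collections import defaultdict

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLLs


def pe_kind(data: bytes) -> str | None:
    """Classify a buffer as 'exe' or 'dll' from its PE headers, or None if it
    is not a PE. Extension is ignored: a renamed DLL still starts with 'MZ'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the 4-byte signature; Characteristics is its last
    # field, at offset 18 within the 20-byte header.
    characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def make_stub(is_dll: bool) -> bytes:
    """Constructed minimal PE header (DOS header + 'PE\\0\\0' + COFF header)
    for the demo archive. Not executable, just enough for pe_kind()."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    chars = 0x2022 if is_dll else 0x0022    # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE (| DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff


def find_sideload_bundles(zip_bytes: bytes) -> dict[str, dict[str, list[str]]]:
    """Return folders inside the archive that hold at least one EXE and one
    DLL, keyed by folder, with the member names found in each."""
    by_dir: dict[str, dict[str, list[str]]] = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # headers only; no need to inflate the whole member
            kind = pe_kind(head)
            if kind is None:
                continue
            folder = info.filename.rsplit("/", 1)[0] if "/" in info.filename else ""
            by_dir[folder][kind].append(info.filename)
    return {d: m for d, m in by_dir.items() if m["exe"] and m["dll"]}


def build_lure_archive() -> bytes:
    """Constructed phishing attachment: a decoy document next to a program,
    a same-named system DLL and a DLL hiding behind another extension, plus
    an unrelated folder that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("EU_Guidance/Guidance.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("EU_Guidance/Viewer.exe", make_stub(is_dll=False))
        zf.writestr("EU_Guidance/version.dll", make_stub(is_dll=True))
        zf.writestr("EU_Guidance/helper.bin", make_stub(is_dll=True))
        zf.writestr("Notes/readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for folder, members in find_sideload_bundles(build_lure_archive()).items():
        print(f"{folder or '.'}: exe={members['exe']} dll={members['dll']}")
```

Treat a hit as a triage signal, not a verdict: plenty of legitimate software ships an executable with its DLLs in one folder, so the next questions are whether the executable is signed by a known vendor, whether the DLLs beside it are signed by the same vendor, and whether a DLL name matches one the executable would normally pull from System32.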
The effectiveness of DLL side-loading in evading antivirus defenses makes it a popular choice in many modern cyberattacks:
The notorious REvil ransomware gang used DLL side-loading against a Microsoft-signed file, MsMpEng.exe, which, ironically, is the executable for the Microsoft Malware Protection Engine. At run time MsMpEng.exe loaded the gang's ransomware binary, which had been placed beside it under the name of a legitimate DLL the engine expects, MpSvc.dll.
Tactics like this led the REvil gang members to net an estimated profit of $100 million from their ransomware operations. DLL side-loading proves useful in these multi-phase ransomware attacks that require payload delivery, evasion of common defenses and persistence.
The APT group Mustang Panda used DLL side-loading in a campaign that targeted organizations in Europe and Asia Pacific regions in 2022. The campaign piggybacked off the geopolitical instability instigated by the ongoing Russia-Ukraine war. Targets received compressed email attachments alluding to “Political Guidance for the new EU approach toward Russia.”
Executing a file from the attachment starts the attack chain. DLL side-loading is used to load a malicious DLL, which executes shellcode; the shellcode then decrypts and runs the final payload in memory, a PlugX implant. The PlugX remote access trojan has regularly been used by Chinese threat actors for cyber espionage, offering data exfiltration, keystroke logging and backdoor functionality.
Babuk is a ransomware strain that emerged in 2021 and affected several large enterprises through double extortion attacks that locked down their systems and exfiltrated sensitive documents. The full source code for Babuk was released by one of the gang’s members in 2021. This leak provided the information needed for anyone to create their own ransomware executable based on Babuk.
In November 2022, a Babuk variant emerged that hit a large manufacturing company. This variant achieves DLL side-loading through a legitimate Windows debugging tool that loads a supporting library by name without validating where it comes from. A malicious DLL carrying that library's name is picked up in place of the genuine one, and loading it carries the attack forward until the final payload is delivered.
Because this technique evades standard antivirus solutions, detecting and mitigating it calls for a more targeted and proactive approach than file scanning alone.
The prevalence of DLL side-loading in advanced cyberattacks highlights the value of effective detection and response capabilities. Organizations that rely solely on their antivirus or anti-malware solutions are in for a rude awakening. Detection and response come from skilled analysts working with real-time telemetry (which process loaded which DLL, from which path, carrying what signature), good tooling and current threat data to unearth DLL side-loading.
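As an added example of what that telemetry-driven detection looks like (not code from the original article or from any product), the following runs three side-loading checks over constructed records shaped like Sysmon Event ID 7 (ImageLoad) entries: an unsigned or invalidly signed DLL, a DLL loaded from the same user-writable folder as its host executable, and a well-known DLL name resolved from outside the directory it normally lives in. The allowlist of expected directories is an assumption to be built from a known-good image, and the Defender platform version folder in the sample is made up.

```python
"""Detection logic for DLL side-loading over image-load telemetry.

Added example for this article, not code from the original page or from any
vendor product. The records below are constructed to look like Sysmon Event
ID 7 (ImageLoad) entries, using that event's field names; the allowlist of
where particular DLL names are expected to live is an assumption to be
populated from a known-good build of your own estate.
"""
from __future__ import annotations

import ntpath

# Directories an ordinary user can write to. A DLL loaded from here, out of
# the same folder as the process that loaded it, is the delivery shape the
# article describes (archive extracted into a profile folder).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\")

# Constructed allowlist: where a DLL of this name legitimately lives. Loading
# a same-named file from anywhere else is the side-loading signal. Add
# per-application exceptions from a golden image before deploying.
EXPECTED_HOME = {
    "version.dll": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "mpsvc.dll": ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                  "c:\\program files\\windows defender\\"),
}


def _dir(path: str) -> str:
    """Lower-cased directory of a Windows path with a trailing backslash, so
    prefix comparisons behave (ntpath handles Windows separators on any OS)."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def analyze_image_load(ev: dict) -> list[str]:
    """Return the suspicious traits found in one ImageLoad record."""
    if ev.get("EventID") != 7:
        return []
    host_dir = _dir(ev["Image"])
    dll_dir = _dir(ev["ImageLoaded"])
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    tags: list[str] = []
    # 1. The legitimate host is usually signed; the planted DLL usually is not.
    if ev.get("SignatureStatus") != "Valid":
        tags.append("dll-unsigned-or-invalid")
    # 2. DLL sits beside the executable in a user-writable location: the loader
    #    searches the application directory first, so that is where a planted
    #    copy wins.
    if dll_dir == host_dir and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        tags.append("dll-beside-exe-in-user-writable-dir")
    # 3. A well-known DLL name resolved from outside its expected directory.
    homes = EXPECTED_HOME.get(dll_name)
    if homes and not dll_dir.startswith(homes):
        tags.append("known-dll-name-outside-expected-dir")
    return tags


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Flagged (ImageLoaded, tags) pairs, in input order."""
    out: list[tuple[str, list[str]]] = []
    for ev in events:
        tags = analyze_image_load(ev)
        if tags:
            out.append((ev["ImageLoaded"], tags))
    return out


# Constructed sample telemetry (Sysmon Event ID 7 field names).
EVENTS = [
    # Benign: a system binary loading version.dll from System32.
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # Side-load from an extracted phishing archive.
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\Tool\Viewer.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Tool\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # REvil-style shape from the article: the Defender engine binary dropped
    # into a non-Defender directory next to an unsigned MpSvc.dll.
    {"EventID": 7, "Image": r"C:\Windows\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\MpSvc.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Benign: the genuine engine loading its own signed MpSvc.dll (the
    # platform version folder name is made up for this sample).
    {"EventID": 7,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MsMpEng.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0000.0-0\MpSvc.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for dll, tags in triage(EVENTS):
        print(dll, "->", ", ".join(tags))
```

The third check is the one that catches the REvil shape: the engine binary in a directory it should never run from, loading an MpSvc.dll that is neither signed nor in a Defender platform folder. The second check needs no allowlist at all and is the cheapest place to start; its false positives are legitimate portable tools run from a profile folder, which can be reviewed against the first check.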