DLL Hijacking attacks: What is it and how to stay protected?

• DLL Hijacking attacks are broadly categorized into three types - DLL search order attack, DLL side-loading attack, and Phantom DLL Hijacking attack.
• For DLL hijacking attack to be successful, it would require an attacker to trick victims to open a file using a vulnerable application from a remote network location.

DLL Hijacking is an attack vector that could allow attackers to exploit Windows applications search and load Dynamic Link Libraries (DLL). If a web app is vulnerable to DLL Hijacking, attackers can load malicious DLLs in the PATH or other location that is searched by the application and have them executed by the application.

Types of DLL Hijacking attacks

DLL Hijacking attacks are broadly categorized into three types,

• DLL search order attack
• DLL side-loading attack
• Phantom DLL Hijacking attack

DLL search order attack - If Windows OS search for the malicious DLL path in a specific order then it is DLL search order attack. Therefore, a malicious DLL can be placed in the search order, and the executable will load it.

DLL side-loading attack - DLL side-loading attack leverages WinSxS directory.

Phantom DLL Hijacking - Phantom DLL Hijacking attack uses very old DLLs that are still attempted to be loaded by apps. Attackers use this tactic and give the malicious DLL name in the Search Path and the new malicious code will be executed.

How does it work?

For DLL hijacking attack to be successful, it would require an attacker to trick victims to open a file using a vulnerable application from a remote network location. If the vulnerable application tries to load an external DLL from the same location, the attack will most likely be successful.

Examples of DLL Hijacking

Example 1 - Farseer malware employs DLL sideloading technique

Unit 42 research team recently uncovered a new malware dubbed Farseer that frequently-targets the Microsoft Windows operating system. Farseer malware leverages the ‘DLL sideloading’ technique to drop legitimate, signed binaries to the host. The malware uses ‘DLL sideloading’ to evade detection from antivirus software.

Example 2 - KerrDown distributed via DLL side-loading

Researchers recently spotted a custom downloader ‘KerrDown’ which is used by the OceanLotus threat actor group to infect victims with payloads such as Cobalt Strike Beacon.

OceanLotus was responsible for multiple attack campaigns against private sectors across multiple industries, foreign governments, activists, and dissidents connected to Vietnam.

Ocean Lotus threat actors leveraged two methods to deliver the ‘KerrDown’ downloader to the victims

• Microsoft Office document with malicious macro, and
• RAR archive which contains a legitimate program with DLL side-loading.

How to stay protected?

• Researchers recommend enabling SafeDllSearchMode to prevent attackers from exploiting the search path.
• It is also recommended to ensure that only signed DLLs are loaded for most systems process and applications.
• In order to avoid DLL Hijacking, it is best to write secure code for loading DLL from specified path only.