Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.[1]
ID | Name | Description |
---|---|---|
G0073 | APT19 |
APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[2] |
G0022 | APT3 |
APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.[3][4] |
G0050 | APT32 |
APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder).[5][6][7] |
G0096 | APT41 |
APT41 used legitimate executables to perform DLL side-loading of their malware.[8] |
S0128 | BADNEWS |
BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.[9][10] |
S0127 | BBSRAT |
DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.[11] |
G0098 | BlackTech |
BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.[12] |
G0060 | BRONZE BUTLER |
BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.[13] |
G0114 | Chimera |
Chimera has used side loading to place malicious DLLs in memory.[14] |
S0660 | Clambling |
Clambling can store a file named |
S0354 | Denis |
Denis exploits a security vulnerability to load a fake DLL and execute its code.[5] |
S0624 | Ecipekac |
Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL.[17] |
S0554 | Egregor |
Egregor has used DLL side-loading to execute its payload.[18] |
S0182 | FinFisher |
FinFisher uses DLL side-loading to load malicious programs.[19][20] |
G0093 | GALLIUM |
GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[21] |
S0032 | gh0st RAT | |
S0477 | Goopy |
Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google.[6] |
G0126 | Higaisa |
Higaisa’s JavaScript file used a legitimate Microsoft Office 2007 package to side-load the |
S0070 | HTTPBrowser |
HTTPBrowser has used DLL side-loading.[24] |
S0398 | HyperBro |
HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[25][26] |
S0528 | Javali |
Javali can use DLL side-loading to load malicious DLLs into legitimate executables.[27] |
S0585 | Kerrdown |
Kerrdown can use DLL side-loading to load malicious DLLs.[28] |
G0032 | Lazarus Group |
Lazarus Group has replaced |
S0582 | LookBack |
LookBack side loads its communications module as a DLL into the |
G0045 | menuPass |
menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[31][32][33] |
S0455 | Metamorfo |
Metamorfo has side-loaded its malicious DLL file.[34][35][36] |
G0129 | Mustang Panda |
Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[37][38][39] |
G0019 | Naikon |
Naikon has used DLL side-loading to load malicious DLL's into legitimate executables.[40] |
S0630 | Nebulae | |
S0664 | Pandora |
Pandora can use DLL side-loading to execute malicious payloads.[26] |
G0040 | Patchwork |
A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.[42] |
S0013 | PlugX |
PlugX has used DLL side-loading to evade anti-virus.[4][24][43][31][44][15][45] |
S0629 | RainyDay |
RainyDay can use side-loading to run malicious executables.[41] |
S0662 | RCSession |
RCSession can be installed via DLL side-loading.[46][15][45] |
S0074 | Sakula |
Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.[47] |
G0121 | Sidewinder |
Sidewinder has used DLL side-loading to drop and execute malicious payloads including the hijacking of the legitimate Windows application file rekeywiz.exe.[48] |
S0663 | SysUpdate |
SysUpdate can load DLLs through vulnerable legitimate executables.[26] |
S0098 | T9000 |
During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.[49] |
G0027 | Threat Group-3390 |
Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.[24][50][51][25] |
G0081 | Tropic Trooper |
Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.[52][53] |
S0579 | Waterbear |
Waterbear has used DLL side loading to import and load a malicious DLL loader.[12] |
S0176 | Wingbird |
Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.[54][55] |
S0230 | ZeroT |
ZeroT has used DLL side-loading to load malicious payloads.[56][57] |
ID | Mitigation | Description |
---|---|---|
M1013 | Application Developer Guidance |
When possible, include hash values in manifest files to help prevent side-loading of malicious libraries.[1] |
M1051 | Update Software |
Update software regularly to include patches that fix DLL side-loading vulnerabilities. |
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
File Modification | ||
DS0011 | Module | Module Load |
DS0009 | Process | Process Creation |
Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. Track DLL metadata, such as a hash, and compare DLLs that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.