"Double DLL sideloading" helps attackers evade detection on targeted networks.
A threat group tracked as "Dragon Breath" (also known as "Golden Eye Dog" or "APT-Q-27") has adopted a more elaborate variation of the classic DLL sideloading technique in order to evade detection.
These attacks begin with a "clean" application that performs no malicious function on its own, most often Telegram. Through the malicious DLL it sideloads, that application then downloads a second-stage payload that is itself "clean" and therefore not flagged by antivirus tools; the second application in turn becomes the channel for installing the actual malware.
As noted above, trojanized Telegram installers are the usual lure, but researchers have also found variants hidden in LetsVPN and WhatsApp packages. All of them target Chinese-speaking Windows users and entice victims with Chinese localization that the official versions of these applications lack. The surge in malicious activity recorded by Sophos analysts was seen in China, Hong Kong, Japan, Taiwan, Singapore and the Philippines.
DLL sideloading has been used by attackers since around 2010. It abuses the Windows DLL search order: when an application loads a library by name rather than by full path, the loader checks the application's own directory before the Windows system directories (libraries on the KnownDLLs list, such as kernel32.dll, are exempt). An attacker therefore drops a malicious DLL with the same name as a legitimate dependency into the application's folder, and when the user runs the executable the system loads the attacker's copy instead of the one in System32.
The malicious DLL's code then runs inside the trusted, signed host process, inheriting that process's privileges and reputation, which gives the attacker arbitrary code execution on the compromised machine behind a legitimate entry point.
In the campaign Sophos reviewed, the victim runs the installer of one of the trojanized applications, which drops the malicious components onto the system. The installer also creates a shortcut on the desktop and another in the Windows Startup folder, so the chain re-runs at every logon.
As mentioned above, the second-stage downloader is also a "clean" executable, often digitally signed by a large and normally trusted technology company such as HP or Baidu. That application, through a second sideloaded malicious DLL, downloads and installs a full-featured backdoor on the target system, giving the attackers complete control over the compromised computer.
"Double DLL sideloading" combines evasion, obfuscation and persistence, making it harder for defenders to write detections for a specific attack pattern and to protect their networks effectively.
In summary, DLL sideloading has been an effective intrusion technique for more than a decade, and combined with the evasion tricks described here it becomes more dangerous still.