
Abusing DLL Search Order Hijacking: RainyDay, Turian, and a New PlugX Variant

The Silent Threat: How DLL Hijacking Turns Trusted Software Against You

Imagine a security guard at a high-tech facility letting in a known, trusted employee. But hidden in that employee’s briefcase is a device that will compromise the entire building. This is the digital equivalent of a sophisticated cyberattack technique known as DLL Search Order Hijacking, and threat actors are using it with increasing frequency and skill to infiltrate secure networks.

This method isn’t new, but its modern application by advanced threat groups demonstrates a dangerous evolution in stealth and evasion. By exploiting the order in which the Windows loader searches for libraries, attackers can turn legitimate, digitally signed software into a Trojan horse for deploying malware like backdoors and remote access trojans (RATs).

What Exactly is DLL Search Order Hijacking?

To understand the attack, we first need to know what a DLL is. A Dynamic Link Library (DLL) is a file containing code and data that can be used by multiple programs at the same time. Think of them as shared toolkits that applications call upon to perform specific functions.

When an application loads a DLL by bare file name (a static import, or a LoadLibrary call without a full path), the Windows loader first checks whether a module with that name is already loaded or is on the system’s KnownDLLs list. If neither applies, it searches a fixed sequence of directories. Crucially, the directory the application itself was started from is the first one on that list, ahead of System32 and the Windows directory.

DLL Search Order Hijacking exploits this ordering. An attacker places a malicious, custom-crafted DLL in the application’s directory, giving it the same file name as a library the application imports that normally resolves from a later location such as System32 (when the attacker supplies both the signed executable and the DLL, the variant is often called DLL sideloading). When the trusted application starts, the loader finds the attacker’s file first and loads it as if it were the legitimate library. The malicious DLL runs its own code from DllMain or from the exported function the host calls, usually exporting or forwarding the names the host expects so that the host does not crash, all under the cover of a legitimate, signed process. Two things are out of reach for this technique: DLLs the application loads by fully qualified path, and KnownDLLs, which are mapped from a protected object directory rather than searched for on disk.
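To make the ordering concrete, the following Python model encodes the documented default search order and the KnownDLLs short-circuit, then lists which imports of a given executable a DLL dropped into the application directory would capture. This is an added example for this article, not code from Talos or from the malware it describes; KNOWN_DLLS is a constructed subset of the real registry list, the system paths assume a default install on C:, and the vendor executable and its imports in the scenario are made up.

```python
"""Model of how the Windows loader resolves a DLL requested by bare file name.

Added example for this article, not code from Talos or from the malware it
describes.  It encodes the documented default search order (SafeDllSearchMode
enabled) plus the KnownDLLs short-circuit, then lists which imports of a given
executable an attacker-dropped DLL in the application directory would capture.
KNOWN_DLLS is a constructed subset of the real registry list, and the system
paths assume a default install on C:.
"""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
SYSTEM16 = PureWindowsPath(r"C:\Windows\System")      # 16-bit system directory
WINDIR = PureWindowsPath(r"C:\Windows")

# Constructed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Entries here are mapped from the \KnownDlls object directory and never searched for.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "advapi32.dll", "gdi32.dll", "ole32.dll", "combase.dll", "shell32.dll"}


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories the loader walks for a by-name import; the first hit wins."""
    if safe_mode:       # default since XP SP2: only the current directory is demoted
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR, *path_dirs]


def resolve(dll_name, app_dir, cwd, path_dirs, files_on_disk, safe_mode=True):
    """Return the path the loader would load for dll_name, or None if absent.

    files_on_disk is a set of PureWindowsPath.  PureWindowsPath compares and
    hashes case-insensitively, which is what the loader does with file names.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 / name
    for directory in search_order(app_dir, cwd, path_dirs, safe_mode):
        candidate = directory / name
        if candidate in files_on_disk:
            return candidate
    return None


def hijack_candidates(imports, app_dir, cwd, path_dirs, files_on_disk):
    """Map each hijackable import to the path it resolves to today.

    An import is hijackable when it is not a KnownDLL and does not already
    resolve to a file inside app_dir: a copy dropped there would then be found
    before the legitimate one.  Imports that resolve nowhere (value None) are
    the 'phantom DLL' variant, where there is no legitimate file to shadow.
    """
    result = {}
    for name in imports:
        name = name.lower()
        if name in KNOWN_DLLS:
            continue
        legit = resolve(name, app_dir, cwd, path_dirs, files_on_disk)
        if legit is not None and legit.parent == app_dir:
            continue
        result[name] = legit
    return result


if __name__ == "__main__":
    # Constructed scenario: a signed vendor EXE with four by-name imports.
    app_dir = PureWindowsPath(r"C:\Tools\Vendor")
    cwd = PureWindowsPath(r"C:\Users\alice")
    path_dirs = [SYSTEM32, WINDIR]
    disk = {app_dir / "vendor.exe", app_dir / "vendor_core.dll",
            SYSTEM32 / "kernel32.dll", SYSTEM32 / "version.dll"}
    imports = ["kernel32.dll", "version.dll", "vendor_core.dll", "licensing.dll"]
    for name, legit in hijack_candidates(imports, app_dir, cwd, path_dirs, disk).items():
        print(f"{name}: resolves to {legit}; a copy at {app_dir / name} would win")
```

Running the scenario reports version.dll (normally served from System32) and licensing.dll (not present anywhere) as hijackable, while kernel32.dll is protected by KnownDLLs and vendor_core.dll already lives in the application directory. Toggling safe_mode only changes where the current directory falls in the list; the application directory stays first either way, which is why Safe DLL Search Mode does not defend against this variant.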

Advanced Malware Leveraging This Technique

Security researchers are observing this technique used to deploy several dangerous malware families, often in multi-stage attacks designed to evade detection.

The RainyDay Backdoor

One potent example is a backdoor known as RainyDay. In this attack, threat actors bundle a legitimate, signed executable—such as a component from VMware—with their malicious DLL.

  • The legitimate program is launched.
  • It inadvertently loads the malicious DLL placed in its directory.
  • This malicious DLL then acts as a loader, decrypting and executing the final RainyDay backdoor payload in memory.

Because the process doing the loading is signed by a reputable vendor, it passes checks that look only at the executable: reputation-based antivirus heuristics, and application whitelisting rules that trust a publisher but never evaluate the DLLs the trusted executable pulls in (AppLocker, for example, does not enforce its DLL rule collection unless it is explicitly enabled).

The Turian Backdoor

Similarly, the Turian backdoor uses the same hijacking principle. Attackers have been observed using executables from legitimate security products as the carrier. By using a trusted security tool to launch their attack, they add another layer of deception. The malicious DLL loaded by this process is responsible for executing malicious shellcode, giving the attacker a foothold in the compromised system.

A New and Evolved PlugX Variant

Perhaps most concerning is the use of this technique to deploy a new variant of PlugX, a notorious and highly capable Remote Access Trojan (RAT). This attack is more complex and demonstrates a higher level of sophistication.

The infection chain involves using a legitimate, signed Microsoft executable to launch the initial phase. This executable loads a malicious DLL, which in turn reads an encrypted file bundled with it. This second-stage payload is then decrypted directly into memory and injected into another legitimate system process, such as msiexec.exe. Although the encrypted stage sits on disk, the decrypted RAT exists only in memory, inside a Microsoft process that has every reason to be running, so file-scanning antivirus never sees the payload and process-centric rules see nothing but signed Microsoft binaries.

Why This Attack Method is So Effective

DLL hijacking remains a favorite among threat actors for several key reasons:

  • Stealth and Evasion: The malicious code runs inside a process whose image is signed by a reputable vendor, so process-centric telemetry, reputation lookups and an analyst scanning a process list all see normal software. Only module-level telemetry (which DLL was loaded from where, and whether it is signed) exposes the substitution.
  • Bypassing Security Controls: Application whitelisting that verifies the executable but not the libraries it loads trusts the signed host and, by extension, everything the host pulls in. The same applies to antivirus exclusions that cover a vendor’s install directory or signer.
  • Persistence: If the hijacked application runs at startup, or if the attacker registers the signed executable in a Run key, scheduled task or service, the malware is relaunched at every boot while the autorun entry still points at a legitimate, signed binary.

Protecting Your Organization: Actionable Security Measures

Defending against DLL Search Order Hijacking requires a multi-layered, defense-in-depth security posture. Simply relying on traditional antivirus is not enough.

  • Implement Robust Monitoring: Use an Endpoint Detection and Response (EDR) solution to monitor process behavior at the module level, not just the process level. Specifically, look for signed, legitimate processes loading unsigned DLLs from their own directory or from user-writable paths, signed executables running from unusual locations such as %TEMP% or %APPDATA%, and injection into or unexpected child processes such as msiexec.exe.
  • Scrutinize DLL Loading: Configure logging that records each module load with the loading process, the module path and its signature status (Sysmon Event ID 7, ImageLoad, carries all three). A legitimate, signed application suddenly loading a newly created, unsigned DLL from its own directory, or loading a library that normally lives in System32 from anywhere else, is a major red flag that warrants immediate investigation.
  • Enforce Application Control: Go beyond whitelisting the executable alone and use a control that also evaluates the modules it loads. Windows Defender Application Control enforces its policy on user-mode DLLs as well as executables, and AppLocker can do the same once its DLL rule collection is enabled; a rule keyed on the vendor’s certificate then rejects an unsigned DLL even when the host executable is trusted.
  • Secure Software Development: For developers, load libraries by fully qualified path, or restrict the search with LoadLibraryExW and the LOAD_LIBRARY_SEARCH_SYSTEM32 flag and call SetDefaultDllDirectories at startup so that later by-name loads skip the application and current directories; for statically linked imports, which are resolved before any of your code runs, the MSVC linker’s /DEPENDENTLOADFLAG option applies the same restriction. Note that “Safe DLL Search Mode”, enabled by default since Windows XP SP2, only moves the current directory below the system directories. It does nothing against the variant described here, where the malicious DLL sits in the application’s own directory, which is searched first in both modes.
  • Restrict Permissions: Follow the principle of least privilege. Prevent users and applications from writing to application installation folders, so that software already installed under Program Files cannot be hijacked by a dropped DLL. Bear in mind that the campaigns above do not need that access: the attacker brings a copy of the signed executable along with the malicious DLL and runs both from a directory they control, so this measure must be paired with the application control and monitoring above.
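The monitoring and logging advice above turns into detection logic like the following Python, which parses Sysmon Event ID 7 (ImageLoad) records and applies two rules: an unsigned (or unverifiable) DLL loaded from the loading process’s own directory outside the Windows tree, and a library that ships in System32 loaded from anywhere else. This is an added example for this article, not Talos detection content. It assumes Sysmon is logging ImageLoad events and that they were exported as XML (for instance with Get-WinEvent and .ToXml()); the three events and the SYSTEM_DLL_NAMES subset are constructed for the example.

```python
"""Hunt for DLL search order hijacking in Sysmon Event ID 7 (ImageLoad) records.

Added example for this article, not detection content from Talos.  It assumes
Sysmon is logging ImageLoad events and that they were exported as XML (for
instance with Get-WinEvent and .ToXml()).  The three events below are
constructed to exercise the two rules; SYSTEM_DLL_NAMES is a constructed
subset of libraries that ship in System32 and are common sideloading targets.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

WINDIR = PureWindowsPath(r"C:\Windows")
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                    "msimg32.dll", "dwmapi.dll", "uxtheme.dll", "cryptsp.dll"}

EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>7</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">{utc}</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="ImageLoaded">{loaded}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


def make_event(image, loaded, signed, status, pid=4242, utc="2025-01-01 12:00:00.000"):
    """Build a constructed Sysmon ImageLoad event in the shape Sysmon emits."""
    return EVENT_TEMPLATE.format(utc=utc, pid=pid, image=image, loaded=loaded,
                                 signed=signed, status=status)


SAMPLE_EVENTS = [
    # A signed vendor EXE picks up an unsigned version.dll placed beside it.
    make_event(r"C:\Tools\Vendor\vendor.exe", r"C:\Tools\Vendor\version.dll",
               "false", "Unavailable"),
    # The same process loading a KnownDLL from System32: normal.
    make_event(r"C:\Tools\Vendor\vendor.exe", r"C:\Windows\System32\kernel32.dll",
               "true", "Valid"),
    # An application loading its own signed module from its install dir: normal.
    make_event(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\app_core.dll",
               "true", "Valid"),
]


def parse_event(xml_text):
    """Flatten <EventID> and every <Data Name=...> element into one dict."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # strip the schema namespace
        if tag == "EventID":
            fields["EventID"] = (el.text or "").strip()
        elif tag == "Data" and "Name" in el.attrib:
            fields[el.attrib["Name"]] = el.text or ""
    return fields


def hijack_indicators(ev):
    """Return why this ImageLoad looks like a hijack; an empty list means benign."""
    if ev.get("EventID") != "7":
        return []
    image = PureWindowsPath(ev["Image"])
    loaded = PureWindowsPath(ev["ImageLoaded"])
    in_windows = WINDIR in loaded.parents        # PureWindowsPath compares case-insensitively
    reasons = []
    # Rule 1: the DLL is unsigned (or its signature does not verify) and sits in
    # the loading process's own directory, outside the Windows tree.
    trusted = ev.get("Signed", "").lower() == "true" and ev.get("SignatureStatus") == "Valid"
    if not trusted and loaded.parent == image.parent and not in_windows:
        reasons.append("unsigned DLL loaded from the process's own directory")
    # Rule 2: a library that ships in System32 was loaded from somewhere else,
    # the shadowing the article describes.
    if loaded.name.lower() in SYSTEM_DLL_NAMES and not in_windows:
        reasons.append(f"{loaded.name.lower()} shadowed outside System32")
    return reasons


def hunt(events_xml):
    """Return (image, image_loaded, reasons) for each suspicious event."""
    hits = []
    for xml_text in events_xml:
        ev = parse_event(xml_text)
        reasons = hijack_indicators(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, loaded, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {loaded}")
        for reason in reasons:
            print(f"    {reason}")
```

Rule 1 will also fire on vendors that ship unsigned helper DLLs next to their own signed executable, so in practice it is baselined per application rather than alerted on blindly; rule 2 is far quieter, because there is almost no legitimate reason for version.dll or dbghelp.dll to load from a directory outside the Windows tree.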

As attackers continue to refine their methods, understanding the mechanics behind techniques like DLL hijacking is no longer optional. By recognizing how trusted processes can be turned into weapons, organizations can build more resilient defenses and better prepare to detect and neutralize these silent threats.

Source: https://blog.talosintelligence.com/how-rainyday-turian-and-a-new-plugx-variant-abuse-dll-search-order-hijacking/
