DLL Sideloading
Introduction
DLL Sideloading is a stealthy technique used by threat actors to execute malicious code on a target system by abusing the way Windows applications locate and load Dynamic Link Libraries (DLLs). A legitimate application is made to load a malicious DLL, so the attacker's code runs inside a trusted process, which helps it bypass security controls and gain unauthorized access to system resources.
Core Mechanisms
DLL Sideloading exploits the default DLL search order used by Windows operating systems. When an application is executed, it may require certain DLLs to function. The process of searching and loading these DLLs follows a specific order:
- The directory from which the application was loaded
- The system directory
- The 16-bit system directory
- The Windows directory
- The current directory
- The directories listed in the PATH environment variable
Attackers take advantage of this search order by placing a malicious DLL, named after a DLL the application expects, in a directory that is searched before the directory containing the legitimate DLL, most often the same directory as the executable. The application then loads the attacker's DLL by name without itself being modified.
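The search order above can be modelled directly, which also makes the defensive check concrete: list the DLL names in an application's directory that would be picked ahead of the copy in System32. The following is an added example and not code from the original article; the directory contents and the KnownDLLs subset are constructed, and the model leaves out manifests, redirection and already-loaded modules, which the real loader consults before walking the directories.

```python
"""Model of the default Windows DLL search order, with a directory audit
that lists which DLLs an application folder would shadow.

Added example, not part of the original article. The directory contents
below are constructed; on a real host the audit would be fed by listing
the application directory and System32.
"""
from pathlib import PureWindowsPath

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"

# Constructed subset of KnownDLLs. The real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs; those
# names are always taken from the system directory, whatever the search order.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def _norm(path):
    """Case-insensitive, normalised directory key."""
    return str(PureWindowsPath(path)).lower()


def search_order(app_dir, current_dir, path_dirs=()):
    """The default order (SafeDllSearchMode enabled) that the article lists."""
    return [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, current_dir, *path_dirs]


def _index(contents):
    """Map normalised directory -> set of lower-cased file names."""
    return {_norm(d): {f.lower() for f in fs} for d, fs in contents.items()}


def resolve_dll(name, order, contents):
    """Return the path the loader would pick for `name`, or None if absent.

    `contents` maps a directory to the file names it contains.
    """
    lname = name.lower()
    files_in = _index(contents)
    if lname in KNOWN_DLLS:
        # KnownDLLs never go through the search order.
        if lname in files_in.get(_norm(SYSTEM_DIR), set()):
            return str(PureWindowsPath(SYSTEM_DIR) / lname)
        return None
    for d in order:
        if lname in files_in.get(_norm(d), set()):
            return str(PureWindowsPath(d) / lname)
    return None


def shadowed_dlls(app_dir, contents):
    """DLL names in app_dir that also exist in System32 and are not KnownDLLs.

    Each of these is loaded from app_dir ahead of the system copy, so each
    one's publisher signature should be verified against the application's.
    """
    files_in = _index(contents)
    app = files_in.get(_norm(app_dir), set())
    system = files_in.get(_norm(SYSTEM_DIR), set())
    return sorted(f for f in app & system
                  if f.endswith(".dll") and f not in KNOWN_DLLS)


# Constructed directory listing: the application ships one DLL that shares
# its name with a system DLL, and one KnownDLL name that the loader ignores.
SAMPLE_CONTENTS = {
    r"C:\Program Files\ExampleApp": {
        "exampleapp.exe", "examplelib.dll", "plugin.dll", "kernel32.dll",
    },
    SYSTEM_DIR: {
        "kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
        "examplelib.dll", "exampleui.dll",
    },
}

if __name__ == "__main__":
    order = search_order(r"C:\Program Files\ExampleApp", r"C:\Users\alice")
    for dll in ("examplelib.dll", "kernel32.dll", "exampleui.dll"):
        print(dll, "->", resolve_dll(dll, order, SAMPLE_CONTENTS))
    print("shadowed:", shadowed_dlls(r"C:\Program Files\ExampleApp", SAMPLE_CONTENTS))
```

Running the audit over a real installation directory only needs the two listings replaced with `os.listdir` results; any name it reports is one to check for a valid signature from the application's publisher rather than an unsigned or differently signed file.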
Attack Vectors
DLL Sideloading can be delivered through a variety of attack vectors:
- Phishing Emails: Attackers may use phishing emails to deliver a ZIP file containing both a legitimate executable and a malicious DLL.
- Compromised Software Updates: Legitimate software updates may be tampered with to include a malicious DLL.
- Drive-by Downloads: Users visiting compromised or malicious websites may inadvertently download and execute a package containing a malicious DLL.
Attack Flow Diagram (figure not reproduced in this text version)
Defensive Strategies
To mitigate the risks associated with DLL Sideloading, organizations can implement several defensive strategies:
- Application Whitelisting: Only allow approved applications to run on the system, and extend the policy to DLLs, because a trusted executable loading an unapproved DLL is exactly the case being defended against.
- DLL Monitoring: Use security tools to monitor and alert on DLL loads that deviate from the norm, such as a DLL loaded from an application's own directory that shares its name with a system DLL, or an unsigned DLL loaded by a signed process.
- Code Signing: Ensure that all DLLs are signed with a trusted certificate, and enforce signature verification at load time; a signature that is never checked does not stop a sideloaded DLL.
- User Education: Train employees to recognize phishing attempts and suspicious files.
- Regular Updates: Keep software and operating systems up-to-date to patch known vulnerabilities.
Real-World Case Studies
Case Study 1: Operation Ke3chang
In this campaign, the Ke3chang group used DLL Sideloading to drop a malicious DLL alongside a legitimate application, exploiting the trust users placed in the legitimate software. This allowed the group to maintain persistence on infected systems and exfiltrate sensitive data.
Case Study 2: ShadowPad
ShadowPad involved the use of DLL Sideloading in a supply chain attack targeting a software vendor. A malicious DLL was included in the vendor's software package, which was then distributed to customers, leading to widespread compromise.
Conclusion
DLL Sideloading remains a potent technique for attackers seeking to exploit the trust relationship between users and legitimate applications. By understanding the mechanisms and implementing robust defensive strategies, organizations can better protect themselves against such threats.