Shared Modules
Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API). Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective. The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017) The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows Native API which is called from functions like `LoadLibrary` at run time.(Citation: Microsoft DLL)
Procedure Examples

Name | Description |
---|---|
gh0st RAT | gh0st RAT can load DLLs into memory.(Citation: Gh0stRAT ATT March 2019) |
Hydraq | Hydraq creates a backdoor through which remote attackers can load and call DLL functions.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010) |
PUNCHBUGGY | PUNCHBUGGY can load a DLL using the LoadLibrary API.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Stuxnet | Stuxnet calls LoadLibrary then executes exports from a DLL.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
Astaroth | Astaroth uses the LoadLibraryExW() function to load additional modules.(Citation: Cybereason Astaroth Feb 2019) |
KillDisk | KillDisk loads and executes functions from a DLL.(Citation: Trend Micro KillDisk 1) |
Metamorfo | Metamorfo has used AutoIt to load and execute the DLL payload.(Citation: Fortinet Metamorfo Feb 2020) |
DarkWatchman | DarkWatchman can load DLLs.(Citation: Prevailion DarkWatchman 2021) |
Attor | Attor's dispatcher can execute additional plugins by loading the respective DLLs.(Citation: ESET Attor Oct 2019) |
FoggyWeb | FoggyWeb's loader can call the |
RotaJakiro | RotaJakiro uses dynamically linked shared libraries (`.so` files) to execute additional functionality using `dlopen()` and `dlsym()`.(Citation: RotaJakiro 2021 netlab360 analysis) |
BLINDINGCAN | BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.(Citation: US-CERT BLINDINGCAN Aug 2020) |
Bumblebee | Bumblebee can use `LoadLibrary` to attempt to execute GdiPlus.dll.(Citation: Medium Ali Salem Bumblebee April 2022) |
TajMahal | TajMahal has the ability to inject the |
Ebury | Ebury is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcurl`.(Citation: ESET Ebury May 2024) |
BOOSTWRITE | BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.(Citation: FireEye FIN7 Oct 2019) |
Dtrack | Dtrack contains a function that calls |
OSX_OCEANLOTUS.D | For network communications, OSX_OCEANLOTUS.D loads a dynamic library (`.dylib` file) using `dlopen()` and obtains a function pointer to execute within that shared library using `dlsym()`.(Citation: Unit42 OceanLotus 2017) |
PipeMon | PipeMon has used call to |
VersaMem | VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory.(Citation: Lumen Versa 2024) |
Mitigations

Mitigation | Description |
---|---|
Execution Prevention | Block execution of code on a system through application control and/or script blocking. |
Execution through Module Load Mitigation | Directly mitigating module loads and the API calls related to them will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should instead focus on preventing adversary tools from running earlier in the chain of activity, and on identifying and correlating subsequent behavior to determine whether it is the result of malicious activity. |
Detection

Monitoring DLL module loads may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances, since benign use of the Windows module-load functions is common and may be difficult to distinguish from malicious behavior. Legitimate software will usually only need to load routine, bundled DLL modules or Windows system DLLs, so deviation from known module loads may be suspicious. Limiting DLL module loads to the `%SystemRoot%` and `%ProgramFiles%` directories will protect against module loads from unsafe paths. Correlating other events with the behavior surrounding module loads, using API monitoring and observations of suspicious DLLs written to disk, will provide additional context that may help determine whether an event is due to malicious behavior.
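As an added example (not part of the ATT&CK page), the path rule above applied as a triage filter over image-load telemetry: each record carries the loading process (`Image`), the module (`ImageLoaded`) and a `Signed` flag, in the style of Sysmon Event ID 7, and a load is flagged when the module sits outside `%SystemRoot%`/`%ProgramFiles%`, comes from a UNC network path (which the Windows loader also accepts, as noted in the description), or is unsigned. The events, the drive letters and the field names are constructed assumptions for the demonstration.

```python
"""Triage DLL image-load records against the trusted-directory rule.

Added example, not ATT&CK content. Records are constructed in the
shape of Sysmon Event ID 7 (ImageLoad), reduced to the fields used here.
"""
import ntpath  # pure-Python Windows path handling; works on any host OS

# Assumed expansions of %SystemRoot% and %ProgramFiles% on the monitored host.
TRUSTED_ROOTS = ("C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)")

# Constructed sample events; the third and fourth model the unsafe cases.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\shell32.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\helper.dll", "Signed": "true"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll", "Signed": "false"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "\\\\fileshare01\\public\\mod.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\plugin.dll", "Signed": "false"},
]


def under_root(path: str, root: str) -> bool:
    """True if path lies under root after normalising case and '..' segments.

    normpath collapses 'C:\\Windows\\..\\Users\\x.dll' so a traversal segment
    cannot make an untrusted path pass a naive prefix check.
    """
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(root)
    return p == r or p.startswith(r + "\\")


def classify_load(event: dict) -> list:
    """Return the reasons an image load is suspicious; empty list means benign."""
    module = ntpath.normpath(event["ImageLoaded"])
    reasons = []
    if module.startswith("\\\\"):
        reasons.append("module loaded from UNC network path")
    elif not any(under_root(module, root) for root in TRUSTED_ROOTS):
        reasons.append("module loaded outside %SystemRoot%/%ProgramFiles%")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned module")
    return reasons


def triage(events: list) -> list:
    """Return (process, module, reasons) for every event that raised a reason."""
    return [(e["Image"], e["ImageLoaded"], classify_load(e))
            for e in events if classify_load(e)]
```

Run against `SAMPLE_EVENTS`, three of the five loads are flagged; the signed plugin from a vendor directory passes, which is the noise reduction the paragraph describes.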
References
- Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.
- Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.
- Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.
- Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Falliere, N., Murchu, L. O., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
- Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
- Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
Related Risks

Risk | Connections |
---|---|
Malware infection due to the ability to use shared modules to execute malicious code on Windows | Availability, Confidentiality, Denial of service, Privilege escalation, Information disclosure, Integrity, Distortion |