oreoboys.blogg.se

Symantec usb block
Malware authors regularly evolve their techniques to evade detection and execute more sophisticated attacks. We've commonly observed one method over the past few years: unsigned DLL loading. Assuming that this method might be used by advanced persistent threats (APTs), we hunted for it.

Below, we show how hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. The hunt revealed sophisticated payloads and APT groups in the wild, including the Chinese cyberespionage group Stately Taurus (formerly known as PKPLUG, aka Mustang Panda) and the North Korean Selective Pisces (aka Lazarus Group).

Palo Alto Networks customers receive protections and detections against malicious DLL loading through the Cortex XDR agent.

Mustang Panda, PKPLUG, BRONZE PRESIDENT, HoneyMyte, Red Lich, Baijiu

Malicious DLLs: A Common Method Attackers Use for Executing Malicious Payloads on Infected Systems
Attack Trends in the Wild Related to Unsigned DLLs
Using Unsigned DLLs to Hunt for Attacks in Your Environment
Conclusion

Malicious DLLs: A Common Method Attackers Use for Executing Malicious Payloads on Infected Systems

Based on our observations over years of proactive threat-hunting experience, we hypothesize that one of the main methods for executing malicious payloads on infected systems is loading a malicious DLL. As both individual hackers and APT groups use this method, we decided to conduct research based on this hypothesis.

Most of the malicious DLLs we observe in the wild share three common characteristics:

The DLLs are mostly written to unprivileged paths.

To evade detection, the DLLs are loaded by a signed process, whether a utility dedicated to loading DLLs (such as rundll32.exe) or an executable that loads DLLs as part of its activity.

With that in mind, we found that the most common techniques that are being used by threat actors in the wild are the following:

DLL loading by rundll32.exe/regsvr32.exe – While those processes are signed and known binaries, threat actors abuse them to achieve code execution in an attempt to evade detection.
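The hunting logic the text describes (an unsigned DLL, written to an unprivileged path, loaded by a signed process, with rundll32.exe/regsvr32.exe as the dedicated loaders to watch) can be expressed as a filter over image-load telemetry. The following is an added illustration written for this page, not code from the original article or from Palo Alto Networks; the event records, the field names (`loader_path`, `loader_signed`, `dll_path`, `dll_signed`) and the list of privileged path prefixes are all constructed here, and treating every path outside `C:\Windows` and `C:\Program Files` as "unprivileged" is a deliberate simplification for the example.

```python
"""Toy hunt for the unsigned-DLL loading pattern over constructed image-load events.

A hit requires all three traits named in the text:
  1. the loaded DLL is unsigned,
  2. the DLL sits in an unprivileged (user-writable) path,
  3. the loading process is a signed binary.
Loads performed by a dedicated DLL-loading utility (rundll32.exe, regsvr32.exe)
are annotated so an analyst can triage them first.
"""
from dataclasses import dataclass
import ntpath  # Windows-style path handling, works on any host OS

# Simplification for this example: only these trees count as "privileged".
# Real telemetry pipelines would use the host's ACLs or an allow-list instead.
PRIVILEGED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
DLL_LOADER_UTILITIES = {"rundll32.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (constructed schema, not a vendor format)."""
    loader_path: str
    loader_signed: bool
    dll_path: str
    dll_signed: bool


def is_unprivileged_path(path: str) -> bool:
    """True when the path is outside the privileged trees listed above."""
    return not path.lower().startswith(PRIVILEGED_PREFIXES)


def hunt(events):
    """Return [(event, reasons)] for events matching all three traits."""
    hits = []
    for ev in events:
        if ev.dll_signed:
            continue  # signed DLL: outside this hunt
        if not ev.loader_signed:
            continue  # unsigned loader: a different pattern, not this one
        if not is_unprivileged_path(ev.dll_path):
            continue  # DLL lives in a privileged tree
        reasons = ["unsigned DLL", "unprivileged path", "signed loader"]
        loader_name = ntpath.basename(ev.loader_path).lower()
        if loader_name in DLL_LOADER_UTILITIES:
            reasons.append(f"dedicated DLL-loading utility: {loader_name}")
        hits.append((ev, reasons))
    return hits


# Constructed sample events; none of these paths refer to real files.
SAMPLE_EVENTS = [
    # signed utility loading an unsigned DLL from a user-writable folder -> hit
    ImageLoad("C:\\Windows\\System32\\rundll32.exe", True,
              "C:\\Users\\Public\\update.dll", False),
    # signed application loading an unsigned plugin as part of its activity -> hit
    ImageLoad("C:\\Program Files\\Vendor\\app.exe", True,
              "C:\\ProgramData\\Vendor\\plugin.dll", False),
    # normal signed system DLL load -> ignored
    ImageLoad("C:\\Windows\\explorer.exe", True,
              "C:\\Windows\\System32\\kernel32.dll", True),
    # unsigned loader: not the pattern this hunt targets -> ignored
    ImageLoad("C:\\Users\\bob\\tool.exe", False,
              "C:\\Users\\bob\\helper.dll", False),
    # unsigned DLL but in a privileged tree -> ignored by the path check
    ImageLoad("C:\\Windows\\System32\\regsvr32.exe", True,
              "C:\\Windows\\System32\\legacy.dll", False),
]


if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_EVENTS):
        print(f"{ev.loader_path} -> {ev.dll_path}: {', '.join(reasons)}")
```

Running the block prints the two hits (the rundll32.exe load annotated as a dedicated loader, and the vendor application loading its unsigned plugin); the other three events are dropped by one of the three trait checks. The path allow-list is the part a practitioner would replace first, since ProgramData and similar trees are only partially user-writable in practice.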