
DLL Sideloading: solutions to protect your workspace

From detecting the loading of suspicious libraries to blocking threats, how can you protect your workspace against DLL Sideloading attacks?

DLL Sideloading: definition

DLL Sideloading is an offensive technique used in sophisticated attacks and in cybercrime. It consists of abusing a legitimate program or binary so that it loads a malicious library.

Attackers can make a binary load a malicious library instead of the legitimate version, usually by placing the malicious library in the same folder as the targeted binary.

Because this binary is very often signed or recognized as safe, attackers rely on a trusted program to execute their malicious code, which is an effective way of bypassing security solutions.

Detecting DLL hijacking attempts also requires handling an extremely large number of eventualities, since there is a colossal number of possible combinations between vulnerable executables and the libraries they call upon, and attackers are constantly looking for new ones.

We will see a little later how behavioral analysis can help address this issue, but first, let us take a closer look at the different types of attacks involving DLLs.


DLL hijacking attacks

Among the techniques catalogued by MITRE ATT&CK, DLL hijacking attacks are listed under the heading “Hijack Execution Flow” (T1574).

DLLs can be used simultaneously by several programs and are not intrinsically malicious. However, attackers can leverage them for persistence, privilege escalation, or defense evasion.

In short, attackers can use libraries to implement the following techniques:

  • DLL Sideloading
  • DLL Search Order Hijacking
  • DLL Redirection
  • Phantom DLL Hijacking
  • DLL Substitution

To avoid detection by antivirus software or more advanced cybersecurity solutions such as EDRs, the malicious code can be stored in a compressed or encrypted DLL, or even placed in a separate encrypted file that the malicious DLL decrypts at runtime. This makes the code harder to detect.

To carry out a DLL Sideloading attack, an attacker typically follows these steps:

  • Initial access (via a vulnerability, compromised credentials, a phishing campaign, a Trojan, a third party…)
  • Dropping a vulnerable executable in a folder, together with the malicious DLL that this executable will load
  • Launching the vulnerable executable, which loads the malicious DLL
  • Execution of the payload contained in the DLL

As mentioned earlier, it is unrealistic to anticipate every program/DLL combination and to create and maintain blocking rules for them all. To guard against DLL Sideloading attacks, the answer lies in behavioral analysis.


DLL Sideloading: automatically block malicious behavior

The activities that precede the loading of a library are a mine of information for detecting attacks: file writes, signatures, authors, locations and file contents are all elements that can be used to anticipate threats targeting an information system.

In addition, DLL Sideloading attacks often follow the same modus operandi, which makes it easier for an EDR to detect and categorize the behavior: it can associate the sequence of steps with this type of threat and generate alerts.

To this end, HarfangLab’s Sidewatch engine analyzes the many events that precede the loading of a DLL:

  • The files present in the folder linked to a program, and their signatures
  • Their location
  • How long they have been present on disk
  • Which user is running these programs…

As soon as an unsigned DLL is loaded, all of this data can be correlated to determine whether the loaded DLL is malicious and, if necessary, to flag an attack attempt. The engine can even detail the attacker’s modus operandi by categorizing the type of attack.

In that case, the EDR generates a “Security Event”, blocks the process in question, and places the DLL in quarantine.


Case study of an APT29 DLL Sideloading attack

Take the example of an attack carried out by the Cozy Bear group:

  • The attackers devise a phishing campaign that targets recipients with an ISO file claiming to contain a PDF
  • In reality, the “PDF” is an LNK file (shortcut) that launches a vulnerable executable placed in the same folder as a “sideloader” DLL
  • The executable is launched, a decoy page displays a fake PDF to the user, and the DLL is loaded by the launched process

In this case, Sidewatch identifies the suspicious actions:

  • Files written to disk from an ISO image, including a signed binary
  • An unsigned DLL in the same folder as that binary

Correlating this information generates a security event and categorizes the action as DLL Sideloading packaged in an ISO.
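The correlation described in the detection section and applied in the case study above can be illustrated with a small detector. The following Python is an added example written for this article; it is not HarfangLab’s Sidewatch code and its event schema (`ImageLoad`), trusted-directory list, 24-hour freshness window and sample events are all constructed assumptions. It flags an unsigned DLL loaded from the same folder as its host executable, outside a normal install location, notes whether the host is signed and whether both files were written recently, and, like the case study, labels the event as packaged in an ISO when the files come from a mounted image (which Windows exposes as a CD-ROM volume).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed list (not Sidewatch's): folders where an unsigned DLL next to a
# signed binary is routine for installed software rather than suspicious.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)
# Assumed freshness window: files dropped shortly before being loaded.
RECENT = timedelta(hours=24)


@dataclass
class ImageLoad:
    """One image-load event as an EDR-style sensor might record it (constructed schema)."""
    load_time: datetime
    user: str
    process_path: str
    process_signed: bool
    process_written: datetime   # when the executable appeared on disk
    dll_path: str
    dll_signed: bool
    dll_written: datetime       # when the DLL appeared on disk
    volume_kind: str            # "fixed", "removable" or "cdrom" (a mounted ISO is a CD-ROM volume)


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """Case-insensitive 'path is inside root' check on Windows path components."""
    p = [s.lower() for s in path.parts]
    r = [s.lower() for s in root.parts]
    return p[: len(r)] == r


def assess(ev: ImageLoad):
    """Return None for a routine load, or a dict explaining why it looks like DLL sideloading."""
    if ev.dll_signed:
        return None
    exe, dll = PureWindowsPath(ev.process_path), PureWindowsPath(ev.dll_path)
    if exe.parent != dll.parent:          # PureWindowsPath equality is case-insensitive
        return None
    if any(_under(dll.parent, root) for root in TRUSTED_DIRS):
        return None

    reasons = ["unsigned DLL loaded from the executable's own folder, outside a trusted install location"]
    if ev.process_signed:
        reasons.append("host executable is signed (trusted carrier)")
    if (ev.load_time - ev.dll_written <= RECENT) and (ev.load_time - ev.process_written <= RECENT):
        reasons.append("executable and DLL were both written to disk within the last 24 hours")

    category = "DLL Sideloading"
    if ev.volume_kind == "cdrom":
        category += " packaged in ISO"
        reasons.append("files loaded from a mounted image volume")
    return {"category": category, "user": ev.user, "process": ev.process_path,
            "dll": ev.dll_path, "reasons": reasons}


def scan(events):
    """Run assess() over a batch of events and keep only the hits."""
    return [hit for hit in (assess(e) for e in events) if hit is not None]


# Constructed sample events: two benign loads, one ISO-delivered sideload, one from a temp folder.
T0 = datetime(2024, 5, 6, 9, 0)
SAMPLE_EVENTS = [
    ImageLoad(T0, r"CORP\alice", r"C:\Windows\System32\notepad.exe", True, T0 - timedelta(days=400),
              r"C:\Windows\System32\ntdll.dll", True, T0 - timedelta(days=400), "fixed"),
    ImageLoad(T0, r"CORP\alice", r"C:\Program Files\Vendor\app.exe", True, T0 - timedelta(days=30),
              r"C:\Program Files\Vendor\apphelper.dll", False, T0 - timedelta(days=30), "fixed"),
    ImageLoad(T0, r"CORP\alice", r"E:\Invoice\viewer.exe", True, T0 - timedelta(hours=1),
              r"E:\Invoice\viewerui.dll", False, T0 - timedelta(hours=1), "cdrom"),
    ImageLoad(T0, r"CORP\bob", r"C:\Users\bob\AppData\Local\Temp\upd\svc.exe", True, T0 - timedelta(minutes=5),
              r"C:\Users\bob\AppData\Local\Temp\upd\svcui.dll", False, T0 - timedelta(minutes=5), "fixed"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['category']}] {hit['user']}: {hit['process']} loaded {hit['dll']}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run as-is, the script reports the ISO-delivered load and the temp-folder load and stays silent on the two routine loads. In a real deployment the trusted-directory list, the freshness window and the signature checks would be fed by the sensor’s own telemetry rather than hard-coded; the point is that none of the individual signals is conclusive, but their combination maps directly onto the modus operandi described above.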

