Safeguarding Against DLL Sideloading (Trojan) Attacks: Leveraging ThreatCloud AI’s Threat Emulation Engine as an answer
By Harish Kumar GS, Head of Sales, India and SAARC, Check Point Software Technologies
Attacks of a different calibre are slowly growing in the community, well beyond the usual phishing or deepfake attempts. One such sophisticated trojan campaign is designed to steal login credentials and credit card data from payment systems, banks and cryptocurrency exchanges. It tricks legitimate business applications into loading compromised but innocent-looking dynamic link library (DLL) files, which makes it very difficult to detect and block.
An organization in India is being attacked on average 2927 times per week in the last 6 months, compared to 1368 attacks per organization globally. In Q4 2022, India recorded over 300 million cases of malware attacks per day, accounting for 5.81% of the global virus count. Specifically, 41% of the malware detected in India was a Trojan, while 33% was an infector. The Mirai botnet malware attack targeted home routers and IoT devices, affecting 2.5 million devices in the country. Other notable attacks include the Petya ransomware, which caused a computer lockdown and disrupted operations at one of India’s largest seaports, and the BSNL malware attack, which impacted nearly 2,000 broadband modems, rendering 60,000 of them dysfunctional.
DLL sideloading is a technique used by cybercriminals to execute malicious code on a target system by exploiting the order in which Windows searches for the dynamic link libraries (DLLs) that an application loads by name. This blog explores how Check Point’s advanced Threat Emulation engines, part of Infinity ThreatCloud AI, detected and prevented a DLL sideloading attack on one of our customers.
How does DLL Sideloading Work?
Sideloading abuses the normal Windows mechanism by which a running application loads the DLLs it depends on: when a DLL is requested by bare name rather than by full path, Windows probes a fixed sequence of directories, and the directory containing the executable is probed first. Attackers accomplish this in three steps:
Identification: The attacker identifies a legitimate, typically digitally signed, application that loads one of its DLLs by name without verifying where that DLL came from.
Malicious DLL: The attacker places a seemingly legitimate but compromised DLL, carrying the file name the application expects, in a directory the application will search, usually the same folder as a copy of the executable. When the application runs, it searches for its required DLLs in that fixed directory order; because the attacker’s DLL is found first, it is loaded automatically alongside the legitimate application.
Execution of Malicious Code: The compromised DLL contains the attacker’s payload, for example in its DllMain entry point or in an exported function the host calls. Because it was sideloaded, the payload runs inside the legitimate application’s process, with that application’s identity and permissions.
The primary advantage of DLL sideloading for cybercriminals is that a legitimate, often signed and already allow-listed, application is the one that loads the malicious DLL. The malicious code therefore executes within the context of a trusted process, which makes it challenging to identify.
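The three steps above hinge on one detail: the executable’s own directory is probed before the system directories. The following added example (not code from the original article or from Check Point) models that default search order in Python so the point can be reproduced without a Windows machine. The KnownDLLs subset, the directory and file names, and the "hardened" loader mode are constructed assumptions for illustration; manifests, SxS redirection and API sets are ignored.

```python
"""Model of the Windows DLL search order that sideloading abuses.

Added example (not from the original article or from Check Point): a
pure-Python simulation of the default search order LoadLibrary uses when
a DLL is requested by bare name with SafeDllSearchMode on (the default).
All paths, file names and the KNOWN_DLLS subset below are constructed for
illustration. Manifests, SxS redirection and API sets are ignored.
"""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDIR = PureWindowsPath(r"C:\Windows")

# A few KnownDLLs. Windows maps these from System32 regardless of the
# search order, so they cannot be sideloaded by dropping a same-named file.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs):
    """Directories probed, in order, for a DLL requested by bare name."""
    return [
        PureWindowsPath(app_dir),                  # 1. directory the EXE was loaded from
        SYSTEM32,                                  # 2. system directory
        WINDIR / "System",                         # 3. 16-bit system directory
        WINDIR,                                    # 4. Windows directory
        PureWindowsPath(cwd),                      # 5. current working directory
        *(PureWindowsPath(d) for d in path_dirs),  # 6. each PATH entry
    ]


def resolve_dll(dll_name, app_dir, cwd, path_dirs, files, system32_only=False):
    """Return the on-disk path Windows would map for dll_name, or None.

    files         set of PureWindowsPath objects present on disk
    system32_only models LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32) or
                  SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32):
                  the application directory is no longer probed at all.
    """
    name = dll_name.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 / name
    dirs = [SYSTEM32] if system32_only else search_order(app_dir, cwd, path_dirs)
    for directory in dirs:
        candidate = directory / name
        if candidate in files:  # PureWindowsPath compares case-insensitively
            return candidate
    return None


# Constructed file system: a legitimate install, and an attacker-controlled
# folder holding a renamed copy of the EXE next to a malicious same-named DLL.
LEGIT_DIR = PureWindowsPath(r"C:\Program Files (x86)\Vendor\App")
ATTACKER_DIR = PureWindowsPath(r"C:\Users\victim\AppData\Local\Temp\upd")
FILES = {
    LEGIT_DIR / "helper.exe",
    LEGIT_DIR / "helper_elf.dll",         # the real DLL the helper expects
    SYSTEM32 / "kernel32.dll",
    ATTACKER_DIR / "renamed_helper.exe",  # copied, still signed, renamed host
    ATTACKER_DIR / "helper_elf.dll",      # attacker's payload DLL
}
CWD = PureWindowsPath(r"C:\Users\victim")
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]


def demo():
    """Same DLL name, four outcomes depending on where the host runs from."""
    return {
        # launched from the legitimate install: the real DLL is found first
        "legit": resolve_dll("helper_elf.dll", LEGIT_DIR, CWD, PATH_DIRS, FILES),
        # launched from the attacker's folder: the planted DLL is found first
        "sideloaded": resolve_dll("helper_elf.dll", ATTACKER_DIR, CWD, PATH_DIRS, FILES),
        # KnownDLLs are immune to this trick
        "known": resolve_dll("kernel32.dll", ATTACKER_DIR, CWD, PATH_DIRS, FILES),
        # System32-only loader: the planted copy is never even considered
        "hardened": resolve_dll("helper_elf.dll", ATTACKER_DIR, CWD, PATH_DIRS, FILES,
                                system32_only=True),
    }


if __name__ == "__main__":
    for case, path in demo().items():
        print(f"{case:>10}: {path}")
```

The "hardened" case resolves to nothing because the DLL is application-private and has no System32 copy, which is the honest result: for such DLLs the System32-only flag is not an option, and a signed executable copied into a writable folder will still probe its own directory first. The practical defences there are verifying the DLL’s Authenticode signature before trusting it, code-integrity policies that block unsigned libraries, and detection of the pattern itself.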
Casbaneiro: A DLL Sideloading Case Study
One of Check Point’s customers in Mexico was being targeted by a new version of the Latin American banking trojan “Casbaneiro.” This malware utilizes legitimate resources from Amazon and GitHub to carry out DLL sideloading attacks.
The malware employed a seemingly innocent executable, a legitimate Microsoft Edge component originally named “identity_helper.exe” and renamed “mssedge.exe,” to sideload a malicious DLL named “msedge_elf.dll,” the name of a library that executable expects to find alongside itself.
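The renamed-host-plus-same-named-DLL pattern in this case study leaves three signals in image-load telemetry: the executable’s on-disk name differs from its PE OriginalFileName, a DLL name that belongs to a trusted install is loaded from a user-writable path, and a signed executable loads an unsigned DLL from its own directory. The following added example (not Check Point’s detection logic) hunts for those signals over constructed events shaped like Sysmon Event ID 7 (ImageLoad) enriched with the process’s OriginalFileName; the field names, paths and signature flags are assumptions made up for illustration.

```python
"""Hunt for DLL sideloading in image-load telemetry.

Added example, not Check Point's detection logic. The events below are
constructed to resemble Sysmon Event ID 7 (ImageLoad) records enriched
with the loading process's PE OriginalFileName. Field names, paths and
signature flags are assumptions for illustration only.
"""
from pathlib import PureWindowsPath

TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def under(path, root):
    """True if path is root itself or lies anywhere beneath it."""
    p = PureWindowsPath(path)
    return root == p or root in p.parents


def is_trusted_location(path):
    return any(under(path, root) for root in TRUSTED_ROOTS)


def baseline_dll_names(events):
    """DLL base names observed loading from trusted install locations."""
    return {PureWindowsPath(e["ImageLoaded"]).name.lower()
            for e in events if is_trusted_location(e["ImageLoaded"])}


def analyse(event, baseline):
    """Return the list of sideloading indicators that fire for one event."""
    reasons = []
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    original = event.get("OriginalFileName")

    # 1. The EXE on disk is not named what its version resource says:
    #    a copied-and-renamed legitimate binary is a common sideloading host.
    if original and original.lower() != exe.name.lower():
        reasons.append(f"renamed binary: {exe.name} is really {original}")

    # 2. A DLL name that belongs to a trusted install is being loaded from
    #    somewhere else, i.e. a same-named file the attacker dropped.
    if dll.name.lower() in baseline and not is_trusted_location(dll):
        reasons.append(f"{dll.name} loaded from untrusted path {dll.parent}")

    # 3. Signed host, unsigned library, both sitting in the same directory.
    if event.get("ExeSigned") and not event.get("DllSigned") and dll.parent == exe.parent:
        reasons.append("signed EXE loaded unsigned DLL from its own directory")
    return reasons


def hunt(events):
    """Map EventId -> indicators, baselining DLL names from the same batch."""
    baseline = baseline_dll_names(events)
    return {e["EventId"]: analyse(e, baseline) for e in events}


# Constructed events: one benign Edge load, one Casbaneiro-style sideload,
# one unrelated system process.
EVENTS = [
    {"EventId": 1,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\identity_helper.exe",
     "OriginalFileName": "identity_helper.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_elf.dll",
     "ExeSigned": True, "DllSigned": True},
    {"EventId": 2,
     "Image": r"C:\Users\victim\AppData\Local\Temp\upd\mssedge.exe",
     "OriginalFileName": "identity_helper.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\upd\msedge_elf.dll",
     "ExeSigned": True, "DllSigned": False},
    {"EventId": 3,
     "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "ExeSigned": True, "DllSigned": True},
]


if __name__ == "__main__":
    for event_id, reasons in hunt(EVENTS).items():
        print(event_id, reasons or "clean")
```

Baselining from the same batch keeps the example self-contained; in production the set of DLL names seen under trusted roots would be built from fleet-wide history, and the signature flags would come from the sensor’s own Authenticode check rather than from the event producer.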