Testing DLL Search Order Hijacking against security features.
Andy Ful (post 1001945, member 32260):

This year, Microsoft decided to block by default macros in MS Office documents downloaded from the Internet. Although this mitigation can be overcome by attackers, it has also caused an increase in other attack vectors, like using archives with shortcuts combined with DLL hijacking. One example is the recently discovered campaign of BRONZE PRESIDENT:
https://www.secureworks.com/blog/bronze-president-targets-government-officials

The infection chain:
Phishing email ----> RAR archive downloaded and unpacked by the user ---> LNK file (masqueraded as PDF or DOCX) + hidden folder with payloads ---> user opens LNK file ---> DLL hijacking is started

This attack method creates a legal process without child processes, so it can fool any protection based on monitoring EXE files and their child processes (some AVs use HIPS rules based on parent-child restrictions). Also, protections based on EXE file reputation lookup and many cloud sandboxes can be bypassed in this way.

The user can see only something that looks like a document.

[Attachment 269056: screenshot]

The RAR archive is required to fool the mail-scanning protection by using several subfolders with special characters.
The shortcut file (NV 309-2022 HMA's departure.pdf.lnk) starts the DLL hijacking attack. The legal EXE (Opera.exe renamed to test.chm), malicious DLL, and another encrypted payload are located in the hidden folder with several subfolders:

[Attachment 269058: screenshot]

Nowadays, this kind of attack via DLL hijacking can be easily used in widespread attacks on home users.
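As an added example (not code from Andy Ful's post or from the Secureworks write-up), here is a Python triage script that walks an unpacked archive and flags the layout the post describes: a shortcut carrying a document double extension, a PE file stored under a non-executable extension such as .chm, and a DLL sitting next to that PE in a hidden folder. The two file names from the post are reused; the folder name .payload, the DLL name helper.dll, the minimal PE/LNK byte fixtures, and the dot-prefix stand-in for the Windows hidden attribute are assumptions made so the script runs offline.

```python
"""Triage an unpacked archive for the LNK + renamed EXE + side-loaded DLL layout.
Added example, not code from the post or the Secureworks write-up; the fixture
bytes and folder names are constructed here and are not real samples."""
import os
import stat
import struct
import tempfile
from pathlib import Path

# Fixed 20-byte prefix of every Shell Link file: HeaderSize 0x4C, then LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
NATIVE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}


def is_pe(path):
    """True if the file has an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    with open(path, "rb") as fh:
        dos = fh.read(0x40)
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"


def is_lnk(path):
    with open(path, "rb") as fh:
        return fh.read(len(LNK_MAGIC)) == LNK_MAGIC


def is_hidden(path):
    """Windows hidden attribute (what the campaign used); dot prefix elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)) or path.name.startswith(".")


def scan_extracted_archive(root):
    """Return (finding, posix_relative_path) pairs; an empty list means nothing matched."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        here = Path(dirpath)
        here_rel = here.relative_to(root).as_posix()
        if here != root and is_hidden(here):
            findings.append(("hidden_dir", here_rel))
        pe_count, dll_count = 0, 0
        for name in sorted(filenames):
            p = here / name
            suffixes = [s.lower() for s in p.suffixes]
            ext = suffixes[-1] if suffixes else ""
            if is_lnk(p):
                # Explorer hides ".lnk", so "x.pdf.lnk" is shown to the user as "x.pdf".
                if ext != ".lnk" or (len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS):
                    findings.append(("disguised_shortcut", p.relative_to(root).as_posix()))
            elif is_pe(p):
                pe_count += 1
                if ext == ".dll":
                    dll_count += 1
                elif ext not in NATIVE_EXTS:
                    findings.append(("disguised_executable", p.relative_to(root).as_posix()))
        # A non-DLL PE next to a DLL in the same folder is the side-loading layout.
        if dll_count and pe_count > dll_count:
            findings.append(("sideload_candidate", here_rel))
    return findings


def minimal_pe():
    """Smallest byte string is_pe() accepts: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"


def build_sample_archive(root):
    """Constructed fixture mirroring the post's layout; not a real sample."""
    root = Path(root)
    (root / "NV 309-2022 HMA's departure.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    hidden = root / ".payload"  # assumed folder name; dot prefix stands in for the hidden attribute
    hidden.mkdir()
    (hidden / "test.chm").write_bytes(minimal_pe())      # Opera.exe renamed, as in the post
    (hidden / "helper.dll").write_bytes(minimal_pe())    # assumed name for the malicious DLL
    (hidden / "blob.dat").write_bytes(b"\x13\x37" * 16)  # stand-in for the encrypted payload
    (root / "readme.txt").write_bytes(b"benign text")
    return root


def run_demo():
    """Build the fixture in a temp dir and scan it; returns the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extracted_archive(build_sample_archive(tmp))


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind:22} {rel}")
```

The checks key on file content (the MZ/PE and Shell Link signatures) rather than on extension, which is exactly the point: a file named test.chm that starts with an MZ stub is still an executable, and a file shown as "departure.pdf" that starts with the LinkCLSID is still a shortcut. The side-load heuristic is deliberately coarse (any non-DLL PE beside a DLL in one folder) and will fire on some legitimate portable applications, so treat it as a triage signal to review, not a verdict.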