DLL Side-loading Attack

This post explains what a DLL side-loading attack is in the context of IT security.


What is a DLL Side-loading Attack?

A Dynamic Link Library (DLL) is a file used on Windows systems to group functions. By using DLLs, common functionality can be isolated and reused across programs.

As DLLs are specific to the Windows OS, DLL side-loading attacks apply only to that OS.

In Windows, programs can define which libraries are loaded at runtime by specifying a full path or by using another mechanism such as a manifest. A program manifest is an external file shipped with an application that manages the names and versions of the DLLs the application loads on execution.

A program manifest can include DLL redirections, filenames or full paths. If a manifest refers to a library by filename only, that is considered a weak reference, and it is vulnerable to a DLL side-loading attack.

A DLL side-loading attack is an adversarial technique that takes advantage of weak library references and the default Windows search order: a malicious DLL masquerading as a legitimate one is placed on the system in a location where a legitimate program will automatically load it.
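The two defensive checks that follow from the paragraphs above are (1) auditing an application manifest for weak, filename-only `<file>` references and (2) reviewing image-load telemetry for DLLs that carry a well-known Windows DLL name but are loaded from outside the Windows directories, or that are unsigned and sit next to the executable. The script below is an added example written for this post, not code from the original page; the manifest, the Sysmon-style image-load records and the list of "known system DLL" names are constructed sample data, and the field names `Image`, `ImageLoaded` and `Signed` are assumed to mirror Sysmon Event ID 7 fields.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: a minimal application manifest with one filename-only
# (weak) reference and one full-path reference.
SAMPLE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="ExampleApp" version="1.0.0.0" type="win32"/>
  <file name="helper.dll"/>
  <file name="C:\\Program Files\\ExampleApp\\signed_component.dll"/>
</assembly>
"""

# Constructed sample: Sysmon Event ID 7 (Image loaded) style records.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\legit_updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll", "Signed": "true"},
]

# Assumed allow-list of names that normally resolve to DLLs shipped with Windows;
# a real deployment would derive this from a baseline of clean hosts.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptsp.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def weak_references(manifest_xml):
    """Return the <file name="..."> entries that are bare filenames (weak references)."""
    root = ET.fromstring(manifest_xml)
    weak = []
    for el in root.iter():
        # Tags carry the manifest namespace, e.g. "{urn:schemas-microsoft-com:asm.v1}file".
        if el.tag == "file" or el.tag.endswith("}file"):
            name = el.get("name", "")
            if name and not PureWindowsPath(name).is_absolute():
                weak.append(name)
    return weak


def suspicious_image_loads(records):
    """Flag image loads that match common DLL side-loading indicators.

    Returns a list of (process image, loaded DLL, [reasons]) tuples.
    """
    findings = []
    for rec in records:
        dll = PureWindowsPath(rec["ImageLoaded"])
        exe = PureWindowsPath(rec["Image"])
        name = dll.name.lower()
        loaded_from = str(dll.parent).lower()
        reasons = []
        if name in KNOWN_SYSTEM_DLLS and not loaded_from.startswith(SYSTEM_DIRS):
            reasons.append("system DLL name loaded outside the Windows directories")
        # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
        if dll.parent == exe.parent and rec.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL loaded from the application's own directory")
        if reasons:
            findings.append((rec["Image"], rec["ImageLoaded"], reasons))
    return findings


if __name__ == "__main__":
    print("Weak manifest references:", weak_references(SAMPLE_MANIFEST))
    for image, dll, reasons in suspicious_image_loads(SAMPLE_IMAGE_LOADS):
        print(f"{image} loaded {dll}: {'; '.join(reasons)}")
```

Run as-is, the script reports `helper.dll` as the only weak manifest reference and flags the `version.dll` loaded from the Temp directory on both counts, while the signed vendor DLL next to `app.exe` and the genuine `version.dll` under System32 pass. In practice the unsigned-in-application-directory rule is noisy for software that ships unsigned DLLs, so it works best combined with a baseline of what each application normally loads.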


Examples of real DLL side-loading attacks

This attack was used in the APT against the DoD of the United States disclosed in July 2020, which was allegedly performed by two Chinese hackers, LI Xiaoyu and DONG Jiazhi. This is explained in Darknet Diaries podcast #103, "Cloud Hopper".

