Hackers start using double DLL sideloading to evade detection

An APT hacking group known as "Dragon Breath," "Golden Eye Dog," or "APT-Q-27" is demonstrating a new trend of using several complex variations of the classic DLL sideloading technique to evade detection.

These attack variations begin with an initial vector that leverages a clean application, most often Telegram, that sideloads a second-stage payload, sometimes also clean, which in turn, sideloads a malicious malware loader DLL.

The lure for victims is trojanized Telegram, LetsVPN, or WhatsApp apps for Android, iOS, or Windows that have been supposedly localized for people in China. The trojanized apps are believed to be promoted using BlackSEO or malvertizing.

According to Sophos analysts who followed the threat actor's recent attacks, the targeting scope of this campaign is focused on Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

Double DLL sideloading

DLL sideloading is a technique exploited by attackers since 2010, taking advantage of the insecure way Windows loads DLL (Dynamic Link Library) files required by an application.

The attacker places a malicious DLL with the same name as the legitimate, required DLL in an application's directory. When the user launches the executable, Windows prioritizes the local malicious DLL over the one in the system folders.

The attacker's DLL contains malicious code that loads at this stage, giving the attacker privileges or running commands on the host by exploiting the trusted, signed application that is loading it.

In this campaign, the victims execute the installer of the mentioned apps, which drops components on the system and creates a desktop shortcut and a system startup entry.

If the victim attempts to launch the newly created desktop shortcut, which is the expected first step, instead of launching the app, the following command is executed on the system.

The command runs a renamed version of 'regsvr32.exe' ('appR.exe') to execute a renamed version of 'scrobj.dll' ('appR.dll') and supplies a DAT file ('appR.dat') as input to it. The DAT contains JavaScript code for execution by the script execution engine library ('appR.dll').

The JavaScript code launches the Telegram app user interface in the foreground while installing various sideloading components in the background.

Next, the installer loads a second-stage application using a clean dependency ('libexpat.dll') to load a second clean application as an intermediate attack stage.

In one variation of the attack, the clean application "XLGame.exe" is renamed to "Application.exe," and the second-stage loader is also a clean executable, signed by Beijing Baidu Netcom Science and Technology Co., Ltd.

In another variation, the second-stage clean loader is "KingdomTwoCrowns.exe," which is not digitally signed, and Sophos couldn't determine what advantage it offers besides obfuscating the execution chain.

In a third variation of the attack, the second-stage loader is the clean executable "d3dim9.exe," digitally signed by HP Inc.

This "double DLL sideloading" technique achieves evasion, obfuscation, and persistence, making it harder for defenders to adjust to specific attack patterns and effectively shield their networks.

The final payload

In all observed attack variations, the final payload DLL is decrypted from a txt file ('templateX.txt') and executed on the system.

This payload is a backdoor that supports several commands, such as system reboot, registry key modification, fetching files, stealing clipboard content, executing commands on a hidden CMD window, and more.

The backdoor also targets the MetaMask cryptocurrency wallet Chrome extension, aiming to steal digital assets from victims.

In summary, DLL sideloading remains an effective attack method for hackers and one that Microsoft and developers have failed to address for over a decade.

In the latest APT-Q-27 attack, analysts observed DLL sideloading variations that are challenging to track; hence they achieve a stealthier infection chain.