Download.zone
Free Software And Apps Download

What is DLL Hijacking?

DLL hijacking is an attack in which an adversary gets a legitimate Windows application to load a malicious dynamic link library (DLL) in place of, or ahead of, the library it meant to load, usually by abusing the order in which Windows searches for DLLs requested by name. One of the most significant intrusions in U.S. history, which compromised multiple federal agencies and was attributed to Russian state actors, involved a malicious DLL loaded by trusted software. The technique is specific to Windows and can compromise an entire system through a single planted file, because the attacker's code runs with whatever privileges the host application or service has. Preventative measures include secure coding practices (loading libraries by full path rather than by bare name) and the ability to detect and test for DLL hijacking. A well-monitored environment and informed staff round out the defense.

What is DLL hijacking?

DLL hijacking is a cyberattack technique in which the attacker places a malicious DLL in a location that a vulnerable application searches when it resolves a library by name. When that application runs and asks Windows for the library, the planted DLL is found first and loaded in place of the legitimate one, and its code executes inside the application's process with the application's privileges. Because many applications and services load their DLLs automatically at boot or logon, a single planted file can give the attacker code execution every time the system starts, and persistence for as long as the file stays in place.

What are DLL files?


A DLL (dynamic link library) is Windows' shared library format: a file containing code and resources that one or more applications load at run time. According to Microsoft, much of a Windows operating system's functionality is provided by DLLs. A DLL is typically loaded when an application starts, or on demand through LoadLibrary, which lets many programs share one copy of common code and saves memory and disk space. Because a single DLL often serves multiple programs, one planted or trojanized DLL can compromise every application that loads it.

How does DLL hijacking work?

When a Windows application loads a DLL by name rather than by full path, the loader walks a fixed, documented search order to find it: the directory the application was started from, the system directory (System32), the 16-bit system directory, the Windows directory, the current working directory, and finally the directories listed in the PATH variable. (If SafeDllSearchMode is disabled, the current directory moves up to second place.) Because the order is documented, it can be abused: an attacker who can write to a directory that is searched before the one holding the legitimate DLL plants a file with the same name, and the application loads it. For DLL hijacking to work, the attacker must ensure the application finds the malicious file before the legitimate one. This is achieved in several ways:

  • Planting a trojan DLL in a directory that is searched before the legitimate library's directory, most often the application's own directory.
  • DLL preloading: placing a malicious DLL with the same name as a library the application requests only by bare file name ("ambiguously specified"), so that it is found first. If the requested library does not exist anywhere on the system (a "phantom" DLL), every lookup fails and any writable directory on the search path becomes a planting location.
  • Redirecting the search itself, through DLL redirection (a .local file or an application manifest) or by modifying the PATH, so the loader is steered to the attacker's copy instead of the legitimate one.

Malicious DLLs reach a machine through supply chain attacks, phishing, and social engineering. The privilege level of the process that loads the DLL decides what the attacker gets: a DLL hijacked into a service running as SYSTEM yields full control of the host, while one hijacked into a user's application yields that user's access. Applications that do not specify the full path of a DLL fall back to the default search order, which starts with the directory the application was loaded from; planting a same-named DLL there guarantees it is found before the copy in the system directory. This is called DLL search order hijacking. (Libraries on the Windows Known DLLs list, which covers the core system libraries, are always mapped from System32 and are immune to it.) Malicious DLLs usually mimic the legitimate library's file name and version metadata, and may carry a forged or stolen code-signing certificate, so they look authentic on casual inspection; the same mimicry helps a trojanized DLL travel unnoticed through a software supply chain.
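To make those preconditions concrete, here is an added audit script; it is not from the original article or from Microsoft, and the application directory it defaults to is an assumed example path. It reports the three things that decide whether search order hijacking is possible for a given application: whether SafeDllSearchMode has been disabled, whether broad principals can create files in the application directory, and which DLLs in that directory shadow a same-named System32 DLL (Known DLLs excluded, since the loader always takes those from System32), together with each one's Authenticode status.

```powershell
# Added example, not code from the original article: audit one application
# directory for the preconditions of DLL search-order hijacking. Requires
# Windows PowerShell 5.1 or PowerShell 7 on Windows; reading ACLs and
# signatures needs no elevation. $AppDir is an assumed example path.
param(
    [string]$AppDir = 'C:\Program Files\ExampleApp'
)

$system32 = Join-Path $env:SystemRoot 'System32'
$smKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. SafeDllSearchMode. Absent or 1 is the safe default; 0 moves the current
#    working directory ahead of System32 in the search order.
$safeMode = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).SafeDllSearchMode
if ($safeMode -eq 0) {
    Write-Warning 'SafeDllSearchMode is 0: the current directory is searched before System32.'
}

# 2. Known DLLs are always mapped from System32 regardless of search order,
#    so a same-named file in the application directory is noise, not a hijack.
$knownDlls = (Get-ItemProperty -Path "$smKey\KnownDLLs").PSObject.Properties |
    Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
    ForEach-Object { $_.Value.ToLowerInvariant() }

# 3. Can a non-administrator create files in the application directory?
#    That is the precondition for planting. Inherited ACEs are included.
$broadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$createBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [int][System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
              [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
              0x40000000   # GENERIC_WRITE, sometimes present as a raw access mask
$weakAces = (Get-Acl -Path $AppDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broadPrincipals -contains $_.IdentityReference.Value -and
    (([int]$_.FileSystemRights) -band $createBits) -ne 0
}
if ($weakAces) {
    Write-Warning "$AppDir grants create/write access to broad principals:"
    $weakAces | Select-Object IdentityReference, FileSystemRights | Format-Table -AutoSize
}

# 4. DLLs in the application directory that shadow a System32 DLL of the same
#    name. With the default search order the application directory wins, so an
#    unsigned or mis-signed copy here is exactly what a planted DLL looks like.
Get-ChildItem -Path $AppDir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object {
        $knownDlls -notcontains $_.Name.ToLowerInvariant() -and
        (Test-Path -LiteralPath (Join-Path $system32 $_.Name))
    } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Dll       = $_.FullName
            Signature = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        }
    } | Format-Table -AutoSize
```

Run it as `.\Audit-DllHijack.ps1 -AppDir 'C:\Program Files\SomeApp'`. A hit in step 4 is only a hijack if the signature is not the vendor's: a validly signed copy of a system DLL shipped by the vendor in its own directory is common and legitimate. Conversely, a writable directory with no shadowing DLL is still a finding if the application probes for libraries that do not exist, because the first writable directory on that probe sequence is enough; a Process Monitor trace of the application's failed lookups shows which those are.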

How to identify a DLL hijacking attack

Process Monitor (Procmon), a free Sysinternals tool, records file system, registry and process activity in real time, including every attempt an application makes to open a DLL and whether that attempt succeeded. (The steps below use Procmon's filter dialog; its sibling Process Explorer shows the DLLs a process has already loaded but not the failed lookups.) By filtering the event stream you can see where a program looks for its libraries and spot a DLL being loaded from a directory where it does not belong. Follow these steps:

  1. Download Process Monitor from Microsoft Sysinternals and run it; capture starts immediately.
  2. Launch the application suspected of being vulnerable or targeted, then press Ctrl + L and add the filter Process Name is [application executable] so that only its events are shown.
  3. Press Ctrl + L and add the filter Path ends with .dll. Click Add and then Apply. You now see every DLL the application tried to open, in search order.
  4. Press Ctrl + L again and add the filter Result is NAME NOT FOUND. Click Add and then Apply. Each remaining line is a directory where the application looked for a DLL and did not find it. If such a directory is writable by a standard user, a DLL planted there would be loaded on the next run; a DLL that is never found in any directory (a "phantom" DLL) is the easiest target.
  5. Press Ctrl + L once more and add the filter Path begins with [application directory]. Click Add and then Apply to see the lookups that hit the application's own folder. Then remove the Result filter (or set Result is SUCCESS) and check which DLLs were actually loaded from there: a DLL loaded from the application directory, a user profile or a temp folder when the legitimate copy lives in System32 is the signature of an active hijack.
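To work through a trace offline rather than in the GUI, here is an added script; it is not from the original article or from Sysinternals. It reads a Process Monitor CSV export and groups the failed DLL lookups by library name. The export embedded below is constructed for the example: the process name ExampleApp.exe, its install path and the two DLL names are assumptions, not data from a real capture. The script separates two cases, a shadowable DLL that missed in one or more directories before being found (planting a copy in any of those earlier directories wins) and a phantom DLL that was never found anywhere, and then checks whether the current user can actually create a file in each probed directory.

```powershell
# Added example, not code from the original article. Triage a Process Monitor
# CSV export (File > Save..., "Comma-Separated Values") for DLL search-order
# hijacking candidates. The sample below is constructed: ExampleApp.exe, its
# install path and the two DLL names are assumptions, not real data.
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:31.1000001 AM","ExampleApp.exe","4120","CreateFile","C:\Program Files\ExampleApp\VERSION.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:31.1000002 AM","ExampleApp.exe","4120","CreateFile","C:\Windows\System32\VERSION.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:31.1000003 AM","ExampleApp.exe","4120","CreateFile","C:\Program Files\ExampleApp\optplugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:31.1000004 AM","ExampleApp.exe","4120","CreateFile","C:\Windows\System32\optplugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:31.1000005 AM","ExampleApp.exe","4120","CreateFile","C:\Windows\System\optplugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:31.1000006 AM","ExampleApp.exe","4120","CreateFile","C:\Windows\optplugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:31.1000007 AM","ExampleApp.exe","4120","CreateFile","C:\Users\alice\AppData\Local\Programs\Tools\optplugin.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:31.1000008 AM","ExampleApp.exe","4120","Load Image","C:\Windows\System32\VERSION.dll","SUCCESS","Image Base: 0x7ffb1a2b0000"
'@

function Get-DllHijackCandidates {
    param([Parameter(Mandatory)][string]$CsvText)

    $rows = $CsvText | ConvertFrom-Csv
    # The loader probes each search-order directory with a CreateFile on the
    # bare file name; a miss shows as NAME NOT FOUND. Procmon writes rows in
    # time order, so grouping by name preserves the probe sequence.
    $rows |
        Where-Object { $_.Operation -eq 'CreateFile' -and $_.Path -like '*.dll' } |
        Group-Object { (Split-Path -Path $_.Path -Leaf).ToLowerInvariant() } |
        ForEach-Object {
            $misses = @($_.Group | Where-Object { $_.Result -eq 'NAME NOT FOUND' })
            $hit    = $_.Group | Where-Object { $_.Result -eq 'SUCCESS' } | Select-Object -First 1
            if ($misses.Count -eq 0) { return }   # found on the first probe: nothing can get ahead of it
            [pscustomobject]@{
                Dll        = $_.Name
                Kind       = if ($hit) { 'shadowable' } else { 'phantom' }
                LoadedFrom = if ($hit) { $hit.Path } else { '(never found)' }
                PlantDirs  = @($misses | ForEach-Object { Split-Path -Path $_.Path -Parent } | Select-Object -Unique)
            }
        }
}

function Test-CanCreateFile {
    # Definitive writability test for the current user: create and delete a probe file.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

foreach ($c in Get-DllHijackCandidates -CsvText $sampleCsv) {
    Write-Host ('{0}: {1}, loaded from {2}' -f $c.Dll, $c.Kind, $c.LoadedFrom)
    foreach ($dir in $c.PlantDirs) {
        Write-Host ('    probed {0}  (current user can create files here: {1})' -f $dir, (Test-CanCreateFile -Directory $dir))
    }
}
# For a real capture: Get-DllHijackCandidates -CsvText (Get-Content .\Logfile.CSV -Raw)
```

On the constructed sample, version.dll comes out as shadowable with one planting directory (the application folder, which missed before System32 hit), and optplugin.dll as a phantom with five candidate directories, the last of them a per-user PATH entry. The writability probe is only meaningful on the machine that produced the trace and, because it creates a file, should be run as the least privileged account that uses the application; a directory it can write to is a working hijack path for that account.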

Examples of known DLL hijacking threats

DLL hijacking has been a persistent threat to Windows systems for many years. The following procedure examples, drawn from MITRE ATT&CK's entry for DLL Search Order Hijacking (T1574.001), show how widely it is used:

  • APT41: Uses search order hijacking.
  • FinFisher: Variants use DLL search order hijacking.
  • Chaes: Uses search order hijacking to load a malicious DLL.
  • Astaroth: Launches itself via search order hijacking.
  • BOOSTWRITE: Exploits the loading of a legitimate DLL to get its own copy loaded.
  • BackdoorDiplomacy: Uses search order hijacking.
  • HiKit: Uses search order hijacking as a persistence mechanism.
  • Crutch: Persists through search order hijacking.
  • Downdelph: Escalates privileges by hijacking the DLL search order of a legitimate Windows executable.
  • InvisiMole: Is launched via search order hijacking, its wrapper DLL being loaded at startup by a Windows process in place of the legitimate library.
  • HTTPBrowser: Abuses the DLL load order of a legitimate antivirus binary to load a malicious DLL named after one of the product's own libraries.
  • Ramsay: Hijacks the dependencies of outdated Windows applications with malicious versions of its own DLL payload.
  • menuPass: Uses DLL search order hijacking.
  • Threat Group-3390: Delivers payloads via DLL search order hijacking.
  • Whitefly: Uses search order hijacking to run its loader.
  • RTM: Uses search order hijacking to force TeamViewer to load a malicious DLL.
  • Tonto Team: Loads malicious DLLs by abusing legitimate Microsoft executables.
  • Melcoz: Uses DLL hijacking to bypass security controls.

How to Prevent DLL Hijacking

The primary defense against DLL hijacking rests with software developers, who must adhere to secure coding practices and never let Windows fall back to its default DLL search order. Concretely: load libraries by fully qualified path, or call LoadLibraryEx with the LOAD_LIBRARY_SEARCH_SYSTEM32 or LOAD_LIBRARY_SEARCH_APPLICATION_DIR flags (or set the policy process-wide with SetDefaultDllDirectories); install the application into a directory that standard users cannot write to; and do not probe for optional dependencies that may not exist, since every failed lookup is a planting opportunity.

However, since secure coding practices cannot offer absolute guarantees, organizations should bolster their defenses with additional measures:

  • Keep antivirus software up-to-date: While antivirus software may not catch every sophisticated supply chain attack, it remains effective at detecting and blocking many planted or trojanized DLLs. Regular updates keep its detection methods current.
  • Utilize DLLSpy: An open-source tool, available on GitHub, that scans running processes and services and their binaries for DLL hijacking opportunities, including ones that would yield privilege escalation. Run it on a build before release and on production hosts after deployment.
  • Educate staff about phishing and social engineering: Preventing DLL hijacking hinges on mitigating the introduction of malicious DLL files into an ecosystem. Staff education on identifying the warning signs of social engineering and phishing attacks, along with implementing best security practices, is crucial. Best practices include establishing an accessible Information Security Policy, enforcing multi-factor authentication, and routing suspicious emails to designated staff members for review before engagement.
  • Strengthen security posture: Continuous monitoring of the attack surface allows organizations to promptly identify vulnerabilities within their ecosystems, reducing the risk of DLL hijack attacks. BreachSight by UpGuard facilitates this process by identifying all risks and tracking remediation efforts.
  • Implement a vendor risk management solution: Given the prevalence of supply chain attacks resulting from vendors’ inadequate cybersecurity practices, organizations should adopt innovative vendor risk management technologies. Solutions like Vendor Risk by UpGuard enable continuous monitoring of the security posture of the entire vendor network.

FAQs

What is DLL hijacking?

DLL hijacking is an attack in which an adversary gets a legitimate Windows application to load a malicious dynamic link library (DLL) instead of the one it meant to load, usually by abusing the order in which Windows searches for DLLs. A single planted file is enough to run the attacker's code with the application's privileges.

How do DLL files contribute to DLL hijacking?

DLLs, Windows' shared library format, hold code and resources that applications load at run time. Attackers abuse the order in which Windows searches for a DLL requested by name, planting a same-named malicious file in a directory that is searched first, so the application loads it instead of the legitimate library.

How can DLL hijacking be detected?

Process Monitor (Sysinternals) records file system activity in real time, including every directory an application probes while resolving a DLL and whether each probe succeeded. Filtering on .dll paths with a NAME NOT FOUND result reveals where a DLL could be planted; filtering on successful loads from unexpected directories reveals one that already has been.

What are some known examples of DLL hijacking threats?

Notable examples include APT41, FinFisher, and menuPass, which employ various methods such as search order hijacking to compromise systems and distribute payloads.

What preventative measures can be taken against DLL hijacking?

Software developers should load DLLs by fully qualified path, or restrict the search with LoadLibraryEx flags and SetDefaultDllDirectories, rather than by bare name. Organizations should keep antivirus software updated, use tools such as DLLSpy to find hijackable processes and services, educate staff about phishing and social engineering, strengthen their security posture, and manage vendor risk to reduce the chance of a malicious DLL reaching their systems.

Conclusion

DLL hijacking remains a significant cybersecurity threat to Windows systems. By understanding how the DLL search order is abused, detecting planting opportunities and active hijacks with tools like Process Monitor, and implementing robust preventative measures, organizations can effectively safeguard their systems. Emphasizing secure coding practices (loading libraries by full path), educating staff, maintaining updated antivirus software, and continuously monitoring for vulnerabilities are essential steps in protecting against this pervasive threat. With a comprehensive approach to security, it is possible to minimize the risks associated with DLL hijacking and preserve the integrity of your systems.
