Hackers use double DLL sideloading to avoid detection

An APT hacking group known as "Dragon Breath", "Golden Eye Dog" or "APT-Q-27" is demonstrating a new trend: it uses several complex variations of classic DLL sideloading to avoid detection.

These attack variants start with an initial stage that leverages a clean application, most often Telegram, which drops a secondary, sometimes clean, payload that in turn drops a malicious DLL.

The lure for victims is a Trojanized Telegram, LetsVPN or WhatsApp for Android, iOS or Windows, purportedly aimed at people in China. The Trojanized applications are believed to be promoted through BlackSEO or malvertising.

According to Sophos analysts who have been monitoring the recent attacks, the targeting scope of this campaign is focused on Windows users in China, Japan, Taiwan, Singapore, Hong Kong and the Philippines.


Double DLL sideloading

DLL sideloading is a technique that attackers have been abusing since 2010; it exploits the way Windows locates and loads the Dynamic Link Library (DLL) files an application requires.

The attacker places a malicious DLL with the same name as the legitimate, required DLL in an application's directory. When the user launches the executable, Windows prioritizes the local malicious DLL over the one in the system folders.

The attacker's DLL contains malicious code that is loaded at this point, giving the attacker the privileges of, and the cover of, the trusted, signed application that loads it, and letting them execute commands on the host.

Victims run the installer of one of the mentioned apps, which creates a shortcut on the desktop.

When the victim launches the desktop shortcut, which is the expected first step, it does not start the application but instead runs the following command.


The command executes a renamed copy of 'regsvr32.exe' ('appR.exe') to run a renamed copy of 'scrobj.dll' ('appR.dll') and provides a DAT file ('appR.dat') as input. The DAT file contains JavaScript code to be executed by the script execution engine library ('appR.dll').

The JavaScript code launches the Telegram app's user interface in the foreground, while installing several sideloading components in the background.

It then launches an application that uses a clean dependency ('libexpat.dll') to load a second clean application as an intermediate stage of the attack.
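As an added defender's example (not code from the article or from Sophos), the following Python hunts for the two telltales of this chain in process-creation and image-load telemetry: a process whose PE OriginalFileName is regsvr32.exe but whose on-disk name or location differs (the 'appR.exe' trick), and a copy of scrobj.dll loaded from outside the Windows system directories (the 'appR.dll' trick). The event fields, paths and command line below are constructed assumptions modeled on Sysmon-style records.

```python
import ntpath
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: a minimal watch list taken from the chain in the article;
# extend it with other script hosts and commonly sideloaded DLLs as needed.
WATCHED_EXE = {"regsvr32.exe"}
WATCHED_DLL = {"scrobj.dll"}

@dataclass
class Event:
    kind: str           # "process" (creation) or "imageload" (DLL mapped)
    image: str          # on-disk path of the process or loaded module
    original_name: str  # OriginalFileName from the PE version resource
    command_line: str = ""

def _in_system_dir(path: str) -> bool:
    # ntpath handles Windows paths correctly even when run on Linux.
    return ntpath.dirname(path).lower() in SYSTEM_DIRS

def classify(ev: Event) -> list:
    """Return finding strings for one event; an empty list means nothing matched."""
    findings = []
    disk_name = ntpath.basename(ev.image).lower()
    orig = ev.original_name.lower()
    if ev.kind == "process" and orig in WATCHED_EXE:
        if disk_name != orig:
            findings.append(f"masquerade: {ev.image} is really {orig}")
        if not _in_system_dir(ev.image):
            findings.append(f"system binary copied out of place: {ev.image}")
    elif ev.kind == "imageload" and orig in WATCHED_DLL:
        if disk_name != orig or not _in_system_dir(ev.image):
            findings.append(f"sideloaded {orig}: {ev.image}")
    return findings

def scan(events) -> list:
    return [f for ev in events for f in classify(ev)]

# Constructed sample telemetry: two benign events followed by the trojanized chain.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\regsvr32.exe", "regsvr32.exe",
          r"regsvr32.exe /s vendor.dll"),
    Event("imageload", r"C:\Windows\System32\scrobj.dll", "scrobj.dll"),
    Event("process", r"C:\Users\v\AppData\Local\TApp\appR.exe", "regsvr32.exe",
          r"appR.exe /i:appR.dat appR.dll"),
    Event("imageload", r"C:\Users\v\AppData\Local\TApp\appR.dll", "scrobj.dll"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
```

The benign events produce nothing; the renamed regsvr32 triggers two findings and the relocated scrobj.dll one, which is the signal a hunt query on OriginalFileName versus on-disk name gives regardless of what the attacker calls the files.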

In one variant of the attack, the clean application "XLGame.exe" is renamed to "Application.exe", and the loader is also a clean executable, signed by Beijing Baidu Netcom and Technology Co., Ltd.


In another variant, the clean loader is "KingdomTwoCrowns.exe", which is not digitally signed; Sophos was unable to determine what benefit it offers other than obfuscating the execution chain.

In a third variant of the attack, the loader is the clean executable "d3dim9.exe", digitally signed by HP Inc.


The final payload

In all observed attack variants, the final DLL payload is decrypted from a text file ("templateX.txt") and executed on the system.

This payload is a backdoor that supports various commands such as rebooting the system, modifying registry keys, recovering files, stealing content, running commands in a hidden CMD window, and more.

The backdoor also targets Chrome's MetaMask extension for the MetaMask cryptocurrency wallet, aiming to steal digital assets from victims.

In summary, DLL sideloading remains an effective attack method for hackers, and one that Microsoft and developers have failed to address for over a decade.

In the latest APT-Q-27 attack, analysts observed DLL sideloading variants that are difficult to detect.


Written by Anastasis Vasileiadis
