Defending against recent and older cyber attacks
TL;DR
In recent months threat actors have been leveraging alternative means of compromising Windows-based systems in order to evade detection. Make certain to download and install software from legitimate sources and, where possible, make use of the Windows driver blocklist (further recommendations are listed below).
====================
By employing techniques such as DLL sideloading (defined below; first seen in 2010) and bring your own vulnerable driver (BYOVD), threat actors are seeking to increase their chances of success, whether that is information stealing, cryptocurrency theft or the installation of ransomware.
DLL Sideloading
Computer users in China have recently fallen victim to trojanised applications believed to have originated from black search engine optimisation (SEO) results or malicious advertising (malvertising).
The advanced persistent threat (APT) group Dragon Breath has begun to use a variation of a classic DLL sideloading technique (MITRE ATT&CK framework T1574.002) seeking to evade detection in order to infect systems. The applications being targeted by the group are primarily Telegram, LetsVPN and WhatsApp for Android, Apple iOS, or Windows. The group is targeting Chinese speaking users within China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.
As defined by CrowdStrike, “DLL side-loading is the proxy execution of a malicious DLL via a benign executable planted in the same directory, similar to DLL search-order hijacking.” Since the application loading the malicious DLL is trusted, the DLL is less likely to be detected. The DLL will also often employ encrypted or obfuscated (deliberately hard to understand) code to bypass basic anti-malware scanning. In this particular attack, the malicious code is loaded from an encrypted text file, and it is a second clean application that loads the malicious DLL.
Within this attack, the DLL deploys a backdoor (a means of hidden access) to the system which accepts commands from the threat actor enabling them to:
1. Edit Windows registry keys
2. Download files of their choice
3. Steal clipboard contents
4. Enter commands of the threat actor’s choice into a hidden command prompt window
5. Restart the system
6. Steal cryptocurrency from the MetaMask Google Chrome extension
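An added example of a defender's triage check for the pattern described above (this is not code from the article or from any vendor it cites): a PowerShell script that lists DLLs sitting beside an executable and flags those that share a name with a System32 DLL (the search-order hijack shape of sideloading) or whose Authenticode signature is missing, broken, or from a different publisher than the neighbouring executable. The folder path is supplied by the caller, and the heuristics are assumptions intended for analyst review rather than a verdict.

```powershell
# Added example (not from the original article): triage a folder for DLL sideloading indicators.
# Assumes Windows PowerShell 5.1 or later and a folder path supplied by the caller.
# Heuristics (assumptions for analyst review):
#   1. A DLL beside the EXE with the same name as a DLL in System32 is a candidate for
#      search-order hijacking / sideloading.
#   2. A DLL that is unsigned, has a broken signature, or is signed by a different publisher
#      than the EXE it sits next to deserves a closer look.
param(
    [Parameter(Mandatory)] [string] $AppDir
)

$system32 = Join-Path $env:WINDIR 'System32'
# Index System32 DLL names once so each per-file lookup is a hashtable hit.
$systemDlls = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }

# Publisher(s) of the executables in the folder; a legitimate DLL normally matches one of them.
$exePublishers = Get-ChildItem -Path $AppDir -Filter '*.exe' -File |
    ForEach-Object { (Get-AuthenticodeSignature $_.FullName).SignerCertificate.Subject } |
    Where-Object { $_ } | Sort-Object -Unique

$findings = foreach ($dll in Get-ChildItem -Path $AppDir -Filter '*.dll' -File) {
    $sig = Get-AuthenticodeSignature $dll.FullName
    $reasons = @()
    if ($systemDlls.ContainsKey($dll.Name.ToLowerInvariant())) {
        $reasons += 'same name as a System32 DLL (search-order hijack candidate)'
    }
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    } elseif ($exePublishers -and $sig.SignerCertificate.Subject -notin $exePublishers) {
        $reasons += 'signed by a different publisher than the neighbouring EXE(s)'
    }
    if ($reasons) {
        # Record enough detail (hash, timestamp, publisher) for follow-up in EDR or a SIEM.
        [pscustomobject]@{
            File      = $dll.FullName
            LastWrite = $dll.LastWriteTimeUtc
            SHA256    = (Get-FileHash -Algorithm SHA256 $dll.FullName).Hash
            Publisher = $sig.SignerCertificate.Subject
            Reasons   = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-List } else { "No sideloading indicators found in $AppDir" }
```

Run it against the install folder of a messaging or VPN client (for example `.\Find-SideloadCandidates.ps1 -AppDir 'C:\Program Files\SomeApp'`); a hit is a prompt to compare the file against a clean install, not proof of compromise.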
Recommended Mitigations
Download software and software updates from trusted sources.
For corporate environments, centralise the deployment and updating of your software, seeking to prevent the use of shadow IT as well as the use of compromised software installers as seen in the above examples.
For corporate environments, employ the use of EDR, MDR (Managed EDR) or XDR (Extended EDR) solutions to detect and respond to attacks sooner.
====================
Bring Your Own Vulnerable Driver (BYOVD)
As a response to Microsoft blocking the use of macros (a series of commands and instructions that you group together as a single command to accomplish a task automatically) since July 2022, threat actors have increasingly used a technique known as Bring Your Own Vulnerable Driver (BYOVD).
In February 2023, Trend Micro observed the BlackCat ransomware using a signed kernel driver to evade detection by anti-malware and Endpoint Detection and Response (EDR) solutions. The threat actors must already hold elevated privileges on a system to install such a driver, sometimes obtained using stolen network credentials or SMS phishing. Such a capability also enables the threat actors to terminate almost any running security solution.
The use of such drivers is often associated with more sophisticated groups that have the skills and funding to develop and test them. Signed drivers are used maliciously to impair defences and to stay hidden for longer, because they allow the attackers to “shift left” within the cyber kill chain (beginning their attack at an earlier stage of the kill chain), blocking detection before they launch their primary attacks within a compromised environment.
Recommended Mitigations
For corporate environments, employ the use of EDR, MDR (Managed EDR) or XDR (Extended EDR) solutions to detect and respond to attacks sooner, including detecting the indicators of compromise shared by vendors such as Trend Micro for such attacks. A security information and event management (SIEM) system can provide this capability across your entire environment (when its scope encompasses all of your devices).
For consumer and corporate environments, make certain your Windows system has the Windows driver blocklist enabled. Windows Defender (when used as the primary anti-malware solution) can also be used to enable an Attack Surface Reduction rule to block abuse of exploited vulnerable signed drivers.
My thanks to BleepingComputer, The Register, Sophos, Trend Micro and CrowdStrike as references for this article.