THREAT ANALYSIS: Taking Shortcuts… Using LNK Files for Initial Infection and Persistence
In this Threat Analysis report, Cybereason investigates and explores various techniques for abusing the Windows Shortcut file format.
This Threat Analysis Report is part of the Purple Team Series. In this series, the Managed Detection and Response (MDR) and Threat Intelligence teams from the Cybereason Global Security Operations Center (GSOC) explore widely used attack techniques, outline how threat actors leverage these techniques, describe how to reproduce an attack, and report how defenders can detect and prevent these attacks.
Purple Team Series reports include three sections:
DLL side-loading attacks leverage vulnerable software to load malicious DLLs that enable the malware to persist and evade security mechanisms.
DLL side-loading attacks use the DLL search order mechanism in Windows to plant and then invoke a legitimate application that executes a malicious payload. Threat actors commonly use this technique for persistence, privilege escalation, and defense evasion. Traditionally, the technique is called DLL side-loading because the attacks abused the Microsoft SxS (Side by Side) directory.
DLL side-loading has several important advantages:
The challenge of any sort of DLL Side-Loading attack is that the attacker needs “write” permissions to the directory where the DLL needs to be in, at load time.
Traditionally, DLL attacks involved taking advantage of an incorrectly configured manifest file of an executable to drop and successfully execute a malicious DLL in the Microsoft SxS (Side by Side) directory. This is where the ‘’ aspect of the name originated from.
Nowadays, attackers can circumvent the permissions challenge by employing a method where they provide their own DLL to be used for the side-loading.
Attackers who conduct a DLL side-loading attack might follow these steps:
DLL side-loading is a very popular attack technique that MITRE has tracked since 2017. Cybereason has addressed this technique in the following and other publications:
For descriptions of several more DLL side-loading attacks, see the Blue Team section below.
Note: Our example uses an atomic test from the Red Canary Atomic Red Team framework. The Cybereason team modified the test source code and delivery mechanism of this test.
The process of building a DLL side-loading attack is as follows:
|
Automation Tools While you must manually find an executable file that has a DLL that can be side-loaded, you can use tools such as SharpDllProxy to automate finding the exports and building a malicious DLL. |
Lists of side-loadable DLLs are available from sources such as the XForceIR SideLoadHunter repository in GitHub and the Hijack Libs project. For more information about the Hijack Libs project, see the Hijack Libs section in this report.
To manually find executables that are vulnerable to DLL side-loading:
If Process Monitor shows that the executable file tries to locate missing DLL files in the same directory where you run the executable file or in other locations, you might be able to use this executable file in a DLL side-loading attack:
"Libcurl.dll was not found" error message
A DLL side-loading vulnerability affects an older version of GUP.exe. This file is the executable for WinGup, a generic updater for Windows executables that is found in Notepad++, the popular Notepad replacement application. The location of this executable is generally the \Program Files\Notepad++\updater\ directory.
To determine whether GUP.exe could offer a DLL side-loading possibility, we copied GUP.exe to an empty directory and then ran the file. We received the following error message:
The code execution cannot proceed because libcurl.dll was not found. Reinstalling the program may fix this problem.
Next, we started Process Monitor, and then we ran GUP.exe from the empty directory again. The GUP.exe file attempted to locate the libcurl.dll module in the same directory, as well as in multiple additional locations:
Process Monitor output showing GUP.exe attempting to locate libcurl.dll
The screenshot shows GUP.exe attempting to locate the libcurl module in the same directory as well as multiple locations that fall in line with the Windows DLL search order. This tells us that we may be able to create our own libcurl.dll that would be loaded by GUP.exe.
Next, we loaded GUP.exe into IDA Pro to see the import address table (IAT) and found the names of the required functions and exports that the executable imports. The GUP.exe file imports several exports from libcurl.dll:
We could reference the cURL documentation for these exports and build the functions as needed:
Example cURL documentation
Note: The source code from the Red Canary atomic test project shows that the exports do not have to be functional. To facilitate the attack process, the header section of the code only needs to declare these exports:
Header section declaring exports for libcurl.dll
We stored the malicious command in the DllUnregisterServer() method. This method executes at load time when DLL_PROCESS_ATTACH is called from DllMain():
The DllUnregisterServer() method storing the malicious command
At load time, our malicious version of libcurl.dll executed a PowerShell command that retrieved a Meterpreter payload from a remote server.
We used the following attack path:
The following diagram shows the attack path we followed:
To weaponize our attack, we created a shortcut (LNK) file that we modified to call cmd.exe and execute GUP.exe. Gup.exe loads the malicious libcurl.dll file and launches the Meterpreter payload.
To make the LNK file appear legitimate, we changed the icon to look like a document file icon, added comments that appeared to be file metadata, and marked GUP.exe and libcurl.dll as hidden files. We then packaged all the files in a password-protected ZIP file:
Weaponized LNK file
Staged ZIP file ready for delivery
On execution of the LNK, PowerShell launches as expected and we have our meterpreter session:
Meterpreter session
This section describes the analysis of the resulting telemetry created on the victim machine.
After we started the malicious DLL we had created, several processes started.
The Cybereason process tree shows that the LNK file executed GUP.exe. When GUP.exe loaded our malicious DLL, the DLL created child processes of cmd.exe and PowerShell.exe so that the Meterpreter payload could execute:
Process tree showing cmd.exe and PowerShell.exe child processes as seen in the Cybereason Defense Platform
Cybereason detected and created a MalOp for this behavior based on the PowerShell.exe loader:
Child processes resulting from the Meterpreter session commands as seen in the Cybereason Defense Platform
DLL side-loading attacks are common and widespread. Well-known attacks include the Netwire and Remcos and Kaseya attacks in 2021 and Operation SoftCell in 2018. In 2022, the Mustang Panda group leveraged DLL side-loading to load PlugX, a random access Trojan (RAT) with multiple embedded modules that has become widely popular among threat actors.
For more information about the popularity of the DLL side-loading attack technique, see Hijack Labs.
|
Malware |
Vulnerable Software |
DLL Name |
More Information |
|
NetWire, Remcos |
OpenVPN GUI (openvpn-gui.exe) |
libcrypto-1_1.dll |
Cybereason Exposes Campaign Targeting US Taxpayers with NetWire and Remcos Malware |
In March 2021, a campaign targeting US taxpayers delivered two prominent commercial RATs, NetWire and Remcos, with documents that purported to contain tax-related content:
The malicious libcrypto-1_1.dll is side-loaded by the legitimate openvpn-gui.exe, ultimately loading Remcos/NetWire as seen in the Cybereason Defense Platform
The NetWire RAT injects malicious code into tracert.exe, which downloads the OpenVPN client (openvpn-gui.exe) along with a trojanized DLL file called libcrypto-1_1.dll. When a user executes this DLL file, the malware side-loads libcrypto-1_1.dll to the OpenVPN client, ultimately injecting the malicious code into a notepad.exe process that corresponds to NetWire.
|
Malware |
Vulnerable Software |
DLL Name |
More Information |
|
REvil |
Windows Defender (MsMpEng.exe) |
mpsvc.dll |
In 2021, a threat actor used Kaseya, a managed service provider (MSP), to deploy REvil, a ransomware as a service (RaaS) program, in a supply chain attack on companies across the globe.
The REvil malware gained initial access through the Kaseya agentmon.exe agent, then leveraged MsMpEng.exe, the Microsoft Defender vulnerability binary, to side-load a malicious mpsvc.dll module:
Kaseya compromised agent loaded the legitimate msmpeng.exe, which side-loaded a malicious version of mpsvc.dll as seen in the Cybereason Defense Platform
|
Malware |
Vulnerable Software |
DLL Name |
More Information |
|
PoisonIVY (PIVY) |
Samsung RunHelp (RunHelp.exe) |
ssMUIDLL.dll |
Operation SoftCell: A Worldwide Campaign Against Telecommunications Providers |
In 2019, Cybereason identified an advanced persistent attack targeting telecommunications providers that had been underway for several years. One phase used the PoisonIvy (PIVY) RAT to maintain access in the compromised environments:
Runhelp.exe side-loads ssMUIDLL.dll, and spawns nslookup.exe as seen in the Cybereason Defense Platform
This attack used a DLL side-loading technique to drop the PIVY payload along with RunHelp.exe, a trusted and signed Samsung tool:
We analyzed a PlugX malware sample to determine how this malware leverages the DLL side-loading technique.
|
Threat Actor |
Malware |
Vulnerable Software |
DLL name |
|
Mustang Panda |
PlugX |
Adobe Reader (AAM update.exe) |
hex.dll |
Mustang Panda, a Chinese cyberespionage group, has targeted many organizations with a revised version of the PlugX malware. PlugX is a RAT embedded with multiple modules.
The Cybereason GSOC team investigated a 2022 incident in which the Mustang Panda group used a set of files stored on a USB device to load the PlugX payload
The USB device contained four files:
Note: The names of these files can vary. Many payloads have a .dat extension:
The image below represents the attack chain for this incident:
In that incident :
To access a victim's computer, the threat actor executes the initial binary, adobehelp.exe. The Cybereason NGAV engine detects this binary:
Adobeupdate.exe file element as seen in the Cybereason Defense Platform
The signer of the file, Wuhan Aixinsen Technology Co., Ltd., is also the signer for the other malicious executable files in this example. The following process tree results from the execution of adobehelp.exe:
PlugX loading process tree as seen in the Cybereason Defense Platform
First, adobehelp.exe executes adobeupdate.exe, a legitimate binary that is digitally signed by Adobe. However, because adobeupdate.exe is vulnerable to DLL side-loading, adobeupdate.exe side loads a module, hex.dll, from the RECYCLERS.BIN folder instead of loading the legitimate version of hex.dll from its legitimate folder.
The hex.dll module is actually the PlugX loader. The hex.dll module loads and then decrypts adobeupdate.dat to obtain the PlugX payload. The Loaded Modules screen in the Cybereason platform shows the adobeupdate.exe and aam update.exe processes loading the hex.dll file:
Adobeupdate.exe and aam update.exe load hex.dll as seen in the Cybereason Defense Platform
Mustang Panda side-loads the malicious hex.dll file in all subsequent Adobe processes. The Cybereason platform shows access to the hex.dll file in file events related to adobeupdate.exe:
File events associated with the adobeupdate.exe process as seen in the Cybereason Defense Platform
Process Monitor also shows the hex.dll file loading:
Process Monitor showing hex.dll loading
The hex.dll module loads and then decrypts adobeupdate.dat to obtain the actual PlugX payload. Then, when hex.dll has loaded PlugX, the binary copies the different files to another folder, C:\Users\[username]\AAM Updatevlm\, and executes AAM Update.exe from that folder.
The system events related to these processes show adobeupdate.exe reading the adobeupdate.dat file, which is the encrypted PlugX payload:
Process Monitor showing adobeupdate.exe reading adobeupdate.dat
This sample contains a persistence mechanism that has three phases. The malware:
To ensure that a copy of the malicious PlugX loader will remain on the machine even if the USB device is removed, the binary creates a specific folder named C:\Users\[username]\AAM Updatevlm\, and copies the following files to this folder:
Adobeupdate.dat creates C:\Users\[username]\AAM Updatevlm\ and copies files from the USB device
In the host’s Windows registry, the binary sets the following paths to create an Autorun key so that PlugX runs each time a user logs on to the machine:
Registry events associated with the adobeupdate.exe process
Process Monitor shows this behavior:
Process Monitor showing the set registry values
To maintain remote access, the aam update.exe process connects to IP address 45.251.240[.]55:
Network connections from the aam update.exe process as seen in the Cybereason Defense Platform
This IP address, which is linked to Mustang Panda, tries to contact a URL of http[:]//45.251.240[.]55:443/update. The malware connects to TCP ports 443 (HTTPS), 8080, and 8000.
When the filename binary is configured to infect other devices through a USB, the sample executes a BAT file automatically by using the following command:
C:\Windows\system32\cmd.exe /c D:\RECYCLERS.BIN\FEAC369263B0908F\tmp.bat
This BAT file issues the following OS and network reconnaissance commands:
This action creates the following process tree. In this case, this binary is run with the -app argument:
Process tree showing OS and network reconnaissance when USB infection mode is enabled as seen in the Cybereason Defense Platform
To detect DLL side-loading attacks, you can look for specific warning signs or consult open source projects. Signs of DLL side-loading attacks include unsigned DLLs in signed portable executable (PE) files, suspicious loading paths, and timestamps that show gaps between the PE compilation time and DLL loading time:
Legitimate PEs are most often digitally signed, and the DLLs that these PEs load are also often digitally signed. A legitimate, digitally signed PE loading an unsigned DLL can be a sign of an attack, especially if processes are running that have elevated privileges.
DLL side-loading often abuses the Windows DLL search order so that malicious files load before safe files. The paths for these files can include signs that the files are malicious. The paths to legitimate, verified software files generally include clear references to well-known businesses or products. For example, the path to a Cybereason DLL file might be C:/<username>/programs/Cybereason/1234.dll. If a DLL loads from a path that includes text such as “Desktop”, “Downloads”, or “%programdata%”, the DLL might be malicious.
Each PE has a timestamp that indicates the time when the binary file was compiled. If the compilation timestamp for the executable is very different from the timestamp for one of the PE's loaded DLLs, the loaded DLL could be a malicious implant.
Several open source projects address DLL side loading, including Windows Feature Hunter, DLL Spy, and Hijack Libs.
Windows Feature Hunter (WFH) is a proof of concept Python script that uses Frida, a dynamic instrumentation toolkit, to help identify common vulnerabilities or “features” in Windows executables.
WFH can automatically identify potential DLL side-loading and Component Object Model (COM) hijacking opportunities at scale:
Screenshot of the help output of WFH
DLLSpy detects DLL side-loading and and other side-loading attacks in running processes, services, and static PEs by using three approaches:
Example output from DLLSpy
Hijack Libs provides a list of PEs that are vulnerable to DLL side-loading and other DLL hijacking attacks. The repository enables defenders to gain understanding on potentially targeted DLLs within their environments.
Hijack Libs entry for wsc.dll
To efficiently detect DLL side-loading attacks, Cybereason recommends the following:
Cybereason is dedicated to teaming up with Defenders to end cyber attacks from endpoints to enterprise and everywhere else. Learn more about Cybereason XDR powered by Google Chronicle, check out our Extended Detection and Response (XDR) Toolkit, or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
|
Derrick Masters, Principal Security Analyst, Cybereason Global SOC Derrick Masters is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat hunting and purple teaming. Derrick's Global Information Assurance Certification (GIAC) professional certifications include GIAC Certified Forensic Analyst (GCFA), GIAC Certified Detection Analyst (GCDA), GIAC Certified Penetration Tester (GPEN), GIAC Python Coder (GPYC), and GIAC Security Essentials Certification (GSEC). |
|
Loïc Castel, Principal Security Analyst, Cybereason Global SOC Loïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals to better detect compromises. In his career, Loïc has worked as a security auditor in well-known organizations such as the French National Agency for the Security of Information Systems (ANSSI) and as Lead of Digital Forensics & Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research. |
|
Chen Erlich, Lead Threat Researcher, Cybereason Nocturnus Chen has almost a decade of experience in threat intelligence and research, incident response, and threat hunting. Before joining Cybereason, Chen spent three years dissecting advanced persistent threats (APTs), investigating underground cybercriminal groups, and discovering security vulnerabilities in known vendors. Previously, he served as a Security Researcher in the military forces. |
The Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every continent. Led by cybersecurity experts with experience working for government, the military and multiple industry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.
All Posts by Cybereason Global SOC Team
In this Threat Analysis report, Cybereason investigates and explores various techniques for abusing the Windows Shortcut file format.
This report provides unique insight into SocGholish and Zloader attacks and provides an overview of the common tactics and techniques in SocGholish infections...