DLL Sideloading Exploit Targets Banking and Payment Systems

An organization in India is being attacked on average 2927 times per week in the last 6 months, compared to 1368 attacks per organization globally. In Q4 2022, India recorded over 300 million cases of malware attacks per day

SMEStreet Edit Desk

Different levels of attacks are slowly growing in the community – beyond just the usual phishing or deepfake attempts. This sophisticated new malware/trojan attack is designed to steal login credentials and credit card information from payment systems, banks and crypto exchanges. The attack also tricks legitimate business applications into running compromised but innocent-looking dynamic link library (DLL) files -- making it very difficult to detect and block.

An organization in India is being attacked on average 2927 times per week in the last 6 months, compared to 1368 attacks per organization globally. In Q4 2022, India recorded over 300 million cases of malware attacks per day, accounting for 5.81% of the global virus count. Specifically, 41% of the malware detected in India was a Trojan, while 33% was an infector. The Mirai botnet malware attack targeted home routers and IoT devices, affecting 2.5 million devices in the country. Other notable attacks include the Petya ransomware, which caused a computer lockdown and disrupted operations at one of India's largest seaports, and the BSNL malware attack, which impacted nearly 2,000 broadband modems, rendering 60,000 of them dysfunctional.

DLL sideloading is a technique used by cybercriminals to execute malicious code on a target system by exploiting the way Windows loads dynamic link libraries (DLLs). This blog explores how Check Point’s advanced Threat Emulation engines, part of Infinity ThreatCloud AI, detected and prevented a DLL Sideloading attack on one of our customers.

How does DLL Sideloading Work?

Sideloading abuses the standard Windows process by which the operating system loads applications and the libraries they depend on. Hackers accomplish this exploit in three steps:

  • Identification: The attacker identifies a vulnerable application that can be exploited
  • Malicious DLL: The attacker places a seemingly legitimate but compromised DLL file in a directory. When an application runs, it searches for required DLLs in specific directories. If the attacker’s DLL is present in one of these directories, it gets automatically loaded alongside the legitimate application.
  • Execution of Malicious Code: The compromised DLL contains the attacker’s payload. By sideloading it, the attacker can execute their malicious code within the context of the legitimate application.

The primary advantage of DLL sideloading for cybercriminals is that a legitimate application loads a malicious DLL, making it challenging to identify, as the DLL is executed within the context of the trusted application.

Casbaneiro: A DLL Sideloading Case Study

One of Check Point’s customers in Mexico was being targeted by a new version of the Latin American banking trojan “Casbaneiro.” This malware utilizes legitimate resources from Amazon and GitHub to carry out DLL sideloading attacks.

The malware employed a seemingly innocent executable, originally named "identity_helper.exe" and renamed "mssedge.exe," to sideload a malicious DLL named "msedge_elf.dll."

The trojan was detected by Check Point’s Threat Emulation engine in three distinct attacks on customers, each identified by a unique sample hash.

Figure 1 – attack flow

The attack chain started with a malicious MSI file from an Amazon AWS URL, which extracted a ZIP file containing the vulnerable executable file (Microsoft Edge PWA Identity Proxy Host) and the malicious DLL (msedge_elf.dll) [figure 1]. The DLL was then used to connect to a GitHub project [figure 2], which stores an obfuscated address of a C&C server [figure 3].

Figure 2 – runtime snapshot

Figure 3 – the attacker abused GitHub to hide the C&C in encrypted form

The sample decrypted the buffer into an HTTP path that serves as the C&C (hxxp://pushline.gotdns[.]ch/onBo/). Once the decryption was done, the sample tried to communicate with the cybercriminals that created it [Figure 4].

Figure 4 – C&C initial communication snapshot

Finally, the malware scanned the tabs of active browsers (IE, Chrome, Explorer, Firefox) and email services (Outlook and Microsoft 365) in an attempt to obtain login credentials and credit card information for a variety of payment systems, banks, and cryptocurrency exchanges ("Banamex," "Bank of America," and "Binance").

Three commercial organizations in Mexico were attacked, including retail stores and enterprises. Fortunately, all the above were protected by Threat Emulation’s engines, an explanation of which is below.

Threat Emulation Detections

Threat Emulation analyzed statistics of EXE-DLL pairs to identify whether a legitimate EXE was accompanied by an anomalous DLL partner. The approach involves verifying whether the executable file is susceptible to DLL sideloading for a specific DLL name, and then evaluating the DLL actually present against this condition.

Threat Emulation leverages ThreatCloud AI’s extensive knowledge to identify known executable files vulnerable to DLL sideloading and searches for a DLL companion. If one is found, the DLL undergoes emulation alongside the executable to trigger any malicious activity. Furthermore, these DLLs undergo deep static inspection and analysis using dedicated Machine Learning models. Lastly, Threat Emulation verifies that the DLL isn’t officially used with its companion, to minimize false positives.
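The following script is an added example, not Check Point's code, that puts the pairing logic described here (and the three-step sideloading mechanism described earlier) into a defender-side check: walk a folder listing, look for executables known to load a companion DLL by name from their own directory, and flag the pair when the DLL present is not one that officially ships with that executable. The catalogue of sideload-prone executables (`SIDELOAD_PRONE`), the hash allowlist (`KNOWN_GOOD`), the `FileEntry` record and every sample file are constructed for this example; a real deployment would source the first two from threat intelligence and read `original_filename` from the PE version resource, which is what lets the check see through the rename from identity_helper.exe to mssedge.exe in the case study.

```python
"""Flag EXE/DLL pairs that look like DLL sideloading (defender-side check).

Added example illustrating the EXE-DLL pairing approach described in the text;
it is not Check Point's code. The catalogue, the allowlist and all sample
files below are constructed for this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical catalogue: executable (by its ORIGINAL file name, because the
# attacker renames the binary on disk) -> companion DLL name it loads from its
# own directory. A real catalogue would come from threat intelligence.
SIDELOAD_PRONE: Dict[str, str] = {
    "identity_helper.exe": "msedge_elf.dll",
}


@dataclass
class FileEntry:
    """One file in a folder: on-disk name, contents and, for executables, the
    OriginalFilename string of its version resource (constructed here; a real
    implementation would parse it out of the PE VERSIONINFO resource)."""
    name: str
    data: bytes
    original_filename: Optional[str] = None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the DLL that legitimately ships with the executable.
LEGIT_DLL = b"MZ-constructed-legitimate-msedge_elf"

# Hypothetical allowlist: (original exe name, dll name) -> hashes of DLLs that
# officially accompany that executable (the "isn't officially used with its
# companion" check from the text, expressed as a hash allowlist).
KNOWN_GOOD: Dict[Tuple[str, str], Set[str]] = {
    ("identity_helper.exe", "msedge_elf.dll"): {sha256(LEGIT_DLL)},
}


def find_sideload_candidates(files: List[FileEntry]) -> List[dict]:
    """Return one finding per executable that sits next to an unexpected
    companion DLL. Matching uses the executable's original name, so renaming
    identity_helper.exe to mssedge.exe does not evade the check."""
    by_name = {f.name.lower(): f for f in files}
    findings = []
    for f in files:
        if not f.name.lower().endswith(".exe"):
            continue
        original = (f.original_filename or f.name).lower()
        dll_name = SIDELOAD_PRONE.get(original)
        if dll_name is None:
            continue  # not a known sideload-prone executable
        dll = by_name.get(dll_name)
        if dll is None:
            continue  # no companion DLL in the same folder, nothing to load
        digest = sha256(dll.data)
        if digest in KNOWN_GOOD.get((original, dll_name), set()):
            continue  # the DLL that officially ships with this executable
        findings.append({
            "exe": f.name,
            "original_filename": original,
            "dll": dll.name,
            "dll_sha256": digest,
            "reason": "known sideload-prone executable paired with an "
                      "unrecognised companion DLL",
        })
    return findings


# Constructed sample folder mirroring the case study: the renamed executable
# next to a DLL whose hash is not on the allowlist.
SUSPICIOUS_FOLDER = [
    FileEntry("mssedge.exe", b"MZ-constructed-exe",
              original_filename="identity_helper.exe"),
    FileEntry("msedge_elf.dll", b"MZ-constructed-unknown-dll"),
    FileEntry("setup.msi", b"constructed-msi"),
]

# Same pairing, but with the DLL that officially accompanies the executable.
BENIGN_FOLDER = [
    FileEntry("identity_helper.exe", b"MZ-constructed-exe",
              original_filename="identity_helper.exe"),
    FileEntry("msedge_elf.dll", LEGIT_DLL),
]

if __name__ == "__main__":
    for finding in find_sideload_candidates(SUSPICIOUS_FOLDER):
        print(finding)
```

Keying the catalogue on the original file name rather than the on-disk name is the design point: the page's sample was renamed before being dropped next to its DLL, so a check that only looks at `mssedge.exe` would see nothing, while a check that reads the version resource still pairs it with `msedge_elf.dll`. The hash allowlist stands in for the final false-positive step; a DLL that genuinely ships with the executable produces no finding.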

With Check Point’s Threat Emulation, you get the full package of DLL security containing multiple engines to secure your organization against attacks as described above.

Check Point customers using Quantum and Harmony products with activated Threat Emulation are protected against the campaigns detailed in this report.
