Glance at the attack scenario
- As documented by Uptycs, the attack starts with an ISO image that contains three files: a legitimate copy of the Windows binary ctfmon.exe renamed to eBill-997358806.exe, the legitimate MsCtfMonitor.dll renamed to monitor.ini, and a malicious DLL carrying the name MsCtfMonitor.dll. Because ctfmon.exe resolves MsCtfMonitor.dll by name and finds it first in its own directory, the renamed executable sideloads the attacker's DLL instead of the genuine one, with the real library kept alongside it as monitor.ini.
- Running the renamed executable loads the malicious DLL, which places the Quasar RAT payload directly in the computer's memory rather than on disk, a fileless step that sidesteps controls that only scan files.
- Once the Quasar RAT payload is executing in memory, it uses process hollowing: it starts a legitimate process, replaces that process's code with its own, and runs under the legitimate process's name, which hides its activity and makes detection harder.
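The chain above leaves two telemetry artifacts that are cheap to hunt for: a Windows-shipped binary running under a different file name or from outside System32, and a DLL that normally lives in System32 being loaded from the process's own folder. The following Python is an added example written for this page, not code from Uptycs or from the malware; the field names follow Sysmon's event schema (EventID 1 process creation with OriginalFileName, EventID 7 image load with ImageLoaded), the allow-lists of binaries and DLLs are illustrative assumptions, and the sample events are constructed to mirror the described scenario with D:\ standing for the mounted ISO.

```python
"""Heuristic detection of the DLL-sideloading chain described above.

Two checks over Sysmon-style events (field names follow Sysmon's schema):
  EID 1 (process create): a known Windows binary whose on-disk name differs
        from its PE OriginalFileName, or that runs from outside System32/SysWOW64.
  EID 7 (image load):     a DLL that normally lives in System32 being loaded
        from somewhere else, in particular from the loading process's own folder.
The allow-lists below are illustrative assumptions, not a complete inventory.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumption: Windows-shipped binaries and DLLs commonly abused for sideloading.
KNOWN_SYSTEM_EXES = {"ctfmon.exe", "calc.exe", "rundll32.exe"}
KNOWN_SYSTEM_DLLS = {"msctfmonitor.dll", "windowscodecs.dll", "version.dll", "dwmapi.dll"}


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a Windows path (ntpath works off-Windows too)."""
    return ntpath.normcase(ntpath.normpath(path))


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def check_process_create(ev: dict) -> list:
    """Sysmon EID 1: compare the on-disk name with the PE's OriginalFileName."""
    alerts = []
    image = ev["Image"]
    disk_name = ntpath.basename(image).lower()
    pe_name = ev.get("OriginalFileName", "").lower()
    if pe_name and pe_name != disk_name:
        alerts.append(f"renamed binary: {image} is really {pe_name}")
    if (pe_name or disk_name) in KNOWN_SYSTEM_EXES and not _in_system_dir(image):
        alerts.append(f"system binary running outside System32: {image}")
    return alerts


def check_image_load(ev: dict) -> list:
    """Sysmon EID 7: a System32-resident DLL name loaded from a non-system path."""
    alerts = []
    loaded = ev["ImageLoaded"]
    dll_name = ntpath.basename(loaded).lower()
    if dll_name in KNOWN_SYSTEM_DLLS and not _in_system_dir(loaded):
        same_dir = ntpath.dirname(_norm(loaded)) == ntpath.dirname(_norm(ev["Image"]))
        where = "the process's own directory" if same_dir else "a non-system path"
        alerts.append(f"{dll_name} sideloaded from {where}: {loaded} (process {ev['Image']})")
    return alerts


def scan(events: list) -> list:
    """Dispatch each event to the matching check and collect alert strings."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts += check_process_create(ev)
        elif ev["EventID"] == 7:
            alerts += check_image_load(ev)
    return alerts


# Constructed sample events (not real telemetry). D:\ stands for the mounted ISO.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "D:\\eBill-997358806.exe", "OriginalFileName": "CTFMON.EXE"},
    {"EventID": 7, "Image": "D:\\eBill-997358806.exe", "ImageLoaded": "D:\\MsCtfMonitor.dll"},
    # Benign control: the genuine pair loaded from System32 must not alert.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\ctfmon.exe", "OriginalFileName": "CTFMON.EXE"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\ctfmon.exe",
     "ImageLoaded": "C:\\Windows\\System32\\MsCtfMonitor.dll"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The renamed-binary check relies on OriginalFileName, which Sysmon reads from the PE's version resource; an attacker who patches that resource defeats it, so pairing it with the image-load check (which keys on where the DLL came from, not on what the executable calls itself) is what makes the pair worth deploying together.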
DLL sideloading gains traction
- While DLL sideloading is not new, researchers are observing a rise in its adoption by threat actors.
- Recently, the newly identified threat group Grayling used the tactic via SbieDll_Hook to load a variety of payloads, such as Cobalt Strike, NetSpy, and the Havoc framework, onto victims' systems.
- In another incident, ToddyCat, a lesser-known Chinese threat actor, used DLL sideloading to execute malicious payloads against government and telecommunications organizations in Asian countries.
Because the sideloading chain is typically delivered through phishing links, emails, or attachments such as the ISO image used here, organizations should treat unfamiliar or unexpected artifacts with suspicion. Additionally, it is recommended to deploy endpoint security capable of flagging a Windows binary running from a non-system path, or a system DLL loaded from a user-writable location, so that the activity is detected and blocked at the initial stage.