The Curse of DLL Side-Loading

DLL Side-Loading has always been a thorn for AV products from the time it came to existence. It is so reliable that it quickly gained popularity among threat actors thereby increasing the number of attacks using the same. In recent times, Chinese APT groups have been leveraging DLL side-loading techniques to orchestrate ransomware attacks. In short, DLL side-loading is a technique that uses malicious DLLs which look legitimate and relies on legitimate executables to load these DLLs without proper checks and execute them.

Following this trend, we recently came across a zip file submission in threatbook.cn with the title “Bitdefender” as depicted in Figure 1. When unzipped, the folder has four files among which is a legitimate Bitdefender 2019 binary, vulnerable to DLL side-loading and a log.dll which is a malicious DLL loaded along with the Bitdefender binary when executed as depicted in Figure 2. 

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 1.PNG
Figure 1: Submission on threakbook.cn

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 2.PNG
Figure 2: Extracted Content of the zip file

The binaries found in the zip archive are 64-bit files and when executed, the bdservicehost.exe named as USOPrivate.exe loads the log.dll using LoadLibraryW API as depicted in Figure 3.

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 3.jpeg
Figure 3: Loading log.dll

First of all, the log.dll retrieves the function like VirtualAlloc, ReadFile, VirtualProtect using the LoadLibrary and GetProcAddress routine. Then it allocates space using VirtualAlloc API as shown in Figure 4. Using ReadFile API it reads the encrypted content from file USOPrivate.dat and moves it to the allocated space and changes its characteristic to executable using VirtualProtect API.

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 4.JPG
Figure 4: VirtualAlloc and ReadFile

The content of USOPrivate.dat has two parts as described in Figure 5. Byte 0x0 to 0x7c8 has the code which is responsible for decrypting and decompressing the fully functional PlugX RAT PE file which is present in the second part of the file, that is bytes after 0x7c8.

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 5.PNG
Figure 5: Content of USOPrivate.dat

The flow is transferred to the first part of the code by log.dll. The first step is to retrieve the API function used in the code by using GetProcAddress routine. Then it allocates the memory using VirtualAlloc API and decrypts all the bytes after offset 0x7c8 as depicted in Figure 6.

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 6.JPG
Figure 6: Decryption Routine and Content after 1st Level Decryption

Then it again allocates a virtual space to decompress the content received after first level decryption by using RtlDecompressBuffer API as depicted in Figure 7.

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 7.JPG
Figure 7: Decompressing the Bytes

The PE file received after decompression is a fully functional PlugX RAT and the C2 contacted by the PlugX payload is caonimade[.]11i[.]me as depicted in Figure 8.

C:\Users\k7user\Desktop\Blog\19\new_bit\images\Figure 8.png
Figure 8: C2 URL

PlugX RAT

PlugX is a fully loaded RAT with functionalities such as upload, download, keystroke logging, collecting webcam information and remote cmd.exe shell which made its debut in 2014 and became famous since then. It is still being used by Chinese APT groups in multitude of attacks where the recent one being the ransomware attack.

The PlugX checks if it has SeDebugPrivilege and SeTcbPrivilege and if not modifies it accordingly. SeDebugPrivilege is required to debug and adjust the memory of a process owned by another account irrespective of the security descriptor (that is it grants access to a process to inspect and change another process). Process with SeTcbPrivilege is considered as part of the trusted computer base.

C:\Users\k7user\Desktop\Blog\19\new_bit\ida\adjust token privilage.PNG
Figure 9: Adjusting Privilege

For persistence, it adds Run entry and vbs file in the Startup location.

C:\Users\k7user\Desktop\Blog\19\new_bit\ida\runentry.PNG
Figure 10: Run Entry for Persistence

It also checks for clipboard data as depicted in Figure 11 along with the date.

C:\Users\k7user\Desktop\Blog\19\new_bit\ida\Figure 11.PNG
Figure 11: Clipboard Data

Then it logs the keystrokes. First, it checks the key state using GetAsyncKeyState API and masking it with 0x8000 to see if it is high or low which is key pressed or released respectively as depicted in Figure 12. Then it uses switch case statements to get and save the appropriate keys.

C:\Users\k7user\Desktop\Blog\19\new_bit\ida\Figure 12.PNG
Figure 12: Retrieving Keystrokes

It then gathers information of all the disk space available and also the information of some removable drives attached or plugged in as depicted in Figure 13.

C:\Users\k7user\Desktop\Blog\19\new_bit\ida\Figure 13.PNG
Figure 13: Disk Storage Space Information

Some of the other functions it can do which is already mentioned in several blogs are process injection to svchost.exe, upload and download files using InternetReadFile, InternetWriteFile, URLDownloadFile API etc., execute remote shellcodes retrieved from C2, gather information about all the running processes in the system etc. On the whole, it has all the functions to take over your system completely.

These kinds of RATs can do heavy damage by themselves and you can imagine how it would be  if it downloads additional payload like ransomware, coin miners onto the system. This DLL side-loading technique along with the PlugX RAT are heavily used by Chinese APT groups like Mustang Panda, APT27 and Winnti.

Here at K7Labs we actively monitor such malware and have proactive detection for all these files. So stay safe from these kinds of attacks in this pandemic situation by using a reputed AV product such as “K7 Total Security”.

Indicators Of Compromise (IOCs)

MD5File NameK7 Detection Name
03797703F999E8E5029EDBEE30446ED2log.dllRiskware ( 0040eff71 )
DDC3BBA6EB84E83822958D0273945C60decompressed PlugX binaryRiskware ( 0040eff71 )

C2

caonimade[.]11i[.]me