A sophisticated new malware/trojan attack is designed to steal login credentials and credit card information from payment systems, banks and crypto exchanges. This attack tricks legitimate business applications into running compromised but innocent-looking dynamic link library (DLL) files — making it very difficult to detect and block.

DLL sideloading is a technique used by cybercriminals to execute malicious code on a target system by exploiting the way Windows loads dynamic link libraries (DLLs). This blog explores how Check Point’s advanced Threat Emulation engines, part of Infinity ThreatCloud AI, detected and prevented a DLL Sideloading attack on one of our customers.

How does DLL Sideloading Work?

Sideloading abuses the common Window’s process that allows the operating system to load applications. Hackers accomplish this exploit in three steps:

• Identification: The attacker identifies a vulnerable application that can be exploited
• Malicious DLL: The attacker places a seemingly legitimate but compromised DLL file in a directory. When an application runs, it searches for required DLLs in specific directories. If the attacker’s DLL is present in one of these directories, it gets automatically loaded alongside the legitimate application.
• Execution of Malicious Code: The compromised DLL contains the attacker’s payload. By sideloading it, the attacker can execute their malicious code within the context of the legitimate application.

The primary advantage of DLL sideloading for cybercriminals is that a legitimate application loads a malicious DLL, making it challenging to identify, as the DLL is executed within the context of the trusted application.

Casbaneiro: A DLL Sideloading Case Study

One of Check Point’s customers in Mexico were being targeted by a new version of the Latin American banking trojan, “Casbaneiro.” This malware utilizes legitimate resources from Amazon and GitHub to carry out DLL sideloading attacks.

The malware employed a seemingly innocent executable, originally named “identity_helper.exe” and renamed “mssedge.exe,” to sideload a malicious DLL named “msedge_elf.dll.”

The trojan was detected by Check Point’s Threat Emulation engine in three distinct attacks on customers, each identified by a unique sample hash.

Figure 1 – attack flow

The attack chain started with a malicious MSI file from an Amazon AWS URL, which extracted a ZIP file containing the vulnerable executable file (Microsoft Edge PWA Identity Proxy Host) and the malicious DLL (msedge_elf.dll) [figure 1]. The DLL was then used to connect to a GitHub project [figure 2], which stores an obfuscated address of a C&C server [figure 3].

Figure 2 – runtime snapshot

Figure 3 – the attacker abused GitHub to hide the C&C in encrypted form

The sample decrypted the buffer to an HTTP path which serves as a C2 (hxxp://pushline.gotdns[.]ch/onBo/). Once the decryption is done, the sample tried to communicate with the cyber criminals that created it. [Figure 4].

Figure 4 – C&C initial communication snapshot

Finaly, the malware scanned the tabs of active browsers (IE, Chrome, Explorer, Firefox) and email services (Outlook and Microsoft 365) in an attempt to obtain login credentials and credit card information from a variety of payment systems, banks, and cryptocurrency exchanges (“Banamex,” “Bank of America,” and “Binance”).

Three commercial organizations in Mexico were attacked, including retail stores and enterprises. Fortunately, all the above were protected by Threat Emulation’s engines, an explanation of which is below.

Threat Emulation Detection

Threat emulation analyzed statistics or EXE-DLL pairs to identify whether a legitimate EXE was accompanied by an anomalous DLL partner. The approach involves verifying if the executable file is susceptible to DLL sideloading for a specific DLL name, and then evaluating the current DLL against this condition.

Threat Emulation leverages ThreatCloud AI’s extensive knowledge to identify known executables files vulnerable to DLL sideloading and searches for a DLL companion. If one is found, the DLL undergoes emulation alongside the executable to trigger malicious activities. Furthermore, these DLLs undergo deep static inspection and analysis using dedicated Machine Learning models. Lastly, Threat Emulation verifies that the DLL isn’t officially used with its companion to minimize false positives.

With Check Point’s Threat Emulation, you get the full package of DLL security containing multiple engines to secure your organization against attacks as described above.

Check Point customers using Quantum and Harmony products with activated Threat Emulation are protected against the campaigns detailed in this report.

To learn about Check Point threat prevention, schedule a demo or a free security checkup to assess your security posture.