Cybercriminals have been leveraging a sophisticated technique known as DLL side-loading to deliver malicious Python code, bypassing traditional security measures.
This method exploits how Windows applications handle Dynamic Link Library (DLL) files, allowing attackers to execute arbitrary code with elevated privileges.
Recently, a specific campaign was uncovered where attackers used a ZIP archive named “Hootsuite (1).zip” to distribute malware.
The archive contained a copy of the Haihaisoft PDF reader, which has a known DLL side-loading vulnerability.
Exploitation Process
When the PDF reader is executed from a directory extracted from the ZIP archive, it loads a malicious DLL named “msimg32.dll” instead of the legitimate Microsoft version.
This malicious DLL is far larger than the official version, most likely padded so that security tools, which often skip very large files for performance reasons, do not scan it.
Once loaded, the behavior of the PDF reader changes dramatically, as observed during debugging.
The attackers also included a decoy PDF file in the archive to distract from the malicious activity.
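The side-loading step described above works because, for a DLL that is not on the KnownDLLs list, Windows checks the application's own directory before System32. A defender triaging an extracted archive can therefore look for DLLs that shadow system DLL names and are suspiciously oversized. The script below is an added example, not code from the report or from the campaign; the file names, the sizes, and the 10 MiB scanner cutoff are constructed assumptions for illustration, and the `inventory_directory` helper shows how the same check would be fed from a real folder.

```python
import os

# Constructed inventory of an extracted archive directory: file name -> size in bytes.
# The reader's executable name and all sizes are illustrative, not measurements.
EXTRACTED_DIR = {
    "pdfreader.exe": 2_400_000,   # hypothetical name for the bundled PDF reader
    "msimg32.dll": 19_000_000,    # oversized DLL shadowing a Microsoft name
    "decoy.pdf": 150_000,
    "helper.dll": 80_000,         # not a system DLL name, so not a shadowing candidate
}

# Constructed reference table of legitimate DLLs as they would sit under
# C:\Windows\System32 (name -> size). Sizes are illustrative.
SYSTEM32_DLLS = {
    "msimg32.dll": 30_000,
    "version.dll": 40_000,
    "userenv.dll": 160_000,
}

# Assumption: many scanners skip files above roughly this size for performance.
LARGE_FILE_SKIP_THRESHOLD = 10 * 1024 * 1024


def inventory_directory(path):
    """Build a name -> size map from a real directory (used instead of EXTRACTED_DIR on a live case)."""
    return {entry.name: entry.stat().st_size
            for entry in os.scandir(path) if entry.is_file()}


def find_sideload_candidates(app_dir, system_dlls, size_ratio=5.0):
    """Return [(name, [reasons])] for DLLs in app_dir that shadow a system DLL name.

    Each candidate always carries the shadowing reason; size-based reasons are
    appended when the copy is far larger than the legitimate DLL or crosses the
    scanner cutoff, since padding is a common way to dodge file scanning.
    """
    findings = []
    for name, size in app_dir.items():
        lower = name.lower()
        if not lower.endswith(".dll") or lower not in system_dlls:
            continue
        reference = system_dlls[lower]
        reasons = ["shadows a system DLL name in the application directory"]
        if size >= size_ratio * reference:
            reasons.append(f"size {size} is {size / reference:.0f}x the system copy ({reference})")
        if size > LARGE_FILE_SKIP_THRESHOLD:
            reasons.append("exceeds the assumed scanner size cutoff")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for dll, why in find_sideload_candidates(EXTRACTED_DIR, SYSTEM32_DLLS):
        print(dll)
        for reason in why:
            print("  -", reason)
```

On a real case the reference table would be built with `inventory_directory(r"C:\Windows\System32")` and the archive folder with the same helper; hashing or signature checks on the flagged file are the natural next step, since a same-named DLL that is merely large is a lead, not a verdict.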
The malware delivery process involves unpacking and installing a Python environment. A batch script is used to fetch a Python bot from a remote server.

To evade detection, the attackers renamed “python.exe” to “synaptics.exe” and implemented persistence by adding a registry entry that runs the malicious script at startup.
According to the report, the script also uses Base64 encoding to obscure its contents.
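The persistence described above leaves three observable traces: a Run-key entry that launches from a user-writable path, an executable whose file name no longer matches the `OriginalFilename` in its PE version resource (a renamed `python.exe`), and a command line carrying a Base64 blob that decodes to Python. The triage script below is an added example, not code from the report; the registry export, the paths, the value names and the encoded snippet are all constructed, and the heuristic of requiring at least two reasons before flagging an entry is a design choice made here so that a legitimate AppData-resident program (modelled by the `OneDrive` entry) does not fire on the location check alone.

```python
import base64
import binascii
import re
from pathlib import PureWindowsPath

# Constructed sample: a Base64-encoded Python snippet of the kind a persistence
# command might embed. Encoded at import time so the blob is exactly reproducible.
SAMPLE_BLOB = base64.b64encode(b"import sys; print('placeholder bot body')").decode()

# Constructed Run-key export: (value name, command line, PE OriginalFilename of the
# launched executable as read from its version resource). All values are illustrative.
RUN_ENTRIES = [
    ("OneDrive",
     '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
     "OneDrive.exe"),
    ("Synaptics",
     '"C:\\Users\\alice\\AppData\\Roaming\\Synaptics\\synaptics.exe" '
     '-c "import base64;exec(base64.b64decode(\'' + SAMPLE_BLOB + '\'))"',
     "python.exe"),
    ("VendorUpdater",
     '"C:\\Program Files\\Vendor\\updater.exe" --quiet',
     "updater.exe"),
]

INTERPRETERS = {"python.exe", "pythonw.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def first_executable(command):
    """Return the launched executable's path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def in_user_writable_location(path):
    """Heuristic: paths a standard user can write to (assumed marker list)."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def renamed_interpreter(path, original_filename):
    """True when the PE says it is a Python interpreter but the on-disk name differs."""
    return (original_filename.lower() in INTERPRETERS
            and PureWindowsPath(path).name.lower() != original_filename.lower())


def embedded_python_blobs(command):
    """Decode Base64 runs in the command line and keep those that look like Python source."""
    found = []
    for match in B64_RE.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable() and ("import " in text or "exec(" in text):
            found.append(text)
    return found


def triage_run_entries(entries, min_reasons=2):
    """Return (per-entry reasons, names of entries meeting the min_reasons threshold)."""
    report = {}
    for name, command, original_filename in entries:
        exe = first_executable(command)
        reasons = []
        if in_user_writable_location(exe):
            reasons.append("launches from a user-writable location")
        if renamed_interpreter(exe, original_filename):
            reasons.append(f"{PureWindowsPath(exe).name} is a renamed {original_filename}")
        blobs = embedded_python_blobs(command)
        if blobs:
            reasons.append("command carries Base64-encoded Python: " + blobs[0][:40])
        report[name] = reasons
    suspicious = [n for n, r in report.items() if len(r) >= min_reasons]
    return report, suspicious


if __name__ == "__main__":
    report, suspicious = triage_run_entries(RUN_ENTRIES)
    for name in suspicious:
        print(name, "->", "; ".join(report[name]))
```

The `OriginalFilename` column is the piece of telemetry that makes the rename visible; on a live host it would come from the file's version resource or from an EDR process-start event rather than from a constructed list, and the same three checks apply equally to scheduled tasks and other autostart locations.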
Bypassing Security Measures
DLL side-loading is particularly effective because it exploits the trust relationship between software and its environment, allowing malicious activity to bypass signature-based detection mechanisms.
Since the malicious code is executed within the context of a legitimate application, it often gains elevated privileges, making it a significant threat.
This technique has been widely used by sophisticated threat actors, including state-sponsored groups and cybercriminal syndicates, to deploy various types of malware, such as information stealers, backdoors, and ransomware.
The use of Python in this campaign highlights the versatility of DLL side-loading, as it can be combined with other techniques like process hollowing to inject shellcode into legitimate processes.
As seen in other campaigns, such as SEO#LURKER and PlugX malware, DLL side-loading remains a preferred method for evading detection and maintaining persistence in compromised systems.
Organizations must enhance their detection capabilities to counter these sophisticated attacks, focusing on endpoint telemetry and behavioral analysis to identify malicious activity that bypasses traditional security controls.