Double DLL Sideloading

Hackers start using double DLL sideloading to evade detection

@ndma 04 May 2023

Threat Actor

  • Dragon Breath

  • Golden Eye Dog

  • APT-Q-27


An APT hacking group known as "Dragon Breath," "Golden Eye Dog," or "APT-Q-27" is demonstrating a new trend of using several complex variations of the classic DLL sideloading technique to evade detection. These attack variations begin with an initial vector that leverages a clean application, most often Telegram, that sideloads a second-stage payload, sometimes also clean, which in turn sideloads a malicious loader DLL. The lure for victims is trojanized Telegram, LetsVPN, or WhatsApp apps for Android, iOS, or Windows that have supposedly been localized for users in China. The trojanized apps are believed to be promoted through BlackSEO or malvertising.

The attacker places a malicious DLL, named identically to a legitimate DLL the application requires, in the application's directory. When the user launches the executable, Windows resolves the local malicious DLL ahead of the copy in the system folders. The attacker's code in that DLL runs at load time with the privileges of the trusted, signed application that loaded it, which the attacker then uses to run commands on the host.

In this campaign, the victims execute the installer of one of the mentioned apps, which drops components on the system and creates a desktop shortcut and a system startup entry.

This "double DLL sideloading" technique achieves evasion, obfuscation, and persistence, making it harder for defenders to adjust to specific attack patterns and effectively shield their networks.
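As an added illustration, not part of the original report, the following Python check shows how a defender could hunt for the pattern described above in image-load telemetry: a system-named DLL resolved from the application's own directory instead of System32, with two such loads into one process flagged as the chained case. The system-DLL allowlist, the paths and the sample events are all constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Directories from which the allowlisted DLL names are expected to resolve (assumption).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Hypothetical allowlist of system DLL names; a real deployment would build this
# from an inventory of the system directories on a known-good host.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "cryptbase.dll"}


def is_shadowed_load(module_path):
    """True if a system-named DLL was loaded from outside the system directories."""
    lower = module_path.lower()
    return ntpath.basename(lower) in SYSTEM_DLL_NAMES and not lower.startswith(SYSTEM_DIRS)


def classify_sideloads(events):
    """Group shadowed loads per process and label single versus chained sideloading.

    Returns {pid: (image, label, [module paths])}. The 'double-sideload' label is a
    heuristic: two or more shadowed loads into one process mirrors the chain of a
    clean second-stage DLL followed by the loader DLL. Applications that legitimately
    bundle redistributable DLLs will also match, so treat hits as leads, not verdicts.
    """
    hits, images = defaultdict(list), {}
    for ev in events:
        if is_shadowed_load(ev["module"]):
            hits[ev["pid"]].append(ev["module"])
            images[ev["pid"]] = ev["image"]
    return {
        pid: (images[pid], "double-sideload" if len(mods) >= 2 else "sideload", mods)
        for pid, mods in hits.items()
    }


# Constructed image-load records in the style of Sysmon Event ID 7; not real telemetry.
TG_DIR = r"C:\Users\alice\AppData\Roaming\TelegramCN"
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\explorer.exe", "module": r"C:\Windows\System32\version.dll"},
    {"pid": 2002, "image": r"C:\Users\alice\Downloads\LetsVPN\LetsVPN.exe",
     "module": r"C:\Users\alice\Downloads\LetsVPN\userenv.dll"},
    {"pid": 3003, "image": TG_DIR + r"\Telegram.exe", "module": TG_DIR + r"\version.dll"},
    {"pid": 3003, "image": TG_DIR + r"\Telegram.exe", "module": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 3003, "image": TG_DIR + r"\Telegram.exe", "module": TG_DIR + r"\dwmapi.dll"},
]

if __name__ == "__main__":
    for pid, (image, label, mods) in classify_sideloads(SAMPLE_EVENTS).items():
        names = ", ".join(ntpath.basename(m) for m in mods)
        print(f"pid {pid} [{label}] {image} loaded {names} from its own directory")
```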
