Wednesday06 July 2022

DLL Hijacking used Against Ransomware to Stop Encryption Process

Reading time is around minutes.

The idea of DLL hijacking is a well known one and one that is used by attackers to compromise security tools and even sophisticated anti-malware solutions. DLLs (Dynamic Link Library) are not much more than static files that sit idle on a system until loaded. These libraries contain information that is important to the operation of the program calling it. If an attacker can replace a DLL with one of their own that prevents or alters the operation of the calling program, they have successfully hijacked it. Because of the flexibility and shared nature of DLL they are an easy target.

Now a security researcher has discovered that more than a few strains of ransomware are vulnerable to DLL hijacking in the same way legitimate code is. The researcher, who goes by the name of hyp3rlinx, reviewed samples of ransomware from Conti, REvil, Black Basta, and LockBit. During his review of these samples, he found that they were also (ironically) vulnerable to the same style of DLL hijacking. In this case the hijacking could be used to block the execution of the encryption phase of the malware.

hyp3rlinx then went about building a proof of concept for each of the reviewed ransomware variants to show how the vulnerability in the malware could ne exploited to control and stop the malware before it was able to encrypt, and possibly exfiltrate, any data. They have videos of each of the exploits in action to show how it works. They also have a listing of the hashes that they built the PoC to work on. This means that while the versions used for testing are vulnerable to this, the groups responsible for the malware could have already patched their code to guard against the DLL hijacking.

For those looking to try out their PoC they have each type of malware they have identified as vulnerable and have PoC code that needs to be compiled into DLL form. In the case of the version of Conti they reviewed (Hash 0b0b902af452e1c949a609a3b29a9de21dac639846c77427de06e6e63c1fe904), you would compile a DLL called netapi32.dll and place it in a likely area for Conti execution. When Conti calls this DLL (without validating it) the newly crafted DLL will terminate the execution of the Conti ransomware.

The concept of vulnerabilities in malware is not a new one as there are vulnerabilities in just about everything. This is also not the first time that a vulnerability in malware has been used to disrupt its operation. We have seen vulnerabilities and flaws in ransomware used to decrypt the ransomware without the use of the threat actor’s own encryption keys. Still this project and the researcher’s efforts are a welcome addition to the existing security tools that are out there. It adds another level of protection that could be difficult to get around for vulnerable versions of malware. We will be keeping an eye on the MalVuln group and their efforts to see what other vulnerabilities they find in other malware and to see how this affects the malware groups. Typically, the threat actors are ahead of the game with blue teams reacting to them, if research like this can get them reacting it can open them up to new responses to their efforts and that is a good thing.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.