DLL hijacking is when cyber attackers insert malicious code into an application to infect the way dynamic link libraries (DLLs) load. One of the biggest hacks in the history of United States federal agencies, which breached multiple U.S. government departments and was likely linked to the Russians, involved DLL hijacking. DLL hijacking exploits Windows platforms and can compromise the entire system through one infected file. Secure coding practices can help to prevent a DLL hijack. It is also helpful to know how to spot and test for DLL hijacking to keep threats from taking over. A strong security network and well-educated staff can help to keep cyber hackers out of your system.
What is DLL hijacking?
When attackers get an infected file onto your machine, this file is then executed when the application vulnerable to DLL hijacking is run. DLL hijacking is a cyberattack method that places an infected file within the search path of an application. A user then attempts to load a file from that directory and instead loads the infected DLL file. This infected file takes action when the application is loaded. DLL files are often preloaded into a computer. Many applications with DLL files automatically load during startup, which can then compromise the entire computer, giving hackers access to it whenever the file containing the malicious code loads.
What are DLL files?
DLL files exist only on Microsoft operating systems and hold the resources an application requires to run correctly. Much of the functionality of a Windows operating system is supplied by the dynamic link library, Microsoft explains. DLL files are typically opened when an application loads. These files serve to run programs and use hard drive space efficiently. A DLL file is often also used by more than one program, which means that one cyberattack involving a DLL hijack could potentially interfere with and compromise multiple programs with only a single infected file.
How does DLL hijacking work?
Windows applications use DLL search protocols to run successfully. By placing a payload DLL within the directory of the application being targeted, the application can be tricked into loading the infected file instead of the legitimate one. The DLL search order of Microsoft applications is published and therefore known and exploitable. For DLL hijacking to be effective, the attacker needs to get the targeted application to search for the infected file ahead of the legitimate DLL file, as it will run the first file it comes across when starting up. This can be done in the following ways:
- They can plant a trojan DLL file in a directory that will be searched before the legitimate library.
- DLL preloading places an infected DLL with the same name as an ambiguously specified DLL, which will cause the malicious DLL to be searched for first.
- DLL redirection can modify the DLL search order directly to force the program to run the malicious DLL instead of the legitimate one.
- Infected DLL files can be deposited through supply chain attacks, phishing, and social engineering. The higher in the privilege order the file is placed, the more access the threat actor will have to the system.
If the full path of an associated DLL file is not specified, Windows applications default to specific DLL search protocols, and the directory from which the application is loaded will be the first one searched. DLL hijacking puts an infected DLL file in this location to have it searched and pulled up before the system directory. This is called DLL search order hijacking. Malicious DLL files often use a digital signature that mimics that of the targeted application, so that the file appears authentic. This prevents detection and permits the transfer of infected DLL files, which can make their way through a supply chain this way.
How to identify a DLL hijacking attack
A Windows program called Process Explorer can identify a DLL hijacking attempt. This works by showing, in real time, all of the files that are being loaded. With the correct filters, users can identify DLL files that do not belong. Use the following steps:
- Install and load Process Explorer.
- Search for the application the suspected DLL hijacking attack is targeting.
- Press Ctrl + L and apply a filter that only shows active files with a path ending in .dll, then click Add and then Apply.
- Press Ctrl + L and apply a filter for directory name not found by setting the condition Result: NAME NOT FOUND, then click Add and then Apply, to show files that are loading outside of the system directory.
- Press Ctrl + L to apply an additional filter that will only display DLL files within the application’s directory by setting the condition Path is [path address], then click Add and then Apply.
How to prevent DLL hijacking
The optimal method for preventing DLL hijacking starts with software developers, who can indicate the exact location of all DLL files to keep Windows from using the default DLL search path protocol. It is also important to keep antivirus software up to date. Yes, DLL injection attempts often can go undetected, but good antivirus software is still an essential line of defense that can block at least some DLL hijack attempts. Keep a close eye on your cyber security. Regularly check and scan your network and ecosystem for vulnerabilities. A Windows DLL hijack is only possible when the infected file is introduced to the ecosystem, often through an unintended introduction by an employee opening up malware. Educating employees on the warning signs of phishing attacks and social engineering can prevent a DLL attack from gaining any ground. These are some best security practices:
- Establish and maintain an Information Security Policy.
- Refer suspicious emails to security personnel before opening or engaging.
- Enable multi-factor authentication for logins.
- Implement a vendor risk-management solution.
To implement a DLL hijack, bad actors will search for DLL vulnerabilities, which can often include missing DLLs within applications. The traditional DLL search order is as follows:
- Search the directory the application is being loaded from.
- Search the current directory.
- Search the system directory.
- Search the Windows directory.
- Search the directories located in the PATH environment.
A DLL hijack then places the malicious file into one of these directories, ahead of the legitimate DLL file. Another method is to use the AppInit DLLs to create custom DLLs that can be loaded virtually anywhere in the following ways:
- Generate a malicious DLL.
- Set the LoadAppInit_DLLs setting to “TRUE”.
- Point the malicious DLL through the AppInit.
- Run the process to inject the DLL.
A trojan DLL can also be placed using DLL forwarding in which the infected DLL will act as the middle man in the process. This method looks like this:
- DLL and its functions are analyzed.
- Identify the functions to be intercepted and modified.
- Implement these functions in an infected DLL.
- Forward the remaining functions to the original DLL.
- Rename the original DLL.
- Forward imports to the renamed DLL.
- Replace the original DLL with the infected DLL.
- Rename the infected DLL to the original DLL.
Examples of known DLL hijacking threats
DLL hijacking has been around for many years and continues to be a cyber security threat for Windows operating systems. Some procedure examples include:
- APT41: uses search order hijacking
- FinFisher: variants use DLL search order hijacking
- Chaes: search order hijacking to load malicious DLL payloads
- Astaroth: uses search order hijacking to launch itself
- BOOSTWRITE: exploits loading of legitimate .dll file
- BackdoorDiplomacy: uses search order hijacking
- Hikit: search order hijacking as a persistence mechanism
- Crutch: persists a search order hijacking through search engines
- Downdelph: escalates privileges through search order hijacking of .exe files
- InvisiMole: search order hijacking launched infected DLL during startup
- HTTPBrowser: interferes with DLL load order
- Ramsay: hijacks outdated Windows applications
- menuPass: uses DLL search order hijacking
- Threat Group-3390: uses DLL search order hijacking to distribute a payload
- Whitefly: search order hijacking to load a malicious DLL
- RTM: search order hijacking to interfere with TeamViewer
- Tonto Team: interferes with legitimate Microsoft executable to load malicious DLL
- Melcoz: uses DLL hijacking to bypass security controls
To mitigate DLL hijacking, the following methods can be used:
- Audit: Auditing tools like PowerUp can detect and correct DLL search order hijacking attempts.
- Restrict library loading: Do not allow remote DLLs to load and enable DLL safe search mode, which forces the system to use more restrictions when searching for DLL files.
- Execution prevention: Use application control solutions to identify and block potentially malicious software that is being executed through DLL search order hijacking.
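An audit of the kind the first item describes, written here as an added example (not code from PowerUp or any other tool named on this page). It walks the traditional search order listed earlier, shows what safe DLL search mode changes, and reports user-writable directories that are searched no later than the legitimate copy. The directory names, `example.dll`, and the set of writable directories are constructed; on a real system the writable set would come from an ACL check.

```python
import tempfile
from pathlib import Path

def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs, safe_mode=False):
    """Traditional order as listed on the page. With safe DLL search mode the
    current directory is searched after the system and Windows directories."""
    if safe_mode:
        head = [app_dir, system_dir, windows_dir, cwd]
    else:
        head = [app_dir, cwd, system_dir, windows_dir]
    order = []
    for d in head + list(path_dirs):
        if d not in order:            # repeated directories add nothing to the audit
            order.append(d)
    return order

def audit(dll_name, order, writable_dirs):
    """Walk the order until the DLL is found. Returns (hit, exposed): the
    directory it resolves from (None if it is missing everywhere) and the
    user-writable directories searched up to and including that hit."""
    exposed = []
    for d in order:
        if d in writable_dirs:
            exposed.append(d)
        if (Path(d) / dll_name).is_file():
            return d, exposed
    return None, exposed

def demo():
    """Constructed directory tree; the writable set stands in for an ACL check."""
    root = Path(tempfile.mkdtemp())
    d = {n: str(root / n) for n in ("app", "work", "system32", "windows", "tools")}
    for p in d.values():
        Path(p).mkdir()
    (Path(d["system32"]) / "example.dll").touch()      # the legitimate copy
    writable = {d["work"], d["tools"]}                 # assumed ACL result
    out = {}
    for safe in (False, True):
        order = search_order(d["app"], d["work"], d["system32"], d["windows"],
                             [d["tools"]], safe_mode=safe)
        for dll in ("example.dll", "missing.dll"):
            hit, exposed = audit(dll, order, writable)
            out[(safe, dll)] = (Path(hit).name if hit else None,
                                [Path(e).name for e in exposed])
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the constructed tree, safe DLL search mode removes the exposure for a DLL that exists in the system directory, while a DLL that is missing everywhere stays exposed through every writable directory in the order.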
How to test for DLL hijacking
Testing for DLL hijacking uses methods similar to the detection methods, with programs such as Windows Process Explorer. To test for hijacked DLL files, filter on .exe and .dll files that show up as “NAME NOT FOUND.” This generally indicates a DLL hijacking attempt. Another product called DLLSpy uses three different methods for detecting DLL hijacking: static, dynamic, and recursive. Static testing locates all of the .dll or .dll path files within the process of running an application. Dynamic testing scans all the modules to determine if there is write permission within the DLL locations to check that they have not been overwritten. The recursive engine scans all the previously examined DLL processes to potentially find more DLLs that have been loaded and check their vulnerabilities.
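The NAME NOT FOUND filter described above, and in the identification steps earlier on the page, can also be applied offline to an exported trace. The following is an added example, not part of any tool named here: it assumes the trace was saved as CSV with `Process Name`, `Operation`, `Path` and `Result` columns, and the sample rows are constructed.

```python
import csv
import io
import ntpath

# Constructed sample rows, not taken from a real trace.
SAMPLE_TRACE = r"""Process Name,Operation,Path,Result
app.exe,CreateFile,C:\Program Files\App\example.dll,NAME NOT FOUND
app.exe,CreateFile,C:\Windows\System32\example.dll,SUCCESS
app.exe,CreateFile,C:\Program Files\App\plugin.dll,NAME NOT FOUND
app.exe,CreateFile,C:\Windows\System32\plugin.dll,NAME NOT FOUND
app.exe,CreateFile,C:\Tools\plugin.dll,NAME NOT FOUND
app.exe,CreateFile,C:\Program Files\App\core.dll,SUCCESS
app.exe,CreateFile,C:\Program Files\App\settings.ini,NAME NOT FOUND
other.exe,CreateFile,C:\Temp\example.dll,NAME NOT FOUND
"""

def triage(trace_csv, process, app_dir=None, system_dir=r"C:\Windows\System32"):
    """Group one process's failed DLL lookups by DLL name.

    Returns {dll: {"probed": [...], "loaded_from": dir or None}} for every DLL
    with at least one NAME NOT FOUND lookup outside system_dir. If app_dir is
    given, only lookups in that directory are counted (the last filter step).
    """
    report = {}
    for row in csv.DictReader(io.StringIO(trace_csv)):
        path = row["Path"]
        if row["Process Name"].lower() != process.lower():
            continue                      # filter 1: the application under review
        if not path.lower().endswith(".dll"):
            continue                      # filter 2: path ends in .dll
        name = ntpath.basename(path).lower()
        folder = ntpath.dirname(path)
        entry = report.setdefault(name, {"probed": [], "loaded_from": None})
        if row["Result"] == "NAME NOT FOUND":   # filter 3: failed lookup
            outside_system = folder.lower() != system_dir.lower()
            in_scope = app_dir is None or folder.lower() == app_dir.lower()
            if outside_system and in_scope:
                entry["probed"].append(folder)
        elif row["Result"] == "SUCCESS" and entry["loaded_from"] is None:
            entry["loaded_from"] = folder
    return {name: e for name, e in report.items() if e["probed"]}

if __name__ == "__main__":
    for dll, info in triage(SAMPLE_TRACE, "app.exe").items():
        print(dll, "probed in", info["probed"], "loaded from", info["loaded_from"])
```

A DLL with `loaded_from` set to `None` was never found anywhere, which corresponds to the missing DLLs mentioned earlier; one with a value was looked up in other directories before the copy that was finally loaded.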
Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect. (May 2021). The New York Times.
What Is a DLL? (September 2021). Microsoft.
Process Explorer v16.43. (August 2021). Microsoft.
AppInit DLLs and Secure Boot. (January 2021). Microsoft.
PowerUp: A Usage Guide. (June 2014). Harmj0y.
Cyberark/DLLSpy. (2021). GitHub, Inc.