DLL sideloading is an attack on Windows devices in which threat actors distribute a malicious DLL together with a legitimate application that loads it. Some legitimate programs do not verify the libraries that get loaded into their address space. This allows attackers to substitute a malicious library with the same name for a standard one, which the legitimate application then loads.
A DLL sideloading attack unfolds as follows: threat actors save the legitimate application and malicious DLL on the victim’s device, then run the application. When it needs the library in question, the application finds the malicious DLL with the same name and loads it.
DLL sideloading is related to DLL hijacking, where malicious code is also contained in a library loaded by a legitimate application. The main difference between the two techniques is that in DLL hijacking the attackers do not distribute a legitimate application along with malicious code, but substitute one of the libraries of a program already installed in the victim’s system.
DLL sideloading in the attack chain
DLL sideloading aims to make malicious activity hard to detect. Often, signed legitimate programs (including software from security vendors) with valid certificates are used to load the malicious library, and to hinder detection of the DLL itself, the library may be delivered in encrypted, compressed or obfuscated form.
Attackers can deliver the application and library “package” to the victim in various ways; for example, by means of self-extracting archives or macros in infected Office files. The malicious library, in turn, can constitute the final payload or an intermediate stage of the attack.
Examples of DLL sideloading attacks
- The APT10 group employed DLL sideloading to deliver the LODEINFO backdoor to the target device for cyber-espionage purposes.
- The REvil group used the system file MsMpEng.exe from Windows Defender to load a malicious DLL containing cryptomalware.
- The Babuk group abused the NTSD.exe debugger for DLL sideloading. As in the previous case, the attackers used it to load ransomware on the target device.
- The GhostEmperor APT group placed the malicious DLL msedgeupdate.dll in the same directory as the legitimate component meupdate.exe, which handles Edge updates.
- An Asia-based APT group used DLL sideloading to load a backdoor. In the attack, the legitimate application OLEVIEW.exe loaded the malicious library iviewers.dll into its address space.
- The ToddyCat APT group used DLL sideloading to launch a RAT: the legitimate application vlc.exe loaded the payload, which the threat actors had saved as libvlc.dll, into its address space.
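The pattern common to the mechanism described above and to the examples (a signed legitimate executable loading an unsigned DLL that sits beside it in a non-system, often user-writable directory) can be turned into a hunting rule over image-load telemetry. The script below is an added example, not code from the original article; the events are constructed samples in the layout of Sysmon's image-load event (ID 7, with its Image, ImageLoaded and Signed fields), and the directory lists are assumptions for a default Windows install.

```python
"""Flag image-load records that match the DLL sideloading pattern:
a signed host executable loads an unsigned DLL from its own directory,
and that directory is not a Windows system directory."""
from pathlib import PureWindowsPath

# Assumption: default install paths where system DLL loads are expected.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Assumption: directory names that indicate a user-writable drop location.
WRITABLE_HINTS = {"temp", "programdata", "downloads"}

# Constructed sample events (not real telemetry); signature status is assumed
# to be resolved by the sensor, as Sysmon reports it in its Signed field.
EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe", "dll": r"C:\Windows\System32\kernel32.dll",
     "image_signed": True, "dll_signed": True},
    {"image": r"C:\Users\u\AppData\Local\Temp\vlc.exe", "dll": r"C:\Users\u\AppData\Local\Temp\libvlc.dll",
     "image_signed": True, "dll_signed": False},
    {"image": r"C:\ProgramData\upd\meupdate.exe", "dll": r"C:\ProgramData\upd\msedgeupdate.dll",
     "image_signed": True, "dll_signed": False},
    {"image": r"C:\Program Files\Tool\tool.exe", "dll": r"C:\Program Files\Tool\tool.dll",
     "image_signed": True, "dll_signed": True},
    {"image": r"C:\Temp\app.exe", "dll": r"C:\Windows\System32\version.dll",
     "image_signed": False, "dll_signed": True},
]

def sideload_reasons(event):
    """Return the indicators that match; an empty list means nothing suspicious."""
    image = PureWindowsPath(event["image"])
    dll = PureWindowsPath(event["dll"])
    dll_dir = str(dll.parent).lower()
    reasons = []
    # Core condition: the DLL was resolved from the application directory,
    # not from the system directory where a library of that kind would normally live.
    if dll_dir == str(image.parent).lower() and dll_dir not in SYSTEM_DIRS:
        reasons.append("dll loaded from application directory")
        if event["image_signed"] and not event["dll_signed"]:
            reasons.append("signed host loaded unsigned dll")
        if WRITABLE_HINTS & {part.lower() for part in dll.parent.parts}:
            reasons.append("user-writable location")
    return reasons

def find_candidates(events):
    """Keep only events where a signed host loaded an unsigned DLL from its own directory."""
    return [(e["dll"], sideload_reasons(e)) for e in events
            if "signed host loaded unsigned dll" in sideload_reasons(e)]
```

Legitimate applications that ship unsigned plugin DLLs will also match the core condition, so the "user-writable location" indicator and the reputation of the host executable are what separate true sideloading from noise during triage.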