
Apple's APSDaemon Vulnerability Abused by Malware Distributors

Attackers can maliciously redirect users of websites sharing counterfeit products, adult content or videos and dupe them into installing malware before they even land on the intended website. This is one of the most popular ways of generating revenue among hackers who gain access to websites by exploiting a vulnerability in an installed plugin, whether a security flaw or simply outdated software.

Typically, 'malicious redirects' are run by hackers intent on generating advertising impressions; however, other consequences of 'malvertising' can be far more dangerous, causing significant damage to unprotected machines. The campaign revolves around pushing malware and spam-laden advertisements onto users' browsers. In 2019, attackers were seen launching such campaigns against popular web browsers, namely Google Chrome, Microsoft Edge, Opera, and Safari.

Recently, malware distributors have launched a new campaign that uses these web-page redirects to exploit a DLL hijacking flaw in the Windows executable of Apple's Push Notification service, in order to get a cryptocurrency miner installed on the targeted user's system.

What is DLL hijacking?

DLLs (Dynamic Link Libraries) are extensions of the applications running on an operating system. Most applications store code in separate files: when a user runs an application, it may or may not need certain code, so that code is kept in a separate file and loaded into RAM only when it is required. This reduces the size of the executable, optimizes RAM usage, and prevents the application from becoming too big to run smoothly.

As these DLLs are essential for running almost all applications on our systems, they are found in many files and folders on users' computers. If an attacker succeeds in replacing the original DLL file with a counterfeit one carrying malicious code, this is termed DLL hijacking.

The latest victim of this kind of flaw is Apple's Push Notification service executable (APSDaemon.exe), which was vulnerable to DLL hijacking. Since it loads AppleVersions.dll upon execution, if it fails to check whether the authentic AppleVersions.dll is being loaded, cybercriminals can replace the DLL file with a fake one containing malware.

Running inside an authentic Apple executable allows the malware to function with little to no risk of being detected by antivirus software; moreover, the threat actors also employed a hashing algorithm to make detection even more difficult.

Trojan modifies Critical DLL file (comres.dll) to Avoid Antivirus Detection

Bitdefender researchers have spotted a new dropper Trojan which uses an interesting technique to avoid being easily detected by antivirus applications.

Usually, malware adds itself to the startup list by adding its path to a Startup registry key, but this makes it easy to detect for antivirus solutions or computer-savvy users.

A new Trojan, named "Trojan.Dropper.UAJ", uses a different technique to evade detection: it compromises a library file (comres.dll), forcing all applications that rely on comres.dll to execute the Trojan as well. Comres.dll is widely used by most internet browsers and by some communication applications and networking tools.

The Trojan makes a copy of the genuine comres.dll file, patches it, and then saves it in the Windows directory.

"The dropper patches the code library by adding a single new malicious function to the imported list to be launched with the rest of its functions. Next, the Trojan drops the file "prfn0305.dat" (identified by Bitdefender as Backdoor.Zxshell.B) that exports (contains) the function that compromises the system. And everything is now in place. The moment the system calls the code library, the malware is turned on," the researchers said.
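Both posts above come down to the same defensive check: a process loaded a DLL by name without confirming that the file is the authentic one from its expected location. The following is an added example (not code from either post or from Bitdefender) of a triage routine that flags such loads; the expected-directory allowlist, the sample module listing and its signed flags are all constructed for illustration, and in practice the listing would come from enumerating each process's loaded modules.

```python
# Added example: flag loaded DLLs that do not match where they are expected to
# load from, or that are unsigned. Paths, allowlist and signed flags are constructed.
from pathlib import PureWindowsPath

# Constructed allowlist: the directory each library name is expected to load from.
EXPECTED_DIRS = {
    "comres.dll": r"C:\Windows\System32",
    "appleversions.dll": r"C:\Program Files\Common Files\Apple\Apple Application Support",
}

# Constructed module listing: (process name, loaded module path, Authenticode-signed?).
SAMPLE_MODULES = [
    ("iexplore.exe", r"C:\Windows\System32\comres.dll", True),
    # a patched copy planted in the Windows directory, as in the Bitdefender write-up
    ("iexplore.exe", r"C:\Windows\comres.dll", False),
    ("APSDaemon.exe", r"C:\Program Files\Common Files\Apple\Apple Application Support\AppleVersions.dll", True),
    # an unsigned same-named DLL loaded from a download folder instead of the vendor path
    ("APSDaemon.exe", r"C:\Users\victim\Downloads\setup\AppleVersions.dll", False),
]


def find_dll_hijack_candidates(modules, expected_dirs=EXPECTED_DIRS):
    """Return (process, path, reason) for each module that loaded from an
    unexpected directory or is unsigned. Comparison is case-insensitive,
    since Windows paths are."""
    findings = []
    for process, path, signed in modules:
        p = PureWindowsPath(path)
        name = p.name.lower()
        parent = str(p.parent).lower()
        expected = expected_dirs.get(name)
        if expected is not None and parent != expected.lower():
            findings.append((process, path, f"loaded from {p.parent} instead of {expected}"))
        elif not signed:
            findings.append((process, path, "unsigned module"))
    return findings


if __name__ == "__main__":
    for process, path, reason in find_dll_hijack_candidates(SAMPLE_MODULES):
        print(f"{process}: {path} -> {reason}")
```

Running the script reports the two planted DLLs and stays silent on the genuine ones; a DLL name missing from the allowlist is only reported if it is unsigned.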