IB companies Security Jones has revealed a new method of intercepting the DLL search procedure. This method can be used by attackers to bypass protective measures and install malware on Windows 10 and Windows 11 systems.
According to a report from Security JoES, the new approach involves using executable files from the trusted WinsXS folder and executing them using classic DLL search procedures. This allows cybercriminals to avoid the need for elevated privileges when attempting to execute malicious code on a compromised computer. It also enables them to introduce potentially vulnerable binary files into their attack chain.
The DLL Search Order Hijacking (DLL Search Procedure) technique involves manipulating the search procedure used to load DLLs. This technique is used to carry out malware attacks that bypass protection, maintain persistence, and escalate privileges. The attackers target applications that do not specify the full path to the required libraries. Instead, these applications rely on the predetermined search order to locate the DLL on the disk.
Attackers take advantage of this behavior by moving legitimate system binary files to non-standard directories that contain malicious DLLs with names identical to legitimate ones. As a result, when the application searches for the DLL, the malicious library is selected instead of the genuine DLL.
Security Jones warns that there may be additional binary files in the WinSXS folder that are vulnerable to this DLL search procedure manipulation. Organizations are advised to take appropriate precautions to prevent the use of this technique. They should carefully monitor all activities performed by binary files located in the WinSXS folder, including network communications and file operations.