New Variant of DLL Search Order Hijacking Bypasses Windows 10 and 11 Protections



Security researchers have outlined a novel iteration of a dynamic link library (DLL) search order hijacking technique, posing a potential threat to systems running Microsoft Windows 10 and Windows 11. This method, disclosed in an exclusive report shared with The Hacker News by cybersecurity firm Security Joes, capitalizes on executables commonly located in the trusted WinSxS folder. By exploiting the classic DLL search order hijacking technique, adversaries can bypass security mechanisms, enabling the execution of malicious code.

The strategy involves leveraging trusted executables within the WinSxS folder, eliminating the necessity for elevated privileges to run malicious code on a compromised system. Additionally, this approach introduces the possibility of incorporating vulnerable binaries into the attack chain, a pattern observed in previous incidents.

DLL search order hijacking revolves around manipulating the order in which DLLs are loaded, facilitating the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation. In this context, attackers target applications that do not specify the full path to the required libraries. Instead, they rely on a predetermined search order to locate the necessary DLLs on the disk.

Exploiting this behavior, threat actors relocate legitimate system binaries into unconventional directories. These directories include malicious DLLs bearing names similar to legitimate ones. Consequently, during the DLL loading process, the library containing the attack code is selected in lieu of the authentic one.

Other news

Carbanak Banking Malware Resurfaces with New Ransomware Tactics – 26.12.2023

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.

Read More

Apple’s Recent Zero-Click Shortcuts Vulnerability

New information has surfaced regarding a recently patched high-severity security vulnerability in Apple’s Shortcuts app, which had the potential to allow a shortcut to access sensitive information on a device without user consent.

Read More