Report finds DLL side-loading attack using GitKraken ahost.exe spreads trojans and stealers


A report by Trellix said security researchers recently disclosed an active malware campaign that exploits a DLL side-loading flaw in a utility tied to the c-ares library to deliver a wide assortment of trojans and stealers to commercial and industrial organisations.

KEY FACTS

  • Technique: DLL side-loading using a malicious libcares-2.dll paired with a signed ahost.exe
  • Payloads: Agent Tesla, CryptBot, Formbook, Lumma, Vidar, Remcos, Quasar, DCRat and XWorm
  • Targets: Employees in finance, procurement, supply chain and administration at oil and gas and import and export firms
  • Lures: Invoice and RFQ themed executables in Arabic, Spanish, Portuguese, Farsi and English

Attackers place a malicious libcares-2.dll in the same directory as a vulnerable ahost.exe executable so the rogue DLL is loaded instead of the legitimate library. The method abuses the Windows DLL search order, which resolves the library from the application's own directory before system locations, to achieve code execution. The ahost.exe binary used in the attacks is signed by GitKraken and is commonly bundled with the GitKraken Desktop application.

Observed payloads cover a range of commodity malware families. Samples identified in the campaign include Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat and XWorm.

Campaign operators distribute the malware under misleading filenames that mimic invoices and requests for quotes. An analysis of an artefact on VirusTotal shows dozens of names such as “RFQ_NO_04958_LG2049 pdf.exe” and “Fatura da DHL.exe” which are designed to entice recipients to open the files.

The campaign also uses living-off-the-land techniques, including Windows Script Host and PowerShell, and leverages legitimate, signed software to bypass signature-based defences. The scale of infections and the identity of the operators were not disclosed in the report.

WHY IT MATTERS

The attack shows how threat actors can abuse trusted, signed utilities to bypass conventional security controls and deploy a broad set of commodity malware. Organisations should assume executable search order abuse is possible and investigate unexpected DLLs co-located with signed binaries.
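A defender-side triage check for the pattern described above, as an added example that is not from the Trellix report or from GitKraken: it inventories a file listing, flags every directory holding libcares-2.dll outside an assumed trusted install root, and lists the executables sitting beside it. The install root, user names and file inventory below are constructed placeholders.

```python
import os
from pathlib import PureWindowsPath

# The library name from the report: placed beside a signed host so the
# Windows search order resolves it from the application directory first.
SIDELOAD_DLL = "libcares-2.dll"
EXPECTED_HOST = "ahost.exe"


def _under_any(path, roots):
    """Case-insensitive test for whether `path` lies under any of `roots`."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = ([p.lower() for p in PureWindowsPath(r).parts] for r in roots)
    return any(parts[:len(rp)] == rp for rp in root_parts)


def find_sideload_candidates(file_paths, trusted_roots):
    """Group paths by directory and report each directory that contains
    libcares-2.dll outside a trusted root, with the executables next to it."""
    by_dir = {}
    for p in file_paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent), []).append(wp.name)
    findings = []
    for d, names in by_dir.items():
        lower = {n.lower(): n for n in names}
        if SIDELOAD_DLL not in lower or _under_any(d, trusted_roots):
            continue
        findings.append({
            "dir": d,
            "dll": lower[SIDELOAD_DLL],
            "hosts": [n for n in names if n.lower().endswith(".exe")],
            # False means the DLL sits beside something other than ahost.exe,
            # which is worth a closer look at that executable's signer.
            "expected_host_present": EXPECTED_HOST in lower,
        })
    return findings


def scan_tree(root, trusted_roots):
    """Walk a real directory tree (for example a user's Downloads folder)."""
    paths = [os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs]
    return find_sideload_candidates(paths, trusted_roots)


# Constructed sample inventory and assumed install root; adjust to your estate.
TRUSTED_ROOTS = [r"C:\Program Files\GitKraken"]
SAMPLE_PATHS = [
    r"C:\Program Files\GitKraken\ahost.exe",
    r"C:\Program Files\GitKraken\libcares-2.dll",
    r"C:\Users\alice\Downloads\RFQ_NO_04958_LG2049 pdf.exe",
    r"C:\Users\alice\Downloads\libcares-2.dll",
    r"C:\Users\alice\Downloads\notes.txt",
]
```

Running `find_sideload_candidates(SAMPLE_PATHS, TRUSTED_ROOTS)` flags only the Downloads directory; pair the hits with a signature and hash check of the DLL before escalating.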