
DLL Hijacking: How FormBook Malware Uses Safe DLL Search Mode to Persist on Endpoints

Attackers keep finding ways to turn ordinary operating-system behaviour against the systems it runs on. Veriti's research team recently observed a FormBook campaign that relies on DLL search order hijacking, a technique that is easiest to pull off on hosts where Safe DLL Search Mode has been disabled, to keep the malware running on infected endpoints. Because the malicious code is loaded as a DLL into a legitimate process, it is harder to spot and harder to remove than a stand-alone executable.

What is FormBook Malware?

FormBook is an infostealer malware first discovered in 2016. It is designed to steal various types of data from infected systems, including credentials cached in web browsers, screenshots, and keystrokes. FormBook also functions as a malware downloader, enabling it to download and execute additional malicious files on infected systems.

FormBook operates under a Malware as a Service (MaaS) model, where cybercriminals can purchase access to the malware for a relatively low cost. This accessibility makes FormBook a popular choice among attackers.

Veriti’s research discovered a recent phishing campaign where a malicious file, disguised as a legitimate attachment, was used to infect systems with FormBook.

Figure: the malicious file attached to the phishing email (VirusTotal sample).

Understanding DLL Hijacking and Safe DLL Search Mode

To understand how FormBook and similar malware persist on systems, it’s important to grasp the concept of DLL hijacking and Safe DLL Search Mode.

DLL (Dynamic Link Library) hijacking, more precisely DLL search order hijacking, takes advantage of how Windows locates a DLL that an application requests by name rather than by full path. Before searching any directory, the loader reuses a DLL that is already mapped into the process or that is listed under KnownDLLs (those always come from the system directory). For anything else, Windows walks a fixed list of directories and loads the first file whose name matches. Safe DLL Search Mode is a long-standing loader setting, enabled by default, that moves the current working directory down that list so that a directory the attacker may control is consulted only after the system directories.

With Safe DLL Search Mode enabled, the search order for a DLL requested by name is:

  1. The directory from which the application was loaded.
  2. The system directory (e.g., C:\Windows\System32).
  3. The 16-bit system directory (C:\Windows\System).
  4. The Windows directory (C:\Windows).
  5. The current working directory.
  6. The directories listed in the PATH environment variable.

If Safe DLL Search Mode is disabled, the current working directory moves up to second place, immediately after the application directory and ahead of System32. In the classic case, a document opened from an attacker-controlled folder or network share sets the application's working directory to that location, and the application then picks up a planted DLL carrying the name of a system DLL it needs. The setting is a single registry value, SafeDllSearchMode (REG_DWORD), under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The value is normally absent, which means the default (enabled) applies; only an explicit 0 disables the protection.

Note that the application directory is searched first in both modes. A DLL planted beside a legitimate executable (DLL sideloading) is therefore loaded regardless of this setting, which is why Safe DLL Search Mode is a necessary baseline rather than a complete defence.
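As an added example (not code from the Veriti post or its platform), the PowerShell below audits the setting described above on the local host and, through the remediation function, restores the default. The registry path and the meaning of the value are Microsoft's; the function names and the output text are this example's own, and it assumes an elevated session on Windows.

```powershell
# Added example, not code from the Veriti post. Audits SafeDllSearchMode and,
# on request, restores the secure default. Assumes an elevated session on Windows;
# the function names are this example's own.
$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$SafeModeValueName = 'SafeDllSearchMode'

function Get-SafeDllSearchModeState {
    # The value is normally absent, and absent means the default (enabled) applies.
    # Only an explicit 0 puts the current working directory ahead of System32.
    $item = Get-ItemProperty -Path $SessionManagerKey -Name $SafeModeValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; Enabled = $true }
    }
    $raw = [int]$item.$SafeModeValueName
    return [pscustomobject]@{ Present = $true; Value = $raw; Enabled = ($raw -ne 0) }
}

function Enable-SafeDllSearchMode {
    # Writes an explicit 1 rather than deleting the value: an explicit setting is
    # easier to audit across a fleet than the absence of one. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-SafeDllSearchModeState
    if ($state.Enabled) {
        Write-Verbose "SafeDllSearchMode already enabled (present=$($state.Present), value=$($state.Value))"
        return $state
    }
    if ($PSCmdlet.ShouldProcess("$SessionManagerKey\$SafeModeValueName", 'Set to 1 (DWORD)')) {
        Set-ItemProperty -Path $SessionManagerKey -Name $SafeModeValueName -Value 1 -Type DWord
    }
    return Get-SafeDllSearchModeState
}

# Audit the local host; uncomment the last line to remediate (drop -WhatIf for real).
$state = Get-SafeDllSearchModeState
if ($state.Enabled) {
    Write-Output "OK: Safe DLL Search Mode enabled (value present: $($state.Present))"
} else {
    Write-Output "MISCONFIGURED: SafeDllSearchMode = $($state.Value); the current directory is searched before System32"
    # Enable-SafeDllSearchMode -WhatIf
}
```

Two points worth keeping in mind when running this across a fleet: a host with no SafeDllSearchMode value at all is correctly configured, so an audit that flags "value missing" produces false positives, and after changing the value, reboot and re-audit before marking the host fixed rather than assuming running processes have picked it up.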

The Risks of Safe DLL Search Mode Exploits

Where Safe DLL Search Mode is disabled or otherwise misconfigured, an attacker needs only to place a DLL with the right name in a directory that is searched ahead of the one holding the real copy. If the application requests that DLL by bare name rather than by full path, Windows loads the attacker's file, and the payload runs inside a trusted, often signed, process. The application's own directory is searched first in either mode, so a DLL dropped next to a legitimate executable (DLL sideloading) works even with the protection enabled; disabling Safe DLL Search Mode additionally exposes every application to its current working directory, which the attacker can influence through, for example, a document opened from a share.

In this case, Veriti's research identified that FormBook was using DLL search order hijacking, on endpoints where Safe DLL Search Mode was disabled, to maintain persistence. Because the malicious code runs inside a legitimate process, checks based on process name and parent-child relationships do not flag it, and killing the host process is rarely an option, which makes the infection hard to detect and to clean up.

Figure: GTA 5-themed malicious campaign (PureCrypter malware), VirusTotal sample.

Veriti's own data points to how common the precondition is: in 25% of the organizations it monitors, one or more hosts carry this kind of misconfiguration. Each such host widens the set of applications that can be hijacked, because any program that loads a DLL by name from an attacker-influenced working directory becomes a candidate.
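As an added example, not code from the Veriti post, the following PowerShell hunts for the footprint of the hijack described in this section: a DLL loaded into a running process from outside the Windows system directories whose file name also exists in System32. It assumes an elevated Windows session and a PowerShell process of the same bitness as the processes inspected (module enumeration does not work across bitness); the function name and the output columns are this example's own.

```powershell
# Added example, not code from the Veriti post. Finds DLLs loaded by running processes
# from outside the Windows system directories whose name also exists in System32,
# i.e. candidates for a search-order hijack. Assumes an elevated Windows session and
# a PowerShell process of the same bitness as the targets; the function name and the
# output columns are this example's own.
$System32    = Join-Path $env:SystemRoot 'System32'
$SysWow64    = Join-Path $env:SystemRoot 'SysWOW64'
$TrustedDirs = @($System32, $SysWow64, $env:SystemRoot)

function Find-ShadowedSystemDlls {
    param(
        [string[]]$ProcessName   # optional filter, e.g. 'WINWORD','explorer'; default: all
    )
    $procs = if ($ProcessName) {
        Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
    } else {
        Get-Process
    }
    foreach ($p in $procs) {
        # Protected processes and bitness mismatches throw here; skip them rather than abort.
        try { $modules = $p.Modules } catch { continue }
        $exeDir = $null
        try { if ($p.Path) { $exeDir = Split-Path -Parent $p.Path } } catch { }

        foreach ($m in $modules) {
            if (-not $m.FileName) { continue }
            $dir  = Split-Path -Parent $m.FileName
            $name = Split-Path -Leaf   $m.FileName

            # Loaded from System32/SysWOW64/Windows: the legitimate copy, nothing to report.
            if ($TrustedDirs -contains $dir) { continue }
            # Only interesting when a same-named DLL exists in System32, i.e. the loaded
            # file shadows a system DLL in the search order.
            if (-not (Test-Path -LiteralPath (Join-Path $System32 $name))) { continue }

            # AppDir = classic sideload next to the executable (works in both modes);
            # Other  = CWD or PATH, the case Safe DLL Search Mode is meant to limit.
            $position = if ($exeDir -and ($dir -eq $exeDir)) { 'AppDir' } else { 'Other' }
            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
            [pscustomobject]@{
                Process    = $p.ProcessName
                Pid        = $p.Id
                Dll        = $name
                LoadedFrom = $dir
                Position   = $position
                Signature  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Usage: unsigned or unexpectedly signed rows, especially with Position 'Other', go first.
Find-ShadowedSystemDlls | Sort-Object Position, Signature, Process | Format-Table -AutoSize
```

Legitimate software ships private copies of some DLLs (C runtime libraries, for instance), so the Signature and Signer columns are what separate a Microsoft-signed private copy from an unsigned DLL loaded by a signed host. DLLs whose names are on the KnownDLLs list are always mapped from System32 when requested by name, so a hit on one of those means the DLL was loaded by explicit path and deserves a different kind of scrutiny.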

Notable Malware and Threat Groups Using DLL Search Order Hijacking

FormBook is far from the only case. DLL search order hijacking (MITRE ATT&CK T1574.001) is a staple of sophisticated malware families and of the groups that operate them. Notable examples include:

  1. PlugX: A remote access trojan (RAT) used by APT groups for data exfiltration and maintaining access to compromised systems.
  2. Carbanak/Anunak: A banking trojan used to steal millions from financial institutions, known for exploiting Windows vulnerabilities to evade detection.
  3. Emotet: Once a banking trojan, now a modular platform used to distribute ransomware and steal sensitive information.
  4. QakBot (QBot): A banking trojan that has evolved into a sophisticated malware loader.
  5. APT41 (Winnti): A cyber-espionage group known for using malware to maintain long-term access to targeted systems.
  6. ZLoader: A banking trojan used for financial theft and as a delivery mechanism for other malware.
  7. Duqu: A highly sophisticated espionage malware that shares similarities with Stuxnet.
  8. Turla: A Russian APT group known for targeting government institutions across Europe and the U.S.
  9. ShadowPad: A modular backdoor trojan used in espionage campaigns.
  10. SamSam Ransomware: A ransomware family that has primarily targeted healthcare and government organizations.
  11. APT10 (Stone Panda): A Chinese cyber-espionage group targeting managed service providers (MSPs).
  12. APT28 (Fancy Bear): A Russian military intelligence-linked group responsible for high-profile government and defense-related attacks.

These families and groups use DLL hijacking to blend into legitimate processes and persist, which makes keeping Safe DLL Search Mode enabled on every Windows system a basic hygiene requirement. It is not sufficient on its own: the application directory is searched first regardless of the setting, so a DLL sideloaded next to a legitimate executable still has to be caught by EDR telemetry (image loads from unexpected paths, unsigned DLLs loaded by signed binaries) or blocked by application control.

Figure: WINAMP as adware, VirusTotal sample.

Veriti’s platform is equipped to identify misconfigurations in the operating system (OS) without the need for an agent, and it detects control gaps at the endpoint detection and response (EDR) levels that enable DLL hijacking. Once identified, Veriti’s solution can safely remediate these misconfigurations by changing the OS configuration and ensuring that the correct EDR configurations are applied to disarm the attack vector.

By providing continuous monitoring and safe remediation, Veriti helps organizations stay ahead of these threats:

  • Automated Root-Cause Analysis: When Veriti identifies an attempted DLL hijacking, it automatically alerts the security team and provides detailed information on the threat.
  • OS-Level Remediation: Veriti identifies and reconfigures systems where Safe DLL Search Mode is disabled, ensuring that the system prioritizes legitimate directories when loading DLLs.
  • EDR-Level Remediation: Veriti works alongside your existing EDR solution to provide an additional layer of defense, identifying and remediating DLL hijacking attempts in real time.

DLL search order hijacking is a widespread way for malware to evade detection and persist. By abusing the order in which Windows resolves a DLL requested by name, attackers get a malicious DLL loaded in place of, or ahead of, the legitimate one. Keeping Safe DLL Search Mode enabled and verified across all systems closes the current-working-directory variant of the attack; the application-directory variant additionally requires visibility into which DLLs legitimate processes load and from where.

Veriti’s platform is designed to identify these misconfigurations and mobilize the remediation, helping organizations protect their endpoints from malware like FormBook.


*** This is a Security Bloggers Network syndicated blog from VERITI authored by Yair Herling. Read the original post at: https://veriti.ai/blog/dll-hijacking-how-formbook-malware-uses-safe-dll-search-mode/