New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

Security researchers have outlined a fresh variant of a dynamic link library search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and Windows 11.
The new method, disclosed in a report by cybersecurity firm Security Joes and exclusively shared with The Hacker News, exploits executables commonly present in the trusted WinSxS folder, utilizing the classic DLL search order hijacking technique.
Adversaries can avoid the need for elevated privileges when attempting to run malicious code on a compromised system, introducing potentially vulnerable binaries into the attack chain.
DLL search order hijacking involves manipulating the search order used to load DLLs, allowing the execution of malicious payloads for purposes such as defense evasion, persistence, and privilege escalation.
This technique targets applications that do not specify the full path to required libraries, relying on a predefined search order to locate DLLs on disk.
Threat actors exploit this behavior by relocating legitimate system binaries into non-standard directories that contain malicious DLLs, named after legitimate ones.
This tricks the system into loading the attack code-containing library instead of the authentic one.
WinSxS, short for Windows side-by-side, is a crucial Windows component used for OS customization and updates to ensure compatibility and integrity.
According to Ido Naor, co-founder and CEO of Security Joes, the discovery diverges from traditional cyber attack methods, providing a more subtle and stealthy exploitation technique.
The strategy involves identifying vulnerable binaries in the WinSxS folder and combining them with DLL search order hijacking methods.
This entails strategically placing a custom DLL with the same name as a legitimate DLL into an actor-controlled directory, triggering code execution when executing a vulnerable file in the WinSxS folder.
Security Joes emphasized the potential for additional binaries in the WinSxS folder susceptible to this DLL search order hijacking, urging organizations to take precautions.
They recommended examining parent-child relationships between processes, particularly focusing on trusted binaries, and closely monitoring activities performed by binaries in the WinSxS folder, including network communications and file operations.


This Cyber News was published on www.cysecurity.news. Publication date: Tue, 02 Jan 2024 17:13:05 +0000


Cyber News related to New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections

CVE-2021-41769 - A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD86 devices (CPU variant CP300) (All versions < V8.83), SIPROTEC 5 6MD89 devices (CPU variant CP300) (All versions < ...
2 years ago
Attackers Can Bypass Windows Security Using New DLL Hijacking - Threat actors using the DLL Hijacking technique for persistence have been the order of the day and have been utilized in several attacks. This attack method allows bypassing the privilege requirement for executing certain malicious codes on the ...
11 months ago Cybersecuritynews.com
New DLL Search Order Hijacking Variant Evades Windows 10 and 11 Protections - Security researchers have outlined a fresh variant of a dynamic link library search order hijacking technique, potentially enabling threat actors to circumvent security measures and execute malicious code on computers running Microsoft Windows 10 and ...
11 months ago Cysecurity.news
Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS - As we know, Dynamic-link library(DLL) Side loading / DLL Hijacking is nothing new, nor is Windows Side-by-Side; however, side loading is handy from an adversarial tradecraft perspective, be it for establishing initial access, persistence, privilege ...
7 months ago Blog.zsec.uk
New DLL Search Order Hijacking Technique Targets WinSxS Folder - A new DLL search order hijacking technique allows adversaries to load and execute malicious code in applications within Windows' WinSxS folder, incident response company Security Joes reports. Typically, DLL search order hijacking abuses applications ...
11 months ago Securityweek.com
CVE-2005-2127 - Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for ...
6 years ago
30 Best Cyber Security Search Engines - In recent years, several search engines have been developed that are primarily focused on cyber security. In today's era, having all the necessary resources and search tools related to cyber security is crucial to staying protected against emerging ...
5 months ago Cybersecuritynews.com
Frustration grows over Google's AI Overviews feature, how to disable - Since Google enabled its AI-powered search feature, many people have tried and failed to disable the often incorrect AI Overviews feature in regular search results. When you're signed into Google and search for general topics like how to install one ...
7 months ago Bleepingcomputer.com
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Face Off: US Election Debate Sparks New Wave of Crypto-Doubling Scams | Netcraft - The page features Elon Musk’s Tesla logo instead of Trump’s campaign logo, demonstrating how criminals tailor their content to appeal to different audiences, i.e., politically engaged vs cryptocurrency minded. The perpetrators of these scams ...
2 months ago Netcraft.com
EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group - For the last several months, there has emerged a campaign of bullying and censorship seeking to wipe out stories about the mercenary hacking campaigns of a less well-known company, Appin Technology, in general, and the company's cofounder, Rajat ...
10 months ago Eff.org
Cops dismantled LockBit before latest variant hit market The Register - Law enforcement's disruption of the LockBit ransomware crew comes as the criminal group was working on bringing a brand-new variant to market, research reveals. As part of the daily LockBit leaks this week, Trend Micro's report on the group, ...
10 months ago Go.theregister.com
Windows 11 24H2 now rolling out, here are the new features - Version 24H2 is now also accessible via Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Microsoft 365 admin center. Microsoft suggests that businesses start targeted rollouts to ensure ...
2 months ago Bleepingcomputer.com
CVE-2005-1990 - Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, ...
3 years ago
Why Biden's EO on AI Conflates the Role of Red-Teaming - The recent release of president Joe Biden's executive order on artificial intelligence marks a pivotal step toward establishing standards in an industry that has long operated without comprehensive regulations. What's concerning is the order's broad ...
1 year ago Securityboulevard.com
'HeadCrab' Malware Variants Commandeer Thousands of Servers - BLACK HAT EUROPE 2023 - London - The HeadCrab malware, which adds infected devices to a botnet for use in cryptomining and other attacks, has resurfaced with a shiny new variant that allows root access to Redis open source servers. Researchers from ...
1 year ago Darkreading.com
CVE-2018-6765 - Swisscom MySwisscomAssistant 2.17.1.1065 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. This vulnerability exists due to the way .dll files are loaded. It allows an ...
5 years ago
Rust-Based Botnet P2Pinfect Targets MIPS Architecture - The cross-platform botnet known as P2Pinfect has been observed taking a significant leap in sophistication. Since its emergence in July 2023, this Rust-based malware has been on the radar for its rapid expansion, according to a new advisory published ...
1 year ago Infosecurity-magazine.com
U.S. Joins U.K. to Seize LockBit Site, Disrupt Massive Ransomware Variant - The U.S. Department of Justice has partnered with the United Kingdom and international law enforcement partners in London today to announce the disruption of the LockBit ransomware group. The LockBit ransomware group is one of the most active ...
10 months ago Americansecuritytoday.com
STOP ransomware, more common than LockBit, gains stealthier variant - StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics. StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro's 2023 ...
9 months ago Packetstormsecurity.com
Chameleon Android Malware Can Bypass Biometric Security - A new variant of the Chameleon Android banking trojan features new bypass capabilities and has expanded its targeting area, online fraud detection firm ThreatFabric reports. Active since early 2023, the malware initially targeted mobile banking ...
1 year ago Securityweek.com
What is SEO Poisoning Attack? - Search engine optimization (SEO) poisoning is a type of cyber attack that infiltrates search results. It consists of malicious search engine results created by an attacker attempting to redirect someone to malicious or vulnerable webpages. It is a ...
1 year ago Heimdalsecurity.com
StopCrypt: Most widely distributed ransomware now evades detection - A new variant of StopCrypt ransomware was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. StopCrypt, also known as STOP Djvu, is the most widely distributed ransomware in existence that ...
9 months ago Bleepingcomputer.com
Biden Issues Executive Order on Safe, Secure AI - President Biden has issued an Executive Order to establish new standards for AI safety and security. The order follows previous actions the President has taken on responsible innovation, including work that led to 15 leading tech companies pledging ...
1 year ago Infosecurity-magazine.com
CVE-2010-3129 - Untrusted search path vulnerability in uTorrent 2.0.3 and earlier allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse plugin_dll.dll, userenv.dll, shfolder.dll, dnsapi.dll, ...
7 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)