Cybersecurity researchers have identified a new attack vector in which threat actors abuse DLL side-loading against Google Chrome version 133.0.6943.126, the build released in February 2025. According to the ThreatMon report, the attackers replace Chrome’s legitimate chrome_elf.dll with a malicious counterpart; when Chrome starts, it unknowingly loads the attacker’s DLL and executes the malicious code inside Chrome’s trusted processes, with the browser’s permissions. Note the precondition: the technique does not provide initial access on its own, because the attacker must already be able to write a file into Chrome’s installation directory or into another location that Windows searches before the legitimate DLL’s path. The practical risk is therefore code execution and persistence under a trusted, signed process rather than remote exploitation.
The technique rests on the Windows DLL search order. “DLL search order hijacking is one of the most common methods of DLL sideloading that occurs when an attacker places a malicious DLL with the same name as a legitimate DLL in a location that is searched before arriving at the legitimate DLL’s path,” explains Securonix Threat Research. Because the loader resolves the name rather than verifying the file, a malicious DLL placed where it is found first, or written over the original, is loaded instead of the legitimate one.
To keep the browser working while the payload runs, the attack uses DLL proxying: the malicious DLL exports the same functions as the original and acts as a proxy, intercepting the calls Chrome makes and forwarding them to the legitimate DLL, typically a renamed copy kept alongside it. Chrome therefore behaves normally and shows no error.
A notable aspect of the attack is the use of the Nim programming language for the malicious code. Nim is an uncommon choice for malware development, but it gives attackers several advantages, including evading signature-based detection and impeding analysis by researchers unfamiliar with the language.
DLL side-loading has been documented since at least 2010, but its application against software as widely used as Chrome shows how attackers continue to refine established techniques. While Google has released security updates addressing other high-severity vulnerabilities in Chrome 133, this DLL side-loading path appears to remain exploitable.
As these attacks grow in sophistication, organizations must remain vigilant and proactive. Concretely, that means verifying that chrome_elf.dll and the other libraries in Chrome’s installation directory carry a valid Google Authenticode signature, and alerting on unexpected file writes to that directory, since a replaced DLL gives no visible sign at runtime.
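As an added example (not code from the article, ThreatMon or Securonix), the following Python script parses a PE file’s export table and reports whether every named export is forwarded to a differently named module, which is the fingerprint a proxy DLL leaves behind when it passes Chrome’s calls through to a renamed copy of the original. It includes a constructed miniature PE for offline testing; the export names and the chrome_elf_orig target are hypothetical placeholders, not real chrome_elf.dll exports. On a real system you would point it at the chrome_elf.dll in Chrome’s installation directory, after first checking the file’s Authenticode signature.

```python
import struct

# Added example (not from the article, ThreatMon or Securonix): a minimal PE
# export-table parser that flags proxy DLLs, i.e. DLLs whose named exports are
# all forwarded to a differently named module. Pure Python, runs off Windows.

_EXPORT_DIR = struct.Struct("<IIHHIIIIIII")  # IMAGE_EXPORT_DIRECTORY (40 bytes)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def parse_exports(data):
    """Return [(export_name, forwarder_string_or_None), ...] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                    # DataDirectory: PE32+ vs PE32
    export_rva, export_size = struct.unpack_from("<II", data, dd)  # entry 0 = export table
    sections, sec = [], opt + opt_size
    for _ in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
        sec += 40
    if export_rva == 0:
        return []
    fields = _EXPORT_DIR.unpack_from(data, _rva_to_offset(export_rva, sections))
    nfuncs, nnames, funcs_rva, names_rva, ords_rva = fields[6:]
    funcs = _rva_to_offset(funcs_rva, sections)
    names = _rva_to_offset(names_rva, sections)
    ords = _rva_to_offset(ords_rva, sections)
    result = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, ords + 2 * i)[0]
        if ordinal >= nfuncs:
            continue                                               # malformed entry, skip it
        func_rva = struct.unpack_from("<I", data, funcs + 4 * ordinal)[0]
        # A forwarded export stores a "Module.Function" string inside the export
        # directory instead of a code address; that is what a proxy DLL emits.
        forwarder = None
        if export_rva <= func_rva < export_rva + export_size:
            forwarder = _cstr(data, _rva_to_offset(func_rva, sections))
        result.append((_cstr(data, _rva_to_offset(name_rva, sections)), forwarder))
    return result


def proxy_report(data):
    """Group forwarded exports by target module and flag the all-forwarded pattern."""
    exports = parse_exports(data)
    targets = {}
    for name, fwd in exports:
        if fwd:
            targets.setdefault(fwd.split(".", 1)[0].lower(), []).append(name)
    forwarded = sum(len(v) for v in targets.values())
    return {
        "exports": len(exports),
        "forwarded_to": targets,
        "all_forwarded": bool(exports) and forwarded == len(exports) and len(targets) == 1,
    }


def build_test_dll(dll_name, exports, sec_rva=0x1000):
    """Constructed sample for offline testing: a header-only PE32+ with one .edata
    section. exports is [(name, forwarder_or_None)]; a None forwarder gets a fake
    code RVA outside the export directory. Not a real DLL, names are hypothetical."""
    n = len(exports)
    blob = bytearray(40 + 10 * n)            # directory + function/name/ordinal tables

    def add_str(s):
        off = len(blob)
        blob.extend(s.encode() + b"\0")
        return off

    name_off = add_str(dll_name)
    for i, (name, target) in enumerate(exports):
        func = sec_rva + add_str(target) if target else 0x3000   # forwarder string or fake code
        struct.pack_into("<I", blob, 40 + 4 * i, func)
        struct.pack_into("<I", blob, 40 + 4 * n + 4 * i, sec_rva + add_str(name))
        struct.pack_into("<H", blob, 40 + 8 * n + 2 * i, i)
    _EXPORT_DIR.pack_into(blob, 0, 0, 0, 0, 0, sec_rva + name_off, 1, n, n,
                          sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n)
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 64)                                  # e_lfanew
    hdr[64:68] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 68, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    struct.pack_into("<H", hdr, 88, 0x20B)                                 # PE32+ magic
    struct.pack_into("<I", hdr, 88 + 108, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 88 + 112, sec_rva, len(blob))             # export data directory
    struct.pack_into("<8sIIII", hdr, 88 + 240, b".edata", len(blob), sec_rva, len(blob), 0x400)
    return bytes(hdr) + bytes(blob)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_dll(
        "chrome_elf.dll", [("HypotheticalExportA", "chrome_elf_orig.HypotheticalExportA"),
                           ("HypotheticalExportB", "chrome_elf_orig.HypotheticalExportB")])
    print(proxy_report(data))
```

Run it with a path to a DLL to inspect that file, or with no arguments to see the constructed proxy sample. The signal to act on is the combination reported as all_forwarded: every export forwarded to one module whose name is a variant of the DLL’s own (a proxy built with MSVC linker directives of the form /export:Func=chrome_elf_orig.Func produces exactly this table). Some forwarding on its own is normal; legitimate system libraries such as kernel32.dll forward a subset of their exports to ntdll.dll, so a single forwarded entry is not evidence of tampering.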
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 12:20:22 +0000