ClickCease Alert: New DLL Variant Used For Malicious Code Execution

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Alert: New DLL Variant Used For Malicious Code Execution

Wajahat Raja

January 15, 2024 - TuxCare expert team

Recent research findings have brought to light a new DLL variant pertaining to search order hijacking techniques. As per recent reports, this dynamic link library variant could potentially be used by threat actors for malicious code execution. Cybercriminals are able to exploit these DLL file vulnerabilities to bypass security mechanisms. Based on the research findings, systems operating on Microsoft Windows 10 and 11 are believed to be at risk.

In this article, we’ll dive into how this new DLL variant flaw could be exploited and DLL variant detection and attack prevention protocols.


New DLL Variant Potential Exploits 

Researchers at the cybersecurity firm Security Joes have identified a
new DLL variant related to search order hijacking. Those keen on ensuring protection against DLL-based attacks must fully comprehend what search order hijacking is prior to deploying any prevention mechanism.

The technique allows threat actors to persist within a system, allowing them to elevate their privileges while evading detection at the same time. Threat actors deploying these techniques rely on system applications that don’t specify the complete path of the required DLLs as they have predefined a search order.

Media reports have cited cybersecurity researchers at Security Joes stating that the new DLL variant technique “leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL search order hijacking technique.” Using such an approach eliminates the need for elevating privileges used to carry out malicious intentions.

When trusted apps execute malicious DLLs, it allows threat actors to gain unauthorized access. Such access can then be used to carry out malicious code executions. Hackers can hide their actions and increase the attack surface because trusted applications execute the DLLs that the threat actor has deployed.

Cybersecurity Threat Analysis For The New DLL Variant

Experts and researchers have conducted a
cybersecurity threat analysis that serves as a proof of concept for potential exploits resulting from the New DLL variant flaw. To conduct the experiment, researchers created a desktop folder titled “NOT_A_FOLDER_MS.” After creating the folder, the team used the Process Monitor to identify the vulnerabilities.

As a part of the analysis, filters were set to specific outcomes like “PATH NOT FOUND” and “NAME NOT FOUND.” To further analyze cyber threats and DLL variants, a custom DLL was injected using this high-jacking technique. An executable designed to launch and monitor WinSxS folder binaries was also placed alongside the custom DLL.

Afterward, the researchers launched their custom tool, which identified different binaries like “ngentask.exe” and “aspnet_wp.exe” in the WinSxS folder. It’s worth mentioning here that in the proof of concept experiment, the binaries mentioned above searched for their respective DLLs in the custom “NOT_A_SYSTEM_FOLDER_MS” directory the researchers had initially created.

As a result of the proof-of-concept, the team was able to inject a custom DLL into “ngentask.exe.” Thoroughly understanding this proof-of-concept experiment is essential for organizations as they develop a cybersecurity strategy to ensure protection against dynamic link library risks.

Protection Protocols Against The New DLL Variant Threats

As far as developing a protection protocol is concerned, it’s worth mentioning that the attack sequence primarily relies on the Windows WinSxS folder. Understanding why and how threat actors can use the folder is essential to ensuring the efficacy of preventative measures. WinSxS is a critical component of the Windows operating system. It’s primarily used to store multiple versions of important system files and DLLs.

The new DLL variant high-jacking technique leverages the developed authorization and trust of the WinSxS folder. Doing so allows threat actors to initiate their malicious code execution protocols without being detected. Given the severity of attacks that could result from the new DLL variant exploitation, implementing robust cybersecurity measures is essential. To ensure protection against such attacks, organizations should focus on parent process analysis.

Such a prevention measure entails that security teams must identify unusual processes related to binaries within the WinSxS folder. Once identified, it’s essential for them to monitor their activities and network communications. When doing so, it’s important to remember that any abnormalities pertaining to their behavior may be an indicator of threats arising from the new DLL variant.


Cybersecurity researchers have identified a
new DLL variant related to search order hijacking, which, if exploited, can be used to gain unauthorized access and execute malicious code. 

Since the technique leverages established trust, identifying malicious activities can be challenging. Given the exploitable nature of the variant and the potential damage it can cause, organizations must implement proactive cybersecurity measures to safeguard their systems.

The sources for this piece include articles in The Hacker News and GRIDINSOFT.

Alert: New DLL Variant Used For Malicious Code Execution
Article Name
Alert: New DLL Variant Used For Malicious Code Execution
Learn all about the new DLL variant flaw that could be used for malicious code execution. Gain insights and secure your systems today!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter