Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.
The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in dlfcn.h in functions such as dlopen and dlsym. Although macOS can execute .so files, common practice uses .dylib files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)
The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like LoadLibrary at run time.(Citation: Microsoft DLL)
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.PS-01.09 | Virtualized end point protection | Mitigates | T1129 | Shared Modules |
Comments
The diagnostic statement highlights several mechanisms that organizations can implement to protect endpoint systems using virtualization technologies, essentially hypervisor hardening. With this technique, adversaries may use may use an existing VM leveraging a legitimate external Web service to exfiltrate data rather than their primary command and control channel. The use of hypervisor application control may detect and block this type of behavior from occurring.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| SI-10 | Information Input Validation | mitigates | T1129 | Shared Modules | |
| SI-03 | Malicious Code Protection | mitigates | T1129 | Shared Modules | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1129 | Shared Modules | |
| CM-02 | Baseline Configuration | mitigates | T1129 | Shared Modules | |
| CM-07 | Least Functionality | mitigates | T1129 | Shared Modules | |
| SI-04 | System Monitoring | mitigates | T1129 | Shared Modules |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1129 | Shared Modules |