Adversaries may execute their own malicious payloads by hijacking ambiguous paths used to load libraries. Adversaries may plant trojan dynamic libraries, in a directory that will be searched by the operating system before the legitimate library specified by the victim program, so that their malicious library will be loaded into the victim program instead. MacOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths.
A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X)
If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-2 | Account Management | Protects | T1574.004 | Dylib Hijacking |
| AC-3 | Access Enforcement | Protects | T1574.004 | Dylib Hijacking |
| AC-4 | Information Flow Enforcement | Protects | T1574.004 | Dylib Hijacking |
| AC-5 | Separation of Duties | Protects | T1574.004 | Dylib Hijacking |
| AC-6 | Least Privilege | Protects | T1574.004 | Dylib Hijacking |
| CA-7 | Continuous Monitoring | Protects | T1574.004 | Dylib Hijacking |
| CM-2 | Baseline Configuration | Protects | T1574.004 | Dylib Hijacking |
| CM-6 | Configuration Settings | Protects | T1574.004 | Dylib Hijacking |
| CM-8 | System Component Inventory | Protects | T1574.004 | Dylib Hijacking |
| RA-5 | Vulnerability Monitoring and Scanning | Protects | T1574.004 | Dylib Hijacking |
| SI-3 | Malicious Code Protection | Protects | T1574.004 | Dylib Hijacking |
| SI-4 | System Monitoring | Protects | T1574.004 | Dylib Hijacking |
| SI-7 | Software, Firmware, and Information Integrity | Protects | T1574.004 | Dylib Hijacking |