An expert shows how to stop popular ransomware samples via DLL hijacking

Pierluigi Paganini May 04, 2022

A security researcher discovered that samples of Conti, REvil, LockBit ransomware were vulnerable to DLL hijacking.

The security researcher John Page aka (hyp3rlinx) discovered that malware from multiple ransomware operations, including Conti, REvil, LockBit, AvosLocker, and Black Basta, are affected by flaws that could be exploited block file encryption.

Page shared its findings through its Malvuln project exclusively dedicated to the research of security flaws in malware codes.

The malware strains were vulnerable to DLL hijacking, the experts published a report and PoC for the attack against each of them.

hyp3rlinx conducted the DLL hijacking to load and execute a specially crafted DLL that was able to terminate the pre-encryption activities conducted by the malware strains.

The DLLs used by the experts have a specific name in order to be considered part of the logical programming flow of the malware.

“Conti looks for and executes DLLs in its current directory. Therefore, we can potentially hijack a vuln DLL execute our own code, control and terminate the malware pre-encryption. The exploit dll will check if the current directory is “C:\Windows\System32″, if not we grab our process ID and terminate. We do not need to rely on hash signature or third-party product, the malware will do the work for us. Endpoint protection systems and or antivirus can potentially be killed prior to executing malware, but this method cannot as theres nothing to kill the DLL just lives on disk waiting. From defensive perspective you can add the DLLs to a specific network share containing important data as a layered approach. All basic tests were conducted successfully in a virtual machine environment.” reads a description for the attack published by Page on Malvuln.

Below is a video PoC published by the researcher that shows a DLL hijacking attack against a sample of the Conti ransomware. The expert did not share details about the flawed versions he tested.

From a defense defensive, the expert suggests users add the DLLs to the specific network share that contains important data.

The expert noticed that the ransomware could terminate Endpoint protection systems and or antivirus prior to executing malware, it was not instructed to delete the DLL left on the disk.

Of course, we now expect the move from ransomware operations that could solve the issue once the flaws have been publicly disclosed.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DLL hijacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment