Fast facts:

  • DLL side-loading is a technique for executing a malicious payload hidden in a masqueraded DLL by abusing the way a legitimate application locates and loads its DLLs, so the payload runs inside a trusted process.

  • Threat actors and malware families, including Chinese APT groups and the DarkGate malware, are widely exploiting a zero-day DLL side-loading vulnerability in the anti-keylogger software KeyScrambler (KeyScrambler.exe).

  • KeyScrambler versions 3.18.0.0 and 3.17.0.4 are vulnerable to this DLL side-loading issue, and earlier versions may be affected as well.

Swachchhanda Shrawan Poudel

Security Research

The threat landscape in cybersecurity is ever-evolving, with adversaries continuously devising new tactics to infiltrate networks and compromise data. One such threat that has garnered significant attention in recent years is DLL side-loading, a technique malicious actors use to evade detection by executing their code inside the process of a legitimate, trusted application.

According to Hacker News, two China-linked APTs were observed conducting a cyber-espionage campaign against entities and member countries affiliated with the Association of Southeast Asian Nations (ASEAN), delivered through a zip file. The zip file contains a renamed copy of KeyScrambler.exe, the legitimate executable of an anti-keylogger product, which loads a malicious DLL named KeyScramblerIE.dll placed beside it, behavior consistent with a DLL side-loading attack. Trellix reported the same behavior in its analysis of the DarkGate malware.
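Why copying the executable out of its install directory is enough for this trick to work comes down to the Windows DLL search order. The following Python model of that search order is an added illustration, not code from the original report or from KeyScrambler; the directory layouts are constructed, the KeyScrambler install path and the assumption that the legitimate KeyScramblerIE.dll ships next to KeyScrambler.exe are mine, and the KnownDLLs set is a small subset of the real registry list. It generalizes beyond KeyScrambler to any executable that loads a DLL by bare name.

```python
"""Model of the Windows DLL search order for a DLL requested by bare name
(for example LoadLibrary("KeyScramblerIE.dll")) with SafeDllSearchMode on,
which is the default. Added illustration: every path below is constructed."""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")
WINDIR = PureWindowsPath(r"C:\Windows")
# Subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# KnownDLLs are always mapped from System32, so they cannot be side-loaded
# from the application directory.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories the loader consults, in order, for a DLL named without a path."""
    order = [app_dir, SYSTEM32, WINDIR, cwd]
    if not safe_search:  # legacy mode: current directory is searched right after app dir
        order = [app_dir, cwd, SYSTEM32, WINDIR]
    return order + list(path_dirs)


def resolve(dll_name, files_on_disk, app_dir, cwd, path_dirs=(), safe_search=True):
    """Full path the loader would map dll_name to, or None if it is not found."""
    if dll_name.lower() in KNOWN_DLLS:
        candidate = SYSTEM32 / dll_name
        return candidate if candidate in files_on_disk else None
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = directory / dll_name
        if candidate in files_on_disk:  # PureWindowsPath compares case-insensitively
            return candidate
    return None


def side_loadable(imports, files_on_disk, app_dir, cwd):
    """Imports an attacker controls by dropping a file next to the EXE: every
    non-KnownDLL that resolves inside app_dir, or that is not found at all
    (a missing DLL is the classic hijack case: the planted copy wins)."""
    hits = []
    for name in imports:
        where = resolve(name, files_on_disk, app_dir, cwd)
        if name.lower() not in KNOWN_DLLS and (where is None or where.parent == app_dir):
            hits.append(name)
    return hits


# Constructed layouts. Assumption: the vendor's KeyScramblerIE.dll lives in the
# install directory; the attacker ships only the renamed EXE plus their own DLL.
INSTALL_DIR = PureWindowsPath(r"C:\Program Files (x86)\KeyScrambler")
STAGING_DIR = PureWindowsPath(r"C:\Users\victim\Downloads\report")
DISK = {
    SYSTEM32 / "kernel32.dll",
    SYSTEM32 / "user32.dll",
    INSTALL_DIR / "KeyScrambler.exe",
    INSTALL_DIR / "KeyScramblerIE.dll",
    STAGING_DIR / "Report.exe",          # renamed KeyScrambler.exe extracted from the zip
    STAGING_DIR / "KeyScramblerIE.dll",  # the attacker's DLL
}
IMPORTS = ["kernel32.dll", "user32.dll", "KeyScramblerIE.dll"]

if __name__ == "__main__":
    for app_dir in (INSTALL_DIR, STAGING_DIR):
        print(app_dir, "->", resolve("KeyScramblerIE.dll", DISK, app_dir, STAGING_DIR))
        print("  side-loadable:", side_loadable(IMPORTS, DISK, app_dir, STAGING_DIR))
```

Run from the install directory, the request for KeyScramblerIE.dll is satisfied by the vendor's copy because the application directory is searched first; run from the staging directory, that same first search step hands the loader the attacker's file. Nothing in the model (and nothing in the loader) checks who signed the DLL, which is the check a hardened application would have to do itself.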

This study examines the behavior of KeyScrambler.exe to determine whether it is vulnerable to DLL side-loading. DLL side-loading is dangerous because it exploits the way legitimate applications locate and load dynamic-link libraries (DLLs), letting attacker-controlled code run under a trusted process and bypass typical security controls.
Our investigation will look at KeyScrambler.exe for any indication that it can be side-loaded. If such a weakness is found, we will attempt to side-load a custom-made DLL into the program; this will show the scope of the vulnerability and its possible impact on application and network security.
Finally, using the insights gathered from the investigation, we will create a hunting rule to proactively identify suspected KeyScrambler DLL side-loading behavior. Organizations that take a proactive approach to detection and mitigation strengthen their defenses against DLL side-loading and can manage the related risk.
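The behavior described in the campaign above (a renamed KeyScrambler.exe loading a KeyScramblerIE.dll that sits beside it) and the hunting-rule goal of this section both come down to two telemetry signals. The Python below is an added example of that hunting logic, not the report's own rule or a Logpoint query, run over constructed Sysmon-style events rather than real telemetry. The field names (`EventID`, `Image`, `OriginalFileName`, `ImageLoaded`, `Signed`, `SignatureStatus`, `Signature`, `ProcessGuid`) follow Sysmon's schema for Event ID 1 (process create) and Event ID 7 (image load); the install directory and the expected signer name are assumptions.

```python
"""Hunting logic for KeyScrambler DLL side-loading over Sysmon-style events.
Signal 1 (EID 1): the PE's OriginalFileName is KeyScrambler.exe but the file
on disk is called something else, i.e. the binary was renamed.
Signal 2 (EID 7): KeyScramblerIE.dll is loaded from outside the install
directory, or without a valid signature from the expected vendor.
Added example with constructed events; install path and signer are assumed."""
from pathlib import PureWindowsPath

INSTALL_DIR = PureWindowsPath(r"C:\Program Files (x86)\KeyScrambler")  # assumed
EXPECTED_SIGNER = "QFX Software Corporation"                           # assumed


def is_renamed_keyscrambler(ev):
    """Sysmon EID 1 where the embedded name is KeyScrambler.exe but the image name is not."""
    if ev.get("EventID") != 1:
        return False
    if ev.get("OriginalFileName", "").lower() != "keyscrambler.exe":
        return False
    return PureWindowsPath(ev["Image"]).name.lower() != "keyscrambler.exe"


def is_suspicious_dll_load(ev):
    """Sysmon EID 7 loading KeyScramblerIE.dll from the wrong place or with a bad signature."""
    if ev.get("EventID") != 7:
        return False
    loaded = PureWindowsPath(ev["ImageLoaded"])
    if loaded.name.lower() != "keyscramblerie.dll":
        return False
    outside_install_dir = loaded.parent != INSTALL_DIR
    bad_signature = (
        ev.get("Signed", "false").lower() != "true"
        or ev.get("SignatureStatus") != "Valid"
        or ev.get("Signature") != EXPECTED_SIGNER
    )
    return outside_install_dir or bad_signature


def hunt(events):
    """Correlate both signals per process. Returns {ProcessGuid: [reasons]};
    a process hit by both a renamed image and a bad DLL load is the strongest case."""
    findings = {}
    for ev in events:
        reasons = []
        if is_renamed_keyscrambler(ev):
            reasons.append("renamed KeyScrambler.exe: " + ev["Image"])
        if is_suspicious_dll_load(ev):
            reasons.append("KeyScramblerIE.dll loaded from " + ev["ImageLoaded"])
        if reasons:
            findings.setdefault(ev["ProcessGuid"], []).extend(reasons)
    return findings


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    # Benign: the real install loads the vendor-signed DLL from the install directory.
    {"EventID": 1, "ProcessGuid": "{A}", "OriginalFileName": "KeyScrambler.exe",
     "Image": r"C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe"},
    {"EventID": 7, "ProcessGuid": "{A}",
     "Image": r"C:\Program Files (x86)\KeyScrambler\KeyScrambler.exe",
     "ImageLoaded": r"C:\Program Files (x86)\KeyScrambler\KeyScramblerIE.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": EXPECTED_SIGNER},
    # Suspicious: renamed EXE extracted from a zip loads an unsigned DLL beside it.
    {"EventID": 1, "ProcessGuid": "{B}", "OriginalFileName": "KeyScrambler.exe",
     "Image": r"C:\Users\victim\Downloads\report\Report.exe"},
    {"EventID": 7, "ProcessGuid": "{B}",
     "Image": r"C:\Users\victim\Downloads\report\Report.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\report\KeyScramblerIE.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Unrelated image load that must not trigger.
    {"EventID": 7, "ProcessGuid": "{C}", "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for guid, reasons in hunt(SAMPLE_EVENTS).items():
        print(guid, "->", "; ".join(reasons))
```

Keying the DLL check on the signature rather than only on the path matters: an attacker who can write to the install directory, or who mirrors the install path elsewhere, defeats a path-only rule, while a rule that also requires the vendor's valid signature on KeyScramblerIE.dll still fires. Conversely, the EID 1 signal alone produces noise from legitimate renamed copies, so the correlation in `hunt` is what raises confidence.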

In today's changing threat landscape, recognizing and mitigating novel attack strategies such as DLL side-loading is critical for enterprises looking to maintain strong cybersecurity postures. This Emerging Threat Report seeks to give practical information and solutions to assist companies in strengthening their defenses and protecting against the increasing danger posed by DLL side-loading.