Why Attackers Particularly Use DLLs?

2 minute read

Many threat actors distributing DLL droppers instead of direct malicious executable these days. They implement their encrypted malicious code data to a DLL dropper, and wait for user interaction to run the DLL dropper. This technique is very common these days and we can clearly see that DLL dropper being used in many malicious activity. So why do malware authors use this technique?

The following list outlines some of the reasons why threat actors use this technique instead of distributing DLLs:

  • A DLL is not executable not like .exe or .bat file by user by double-clicking, so whenever DLL injected a legitimate host process, it will run malicious DLL file instead of user. So that threat actors prefer injecting malicious DLL to a legitimate host process such as “svchost.exe”, “winlogon.exe”, “explorer.exe” with capability of hiding sub-process runnimng by malicios DLL. This technique gives attacker the cabability to hide a malware’s actions, and all the malicious activity performed by the malware will appear to originate from the host process. For further information about “DLL injection” you can read this article.
  • Injecting a DLL into an already running with privilages provides the attacker to gain more capability to persist on system and creating a larger attack surface. The user will not suspect the usage of process of legitimate system process, whenever looks the startup programs, he/she see a legitimate process runs itself on startup of system.
  • When DLL is loaded by a process into its memory space, the malicious DLL will have access to the entire process memory space, thereby giving it the ability to manipulate the process’s functionality. For example a DLL can be injected in a browser process and runs at background with the whole memory space of the browser. Malicious code can steal credentials, crypto wallet recovery keys, track all activity or change your browsing experience like injecting ads on visited websites. Malicious code with the memory space of browser process can access what your browser process can access.
  • Analyzing a DLL file is not straightforward and can be tricky compared to analyzing and executable.

Most malware samples drop or download a malicious DLL, and load the DLL into memory space of another process. After loading the DLL into a process, the dropper/loader component deletes itself. So that when a dropper/loader executed by user cleans back to avoid tracking, covers itself under a legitimate process and got a chance to persist on target system. As a result a threat actors use this technique a lot to cover their malicious activity under a host process looks really usual/normal.

There is a written article about “Bumblebee DLL Dropper” you may read, analyzed staticly and observed the malware’s activity step by step then with dynamic analysis. Link