The Evolution of Cyber Attack Techniques: From DLL Side-Loading to Encrypted Task Scheduling

In the dynamic landscape of cybersecurity, attackers are continually refining their strategies to outmaneuver defenses. A stark example of this progression is the shift from the use of pythonw.exe for DLL side-loading to the sophisticated implementation of encrypted scheduled tasks. This blog post delves into the technical details of this evolution, providing a clearer understanding of the threats and the mechanisms behind them.

Understanding DLL Side-Loading

DLL side-loading is a technique where attackers exploit the way Windows searches for dynamic link libraries (DLLs) to load their malicious code. For instance, when an application like pythonw.exe—a legitimate Python executable that runs scripts silently without a command window—starts, it looks for specific DLLs to use. If an attacker places a malicious DLL with the correct name in the expected directory, pythonw.exe will load and execute the malicious code, often without triggering security alerts.

Example of DLL Side-Loading:

1. pythonw.exe starts and searches for a DLL named example.dll.
2. An attacker has placed a malicious example.dll in the search path.
3. pythonw.exe loads the malicious example.dll, thinking it is legitimate.
4. The attacker’s code is now running on the target machine.

The Shift to Encrypted Scheduled Tasks

The latest cyber attack campaigns have moved beyond this method. Instead of directly targeting pythonw.exe, they create scheduled tasks with encrypted commands. These tasks are named to appear benign, such as OneDrive Security Task-S-1-5-21-[...]-2003, which mimics a legitimate task name to avoid raising suspicion.

The Deception of Renamed Executables

In this new strategy, a file named update.exe (which is actually the msiexec.exe Windows Installer renamed) is used. This renaming serves to disguise the true nature of the executable. When the task runs, it initiates processes under spoolsv.exe (the Print Spooler service) and dllhost.exe (the COM Surrogate), both of which are legitimate Windows processes that are less likely to be scrutinized by users and security software.

Example of Encrypted Task Execution:

1. A scheduled task named OneDrive Security Task triggers update.exe.
2. update.exe, which is really msiexec.exe, starts and appears to be a legitimate update process.
3. The task executes encrypted commands that spawn spoolsv.exe and dllhost.exe processes in specific user directories, hiding the malicious activity within normal system behavior.

The Technique of Transacted Hollowing

The campaign employs a complex technique known as transacted hollowing. This method combines elements of Process Hollowing and Process Doppelgänging. It uses Windows Native API functions to create a transactional space where file operations are prepared but not finalized. This allows the attacker to execute their code in a suspended state, avoiding immediate detection.

Transacted hollowing is an advanced and stealthy technique used by cyber attackers to inject malicious code into legitimate processes on Windows systems. This method is a sophisticated blend of two well-known tactics: Process Hollowing and Process Doppelgänging. It leverages the Windows Transactional NTFS (TxF) to execute malicious code in the guise of a legitimate process, making detection significantly more challenging for traditional security measures.

Understanding Transacted Hollowing

Transacted hollowing takes advantage of the transactional capabilities of NTFS, which were originally designed to ensure data integrity. By using these features, attackers can create a state where file operations are initiated within a transaction, which can be committed or rolled back, leaving no trace if required.

Technical Breakdown:

1. Transaction Creation: The attack begins with the creation of a new transaction using the NtCreateTransaction API. This transaction acts as an isolated environment where file operations can be safely conducted without affecting the actual file system.
2. Process Creation: Next, the CreateProcessInternalW API is called to create a new process in a suspended state. This process is typically a legitimate Windows process like spoolsv.exe or dllhost.exe.
3. Memory Unmapping: Once the process is created, its memory is unmapped from the address space using functions like NtUnmapViewOfSection. This effectively hollows out the process, leaving a space for the malicious code.
4. Malicious Code Injection: The attacker then writes the malicious code into the address space of the hollowed process. This can be done using WriteProcessMemory or similar APIs.
5. Transaction Completion: Finally, the transaction can be committed using NtCommitTransaction, which finalizes the changes, or it can be rolled back to erase evidence if the attack is detected.

Simulated Example of Transacted Hollowing

Let’s walk through a simulated example to illustrate how transacted hollowing might be executed:

1. Setting the Stage: An attacker has gained a foothold on a target Windows machine and wishes to execute a payload without being detected by antivirus software.
2. Initiating the Transaction: The attacker uses NtCreateTransaction to start a new transaction. This transaction is associated with file operations that are yet to be determined.
3. Creating a Legitimate Process: With CreateProcessInternalW, the attacker creates a new instance of notepad.exe in a suspended state. This process will serve as the host for the malicious payload.
4. Hollowing the Process: The memory of the suspended notepad.exe is unmapped using NtUnmapViewOfSection. The process is now an empty shell.
5. Injecting the Malicious Code: The attacker writes the malicious code into the hollowed space of notepad.exe using WriteProcessMemory.
6. Completing the Attack: The attacker commits the transaction with NtCommitTransaction, which makes the changes permanent. The notepad.exe process now runs the malicious code instead of its original content.
7. Execution and Cleanup: The process is resumed with ResumeThread, and the malicious code is executed. If necessary, the attacker can roll back the transaction using NtRollbackTransaction to undo the changes, helping to avoid detection.

Detection and Mitigation

Detecting transacted hollowing requires monitoring for suspicious use of the Windows Transactional APIs and unusual process behavior. Security solutions must be capable of inspecting the integrity of process memory and identifying anomalies.

Mitigation strategies include:

• Behavioral Analysis: Employing security tools that perform behavioral analysis rather than relying solely on signature-based detection.
• Privilege Reduction: Ensuring that user accounts operate with the least privileges necessary, reducing the attack surface.
• Patch Management: Keeping systems up-to-date with the latest security patches to mitigate known vulnerabilities that could be exploited in the initial stages of the attack.
• Endpoint Detection and Response (EDR): Implementing EDR solutions that can provide detailed telemetry about process behavior and transactions on the file system.

Conclusion

The transition from DLL side-loading to encrypted scheduled tasks demonstrates a significant advancement in attack methodology. By leveraging complex techniques like transacted hollowing, attackers can effectively conceal their presence and maintain control over compromised systems. This evolution not only highlights the ingenuity of threat actors but also emphasizes the need for robust and adaptive security measures. As defenders, it is imperative to understand these techniques, remain vigilant, and develop proactive defenses to protect against these and future threats.