1. Home
  2. Techniques
  3. Enterprise
  4. 共享模块

共享模块

ID Name
T1129.001 内存驻留无文件加载
T1129.002 合法系统模块劫持

共享模块技术指攻击者通过操作系统提供的动态链接机制加载恶意代码模块,利用系统原生功能实现攻击载荷执行。该技术通过LoadLibrarydlopen等标准API加载本地或远程模块,可规避部分进程行为监控。防御方通常采取限制模块加载路径、监控非常用模块加载行为,以及分析模块数字签名异常等缓解措施,重点检测非系统目录加载、非常规协议加载等异常行为。

为突破传统防御对非常用模块加载路径的检测,攻击者发展出多维度的模块加载匿迹技术,通过内存化执行、系统模块寄生等手法,将恶意模块加载行为深度融入操作系统正常功能调用链,形成"零痕迹加载、全合法上下文"的新型攻击范式。

当前共享模块匿迹技术的核心演进路径聚焦于加载载体的合法化重构与执行环境的深度隐匿。内存驻留技术通过消除磁盘实体文件,突破传统文件监控体系的防御边界;系统模块劫持利用操作系统加载机制的信任链缺陷,实现恶意代码在合法执行上下文中的隐蔽运行。两种技术的共性在于突破传统模块加载的时空约束,通过载体虚拟化、功能寄生化的手段,将恶意模块的存储和执行过程全面融入系统正常行为框架。其中,内存驻留技术实现模块存储介质的虚拟化,系统劫持技术完成功能逻辑的合法化寄生,共同构建出难以通过单维度检测识别的复合匿迹体系。

匿迹技术的演进导致传统基于文件扫描、路径监控的防御体系面临系统性失效,防御方需构建内存行为深度分析、模块依赖链完整性校验,以及网络协议元数据关联分析等新型检测能力,同时强化系统模块加载策略的强制访问控制,方能有效应对新型隐蔽模块加载威胁。

ID: T1129
Sub-techniques:  T1129.001, T1129.002
Tactic: 攻击执行
Platforms: Linux, Windows, macOS
Contributors: Stefan Kanthak
Version: 2.2
Created: 31 May 2017
Last Modified: 12 October 2023

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过仿冒合法模块特征实现深度伪装。在系统模块劫持场景中,恶意模块保持与原始模块相同的导出函数表、资源结构和数字签名,使得静态特征分析难以识别异常;在网络协议加载场景中,模块传输流量严格遵循标准协议格式,伪装成合法业务数据交互。

行为透明

加载共享模块通常是操作系统的正常行为,恶意加载模块在系统中的执行本身不易被察觉。同时内存驻留技术将模块加载行为完全融入目标进程的正常内存操作流程,利用系统合法的内存分配和链接机制实现透明化执行。模块加载过程不产生独立的进程或服务,其内存操作特征与应用程序常规行为高度一致。

Procedure Examples

ID Name Description
S0373 Astaroth

Astaroth uses the LoadLibraryExW() function to load additional modules. [1]
S0438 Attor

Attor's dispatcher can execute additional plugins by loading the respective DLLs.[2]
S0520 BLINDINGCAN

BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.[3]
S0415 BOOSTWRITE

BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules.[4]
S1039 Bumblebee

Bumblebee can use LoadLibrary to attempt to execute GdiPlus.dll.[5]
S0673 DarkWatchman

DarkWatchman can load DLLs.[6]
S0567 Dtrack

Dtrack contains a function that calls LoadLibrary and GetProcAddress.[7]
S0377 Ebury

Ebury is executed through hooking the keyutils.so file used by legitimate versions of OpenSSH and libcurl.[8]
S0661 FoggyWeb

FoggyWeb's loader can call the load() function to load the FoggyWeb dll into an Application Domain on a compromised AD FS server.[9]
S0032 gh0st RAT

gh0st RAT can load DLLs into memory.[10]
S0203 Hydraq

Hydraq creates a backdoor through which remote attackers can load and call DLL functions.[11][12]
S0607 KillDisk

KillDisk loads and executes functions from a DLL.[13]
S0455 Metamorfo

Metamorfo had used AutoIt to load and execute the DLL payload.[14]

S0352 OSX_OCEANLOTUS.D

For network communications, OSX_OCEANLOTUS.D loads a dynamic library (.dylib file) using dlopen() and obtains a function pointer to execute within that shared library using dlsym().[15]
S0501 PipeMon

PipeMon has used call to LoadLibrary to load its installer. PipeMon loads its modules using reflective loading or custom shellcode.[16]
S0196 PUNCHBUGGY

PUNCHBUGGY can load a DLL using the LoadLibrary API.[17]
S1078 RotaJakiro

RotaJakiro uses dynamically linked shared libraries (.so files) to execute additional functionality using dlopen() and dlsym().[18]
S0603 Stuxnet

Stuxnet calls LoadLibrary then executes exports from a DLL.[19]
S0467 TajMahal

TajMahal has the ability to inject the LoadLibrary call template DLL into running processes.[20]
S1154 VersaMem

VersaMem relied on the Java Instrumentation API and Javassist to dynamically modify Java code existing in memory.[21]

Mitigations

ID Mitigation Description
M1038 Execution Prevention

Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown modules from being loaded.

Detection

ID Data Source Data Component Detects
DS0011 Module Module Load

Monitor shared module loading, focusing on .dll, .so, and .dylib files, and look for suspicious paths or abnormal module loads that deviate from system norms.

Limiting module loads to trusted directories, such as %SystemRoot% and %ProgramFiles% on Windows, may protect against module loads from unsafe paths.
DS0009 Process OS API Execution

Monitor API calls such as LoadLibrary (Windows) or dlopen (Linux/macOS) that load shared modules.

References

  1. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  2. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  3. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  4. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  5. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  6. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  7. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  8. Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.
  9. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  10. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  11. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  1. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  2. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  3. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  4. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  5. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  6. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  7. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
  8. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  9. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  10. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.