Phantom DLL hijacking vulnerabilities in Iconics Suite

What is the hijacking of a DLL?

A program that is vulnerable to DLL hijacking is then launched using an infected file that an attacker has successfully downloaded into your machine. DLL hijacking is a cyberattack tactic where an infected file is inserted into an application’s search parameters. The malicious DLL file loads in place of any file that the user tries to load from that location. Upon program loading, this hacked file becomes operational. DLL files are commonly pre-installed on computers. DLL files are loaded automatically by many programs, which puts the system at risk of penetration and gives hackers access to the system every time the malicious code-containing file loads.

DLL files: what are they?

DLL files are only compatible with Microsoft operating systems and include the resources required for an application to run correctly. According to Microsoft, a significant amount of a Windows operating system’s functionality is provided by the dynamic link library. DLL files are typically accessed during program loading. These files help programs run smoothly and make efficient use of the hard disk. Because DLL files commonly support many applications, in a single cyberattack, including a DLL hijack, a single compromised file may cause interference and compromise for several programs.

How to test for DLL hijacking

DLLSpy, a tool for detecting DLL hijacking, employs three distinct methods: static, dynamic, and recursive. Static testing identifies all.dll or.dll path files in the process of running an application. Filtering on.exe and.dll files that show up as “NAME NOT FOUND” is a good way to identify a DLL hijacking attempt.

How does hijacking a DLL operate?

The correct operation of Windows programs requires DLL search protocols. By concealing a payload DLL within the directory of the intended program, an application can be made to load an infected file rather than an authentic one. The DLL search order of Microsoft apps can be exploited against them as this information is known to the public. For DLL hijacking to be effective, the attacker must convince the targeted application to search for the malicious file before the genuine DLL file, as it will run the first file it finds when it boots up. 

One can accomplish this in the following ways:

• They can introduce a trojan DLL file into a directory, which will be examined before the real library.
• DLL preloading causes an infected DLL with the same name as an ambiguously stated DLL to be put, which means the malicious DLL will be discovered first.
• DLL redirection can directly change the sequence in which DLLs are searched, forcing the program to run the malicious DLL instead of the legitimate one.
• Infected DLL files can propagate via phishing, social engineering, and supply chain assaults, among other techniques. Placing the file higher in the privilege order will provide the threat actor more access to the system.

Windows applications that do not specify the entire path of the relevant DLL files will fall back to using certain DLL search protocols. The program will start by looking through the loaded directory. DLL hijacking permits an infected DLL file to be obtained and inspected before the system directory by inserting it here. We call this DLL search order hijacking. Dangerous DLL files typically utilize a digital signature that mimics the intended program in order to evade detection and permit the transfer of infected DLL files—which can make their way through the chain of supply. 

Phantom DLL hijacking vulnerabilities in Iconics Suite

Iconics Suite is a suite of software tools and solutions that are primarily focused on automation, building management, manufacturing, and industrial applications. 

It offers a variety of functionalities, such as: 

1. SCADA (Supervisory Control and Data Acquisition): Offers real-time monitoring and control of industrial, infrastructure, and facility-based processes. 
2. HMI (Human-Machine Interface): Provides interactive interfaces for operators to monitor and manage industrial and building automation systems. 
3. Automation and Energy Management: Assists in managing and optimizing building systems, such as HVAC, lighting, and power systems, for sustainability and efficiency. 
4. Manufacturing Intelligence: provides analytics and reporting tools for improving manufacturing processes and product quality. 

A cybersecurity attack technique known as “phantom DLL hijacking” involves an attacker taking advantage of the way applications load Dynamic Link Libraries (DLLs). Phantom DLL Hijacking is reintroducing an outdated or no longer in use genuine DLL back into the system, as opposed to DLL hijacking, which replaces a legitimate DLL with a malicious one. This outdated DLL has been altered to carry out dangerous actions. This attack takes advantage of the way that programs load external DLL files. It’s a kind of DLL hijacking, although it takes a slightly different tactic. Phantom DLL hijacking involves an attacker inserting a legal DLL that is out-of-date or unused into the spot where the application normally loads DLLs. The program runs the code within, believing it is loading a legitimate and necessary DLL.

Impact:

Random Code Execution: Phantom DLL hijacking, like DLL hijacking, could cause random code to run. Several security flaws result from the application’s unintentional execution of the malicious code present in the phantom DLL.

1. Persistence and Stealth: Because phantom DLLs seem real, they can be harder to find. They can continue to function for long stretches of time, enabling ongoing unauthorized access.
2. System Integrity Compromise: By introducing defects, errors, and crashes, the phantom DLL can cause the system to become unstable, which can impact the stability of the program as well as the system.
3. Abuse of Trust Relationship: Programs have faith in the DLLs they load. Using this trust, Phantom DLL Hijacking enables attackers to carry out actions that are legitimate and may result in serious security lapses.

Vulnerability Overview:

It was possible to confirm that the following software components are vulnerable to Phantom DLL hijacking through the next DLLs:

1.  MMXFax.exe, winfax.dll

2. MelSim2ComProc.exe and Sim2ComProc.dll

3. MMXCall_in.exe, libdxxmt.dll

4. MMXCall_in.exe, libsrlmt.dll

How do prevent DLL Hijacking?

The best defense against DLL hijacking begins with program developers who are able to provide the precise location of every DLL file, preventing Windows from utilizing the DLL search path protocol by default. Keeping anti-virus software updated is also crucial. Yes, it is often the case that DLL injection attempts remain undiscovered; nonetheless, a reliable antivirus program remains the first line of security, capable of blocking the majority of DLL hijack attempts. Pay special attention to your online safety. Check and scan your environment and network for vulnerabilities on a regular basis..Only when the compromised file enters the ecosystem—typically accidentally by an employee opening malware—can a Windows DLL takeover occur. A DLL attack can be stopped in its tracks by teaching staff members how to recognize the warning signals of phishing and social engineering attempts. Here are a few recommended security procedures:

• Establish and maintain an Information Security Policy.
• Refer suspicious emails to security personnel before opening or engaging.
• Enable a multi-factor authentication for logins.
• Implement a vendor risk-management solution.