DLL Hijacking Attacks Now Target Apple APSDaemon Vulnerability To Spread CoinMiner

Exploiting the APSDaemon vulnerability

• In June 2020, some hackers were seen exploiting APSDaemon, a DLL hijacking vulnerability in Apple’s Push Notification service Windows executable, as well as AnyToIso and CrystalBit to infect the victims with cryptomining malware.
• This new malware campaign starts with warez or file-sharing sites offering cracks for copyrighted software, that redirect users to a page that downloads a zip file disguised as a setup file, key generator, or crack for a particular software. This executable archive ZIP file eventually loads a malicious DLL file.
• Apple’s Push Notification service executable (APSDaemon.exe), when launched, does not check if the legitimate AppleVersions.dll is being loaded, which allows hackers to replace this DLL with a malicious version.

Recent DLL Hijacking 

• In May 2020, the Doubleguns Group was observed distributing configuration files and malware, by using DLL hijacking as one of the attack vectors. The attacker replaced the genuine photobase.dll file with a malicious version, thus targeting multiple underground game client software.
• Also in the same month, the Naikon APT group had targeted several government entities in the Asia Pacific (APAC) region by using a new backdoor named Aria-body, by taking advantage of legitimate executables such as Outlook and Avast proxy, to load a malicious DLL.

Securing against DLL Hijacking