DLL Hijacking Attacks Now Target Apple APSDaemon Vulnerability To Spread CoinMiner

Attackers have long abused the Dynamic Link Libraries (DLLs) loaded by different applications as an intrusion vector. In a recent case, adversaries were seen attempting to infect victims with persistent miner and spyware malware via DLL hijacking.

Exploiting the APSDaemon vulnerability

The adversary abused flaws in legitimate applications from vendors including CrystalBit and Apple in a double DLL hijack attack chain.
  • In June 2020, attackers were seen exploiting APSDaemon, a DLL hijacking vulnerability in the Windows executable of Apple’s Push Notification service, as well as AnyToIso and CrystalBit, to infect victims with cryptomining malware.
  • This malware campaign starts with warez or file-sharing sites offering cracks for copyrighted software; these redirect users to a page that downloads a ZIP archive disguised as a setup file, key generator, or crack for a particular program. The executable inside this archive eventually loads a malicious DLL file.
  • Apple’s Push Notification service executable (APSDaemon.exe), when launched, does not verify that the AppleVersions.dll it loads is the legitimate library, which allows attackers to replace this DLL with a malicious version.

Recent DLL Hijacking

Several other attackers have used the DLL hijacking attack vector in their recent operations.
  • In May 2020, the Doubleguns Group was observed distributing configuration files and malware using DLL hijacking as one of its attack vectors. The attacker replaced the genuine photobase.dll file with a malicious version, targeting multiple underground game clients.
  • In the same month, the Naikon APT group targeted several government entities in the Asia Pacific (APAC) region with a new backdoor named Aria-body, abusing legitimate executables such as Outlook and the Avast proxy to load a malicious DLL.
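
As an added detection example (not code from the article, Apple, or any of the vendors named), the following Python script applies the two indicators described above, AppleVersions.dll loaded by APSDaemon.exe and photobase.dll loaded by a game client, to constructed records modelled on Sysmon Event ID 7 (Image Loaded) fields. The paths, the user name, the signer strings and the assumption that the genuine AppleVersions.dll is signed by Apple Inc. are mine.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed sample records modelled on Sysmon Event ID 7 (Image Loaded) fields;
# the paths, user name and signer strings are made up for this example.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\APSDaemon.exe;"
    "ImageLoaded=C:\\Program Files\\Common Files\\Apple\\Apple Application Support\\AppleVersions.dll;"
    "Signed=true;Signature=Apple Inc.",
    "Image=C:\\Users\\alice\\Downloads\\crack\\APSDaemon.exe;"
    "ImageLoaded=C:\\Users\\alice\\Downloads\\crack\\AppleVersions.dll;"
    "Signed=false;Signature=-",
    "Image=C:\\Games\\client\\game.exe;"
    "ImageLoaded=C:\\Games\\client\\photobase.dll;"
    "Signed=false;Signature=-",
    "Image=C:\\Windows\\System32\\svchost.exe;"
    "ImageLoaded=C:\\Windows\\System32\\ntdll.dll;"
    "Signed=true;Signature=Microsoft Windows",
]

# DLL names the article reports as hijacked -> signer assumed on the genuine file (None = unknown).
WATCHED_DLLS = {"appleversions.dll": "Apple Inc.", "photobase.dll": None}

# Directory prefixes an ordinary user can write to; a vendor installer would not place a DLL here.
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value;Key=Value' into a dict; values may themselves contain '='."""
    return dict(field.split("=", 1) for field in line.split(";") if "=" in field)


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (rule, loading_exe, dll_path) for image loads that look like sideloading."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        dll_path = ev.get("ImageLoaded", "")
        name = ntpath.basename(dll_path).lower()
        if name not in WATCHED_DLLS:
            continue  # only the libraries we are watching
        loader = ev.get("Image", "")
        if dll_path.lower().startswith(USER_WRITABLE):
            findings.append(("watched-dll-from-user-writable-dir", loader, dll_path))
        if ev.get("Signed", "").lower() != "true":
            findings.append(("watched-dll-unsigned", loader, dll_path))
        if WATCHED_DLLS[name] and ev.get("Signature") != WATCHED_DLLS[name]:
            findings.append(("watched-dll-signer-mismatch", loader, dll_path))
    return findings
```

Each rule fires independently, so a single suspicious load can produce several findings; the genuine Apple load in the first record produces none.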

Securing against DLL Hijacking

When loading libraries, developers should specify an absolute path rather than a relative path wherever possible, so that the loader does not pick up a substitute DLL from a directory an attacker can write to. Using a hardware firewall or a router firewall can help block such intrusion attempts.