Everyday is lazarus.dayβ

Lazarus Group Uses the DLL Side-Loading Technique (2)

2024-01-23, Ahnlab


Through the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab SEcurity intelligence Center(ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique using legitimate applications in the initial access stage to achieve the next stage of their attack process. This blog post will cover the added DLL variants and their verification routine for the targets.
The Lazarus group is an APT group that targets South Korean companies, institutions, think tanks, and others. On January 12, 2024, a new legitimate program for DLL side-loading (T1574.002 Hijack Execution Flow: DLL side-loading), a technique commonly used by the Lazarus group to execute malware, was discovered through AhnLab Smart Defense (ASD).
The threat actor typically uses the DLL side-loading technique in the initial access and malware execution stages. This method saves a legitimate application and a malicious DLL in the same folder path so that the malicious DLL is …