Atom Silo Uses DLL Side-Loading to Deploy Ransomware

Atom Silo Uses DLL Side-Loading to Deploy Ransomware

Security researchers have warned of a new ransomware variant leveraging a recently disclosed vulnerability for initial access and going to great lengths to evade detection.

360 Mobile Vision - North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

Atom Silo is almost identical to the LockFile ransomware spotted spreading earlier this year by exploiting PetitPotam and ProxyShell vulnerabilities in Microsoft products, according to Sophos.

However, in Atom Silo’s case, the variant exploited a vulnerability in Atlassian’s Confluence collaboration software made public just three weeks before the attack.

Interestingly, the researchers discovered that a separate threat actor had exploited the same bug to deploy a coinminer (also called a cryptocurrency miner) on the victim organization’s system.

“For many organizations, keeping up with the pace of patching can be a challenge in the best of times — and the effects of lock-down and other recent stressors affecting staff availability are only making keeping up with patches more difficult,” said Sophos researchers Sean Gallagher and Vikas Singh.

“Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them.”

The ransomware actors also used “well-worn techniques in new ways, and made significant efforts to evade detection prior to launching the ransomware,” they argued.

Specifically, the intrusion began with an Object-Graph Navigation Language (OGNL) injection attack, which provided a backdoor via which they dropped and executed additional files for a second covert backdoor.

These files included a legitimate, signed executable from a third-party software provider that was vulnerable to an unsigned DLL side-load attack.

Sophos warned that such techniques are becoming increasingly common and challenging to defend against.

“Abuse of legitimate but vulnerable software components through DLL side-loading and other methods has long been a technique used by attackers with a wide range of capabilities, and it has filtered down to the affiliates of ransomware operators and other cyber-criminals,” the researchers explained.

“While abuse of some of these legitimate, signed components is well-enough known to defend against, the supply of alternative vulnerable executables is likely deep. Spotting legitimate executables that exist outside of the context of the products they are supposed to be part of requires vigilance — and vulnerability disclosure by the vendors they come from.”

Once the backdoor was loaded, the attackers proceeded to lateral movement, exfiltration and encryption, disrupting Sophos endpoint protection in the process via a malicious kernel driver to evade detection.

By admin