Cymulate, the only end-to-end SaaS-based Breach and Attack Simulation (BAS) platform, announced it has discovered a method for attackers to run malicious code via Microsoft's Remote Desktop Protocol (RDP) using a technique called DLL Side-Loading. The executed code would bypass security controls.
On Windows, RDP sessions are run through MSTSC, which allows users to take control of a remote computer or virtual machine over a network connection. MSTSC relies on a DLL file (mstscax.dll) as one of its resources. However, Cymulate has identified that the Microsoft Terminal Services Client (MSTSC) delay-loads mstscax.dll in a way that can let attackers bypass security controls.
The executable explicitly loads mstscax.dll with no integrity checks to validate the library's code. An adversary can use this blind spot either by replacing mstscax.dll in the C:\Windows\System32 folder, which requires admin privileges, or by placing a malicious copy in an external folder, which does not require admin privileges, since mstsc.exe does not explicitly load the DLL from the System32 folder. This allows an adversary to execute malicious code in the context of the digitally signed mstsc.exe and therefore bypass security controls such as AppLocker. This technique is labeled DLL Side-Loading in the MITRE ATT&CK framework.
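As an added example (not part of the Cymulate announcement or its platform), the following Python flags the behaviour described above in image-load telemetry: the signed mstsc.exe loading mstscax.dll from a directory other than System32, an unsigned mstscax.dll in System32, or mstsc.exe itself running from an unexpected location. The event lines and their Sysmon-style field names (Image, ImageLoaded, Signed) are constructed for this example.

```python
import ntpath
import re
from typing import Dict, List

# Assumed names, not from the article: field names mirror Sysmon Event ID 7;
# the file and directory names are the ones the article discusses.
HOST_EXE = "mstsc.exe"
TARGET_DLL = "mstscax.dll"
SYSTEM32 = r"c:\windows\system32"

# One event per line as key=value pairs; values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample events (synthetic, not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=7 Image=C:\Windows\System32\mstsc.exe ImageLoaded=C:\Windows\System32\mstscax.dll Signed=true Signature=Microsoft Windows",
    r"EventID=7 Image=C:\Users\alice\Downloads\rdp\mstsc.exe ImageLoaded=C:\Users\alice\Downloads\rdp\mstscax.dll Signed=false Signature=",
    r"EventID=7 Image=C:\Windows\System32\mstsc.exe ImageLoaded=C:\Windows\System32\mstscax.dll Signed=false Signature=",
    r"EventID=7 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\mstscax.dll Signed=true Signature=Microsoft Windows",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def classify(event: Dict[str, str]) -> str:
    """Return 'ok', or a short reason why this image load looks like side-loading."""
    if event.get("EventID") != "7":
        return "ok"
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(image).lower() != HOST_EXE:
        return "ok"  # other hosts of mstscax.dll are out of scope here
    if ntpath.basename(loaded).lower() != TARGET_DLL:
        return "ok"
    if ntpath.dirname(loaded).lower() != SYSTEM32:
        return "mstscax.dll loaded from outside System32: " + loaded
    if event.get("Signed", "").lower() != "true":
        return "unsigned mstscax.dll in System32 (possible replacement): " + loaded
    if ntpath.dirname(image).lower() != SYSTEM32:
        return "mstsc.exe running from a non-standard location: " + image
    return "ok"

def scan(lines: List[str]) -> List[str]:
    """Return the reasons for every suspicious line, in order (empty if none)."""
    return [r for r in (classify(parse_event(line)) for line in lines) if r != "ok"]

if __name__ == "__main__":
    for reason in scan(SAMPLE_EVENTS):
        print("ALERT:", reason)
```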
Cymulate notified Microsoft about the vulnerability; Microsoft declined to patch it, stating that System32 requires admin privileges and the issue is therefore not a perceived threat.
First documented in May 2017, DLL side-loading has been exploited by several cybercriminal groups, including APT41 to deploy their malware, APT3 via Chrome, and APT32, which ran legitimately signed executables from Symantec and McAfee, as well as by the gh0st RAT and HTTPBrowser malware families.
“Enterprises need to be immediately made aware of this threat in order to mitigate attacks as it will bypass security controls,” said Cymulate’s CTO Avihai Ben-Yossef. “We have added this technique to our platform to ensure our customers optimize their security configurations ahead of attacker exploits. I would like to thank our research team for discovering this, especially Yoni Oren.”