Description
Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).
Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.
The Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in dlfcn.h in functions such as dlopen and dlsym. Although macOS can execute .so files, common practice uses .dylib files.(Citation: Apple Dev Dynamic Libraries)(Citation: Linux Shared Libraries)(Citation: RotaJakiro 2021 netlab360 analysis)(Citation: Unit42 OceanLotus 2017)
The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like LoadLibrary at run time.(Citation: Microsoft DLL)
Platforms
Mitigations (1)
Execution Prevention (M1038)
Identify and block potentially malicious software executed through this technique by using application control tools capable of preventing unknown modules from being loaded.
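The description above notes that the Linux and macOS loader will happily `dlopen()` a shared object from any local path, and the mitigation asks for unknown modules to be identified. The following is an added example, not code from the ATT&CK page: it parses the `/proc/<pid>/maps` format Linux exposes for every process and reports executable file-backed mappings that come from outside the usual library directories or whose backing file has been deleted. The trusted-directory list and the embedded maps sample are constructed assumptions; pass a real pid to audit a live process.

```python
"""Flag shared objects mapped into a process from untrusted paths (Linux)."""
import os
import re
import sys
from pathlib import Path

# Assumption: where legitimately installed shared objects normally live.
# Adjust to the distribution's actual library roots before relying on it.
TRUSTED_PREFIXES = ("/lib", "/lib64", "/usr/lib", "/usr/lib64",
                    "/usr/local/lib", "/opt")

# /proc/<pid>/maps line: address perms offset dev inode [pathname]
MAPS_RE = re.compile(r"^(\S+)\s+(\S{4})\s+\S+\s+\S+\s+(\d+)\s*(.*)$")

# Constructed sample of a maps file: one trusted libc, one .so under /tmp,
# one memfd-backed mapping whose file is gone, plus the vdso and the main exe.
SAMPLE_MAPS = """\
55d1c0000000-55d1c0001000 r-xp 00000000 fd:01 1234 /usr/bin/sshd
7f3a00000000-7f3a00020000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a00020000-7f3a00030000 r--p 00020000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a00100000-7f3a00110000 r-xp 00000000 fd:01 9999 /tmp/.cache/libupdate.so
7f3a00200000-7f3a00210000 r-xp 00000000 00:05 4242 /memfd:module (deleted)
7ffd00000000-7ffd00002000 r-xp 00000000 00:00 0 [vdso]
"""


def untrusted_modules(maps_text: str, exe_path: str) -> list[tuple[str, str]]:
    """Return (path, reason) for suspicious executable, file-backed mappings."""
    findings, seen = [], set()
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue
        perms, inode, path = m.group(2), m.group(3), m.group(4)
        # Only code pages backed by a real file matter ('x' set, non-zero inode);
        # skip anonymous maps, [vdso]-style pseudo files and the main executable.
        if "x" not in perms or inode == "0" or not path.startswith("/"):
            continue
        if path == exe_path or path in seen:
            continue
        seen.add(path)
        if path.endswith(" (deleted)"):
            findings.append((path, "backing file deleted after load"))
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append((path, "loaded from outside library directories"))
    return findings


def audit_pid(pid: int) -> list[tuple[str, str]]:
    """Audit a live process; needs permission to read its /proc entry."""
    proc = Path(f"/proc/{pid}")
    return untrusted_modules((proc / "maps").read_text(), os.readlink(proc / "exe"))


if __name__ == "__main__":
    hits = audit_pid(int(sys.argv[1])) if len(sys.argv) > 1 \
        else untrusted_modules(SAMPLE_MAPS, "/usr/bin/sshd")
    for path, reason in hits:
        print(f"{path}: {reason}")
```

Running it with a pid on a real host turns the same check into a quick triage step; an application-control policy that only allows loads from the trusted prefixes is the preventive counterpart.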
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has leveraged `LoadLibrary` to load DLLs.(Citation: Eset PlugX Korplug Mustang Panda March 2022... |
Associated Software (21)
| ID | Name | Type | Context |
|---|---|---|---|
| S0032 | gh0st RAT | Malware | [gh0st RAT](https://attack.mitre.org/software/S0032) can load DLLs into memory.(Citation: Gh0stRAT ATT March 2019) |
| S0203 | Hydraq | Malware | [Hydraq](https://attack.mitre.org/software/S0203) creates a backdoor through which remote attackers can load and call DLL functions.(Citation: Symante... |
| S0196 | PUNCHBUGGY | Malware | [PUNCHBUGGY](https://attack.mitre.org/software/S0196) can load a DLL using the LoadLibrary API.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
| S0603 | Stuxnet | Malware | [Stuxnet](https://attack.mitre.org/software/S0603) calls LoadLibrary then executes exports from a DLL.(Citation: Nicolas Falliere, Liam O Murchu, Eric... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) uses the LoadLibraryExW() function to load additional modules. (Citation: Cybereason Astaroth Feb ... |
| S1185 | LightSpy | Malware | [LightSpy](https://attack.mitre.org/software/S1185)'s main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to loa... |
| S0607 | KillDisk | Malware | [KillDisk](https://attack.mitre.org/software/S0607) loads and executes functions from a DLL.(Citation: Trend Micro KillDisk 1) |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) had used AutoIt to load and execute the DLL payload.(Citation: Fortinet Metamorfo Feb 2020) |
| S0673 | DarkWatchman | Malware | [DarkWatchman](https://attack.mitre.org/software/S0673) can load DLLs.(Citation: Prevailion DarkWatchman 2021) |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438)'s dispatcher can execute additional plugins by loading the respective DLLs.(Citation: ESET Attor Oct ... |
| S0661 | FoggyWeb | Malware | [FoggyWeb](https://attack.mitre.org/software/S0661)'s loader can call the `load()` function to load the [FoggyWeb](https://attack.mitre.org... |
| S1078 | RotaJakiro | Malware | [RotaJakiro](https://attack.mitre.org/software/S1078) uses dynamically linked shared libraries (`.so` files) to execute additional functionality using... |
| S0520 | BLINDINGCAN | Malware | [BLINDINGCAN](https://attack.mitre.org/software/S0520) has loaded and executed DLLs in memory during runtime on a victim machine.(Citation: US-CERT BL... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) can use `LoadLibrary` to attempt to execute GdiPlus.dll.(Citation: Medium Ali Salem Bumblebee Ap... |
| S0467 | TajMahal | Malware | [TajMahal](https://attack.mitre.org/software/S0467) has the ability to inject the `LoadLibrary` call template DLL into running processes.(C... |
| S0377 | Ebury | Malware | [Ebury](https://attack.mitre.org/software/S0377) is executed through hooking the keyutils.so file used by legitimate versions of `OpenSSH` and `libcur... |
| S0415 | BOOSTWRITE | Malware | [BOOSTWRITE](https://attack.mitre.org/software/S0415) has used the DWriteCreateFactory() function to load additional modules.(Citation: FireEye FIN7 O... |
| S0567 | Dtrack | Malware | [Dtrack](https://attack.mitre.org/software/S0567) contains a function that calls `LoadLibrary` and `GetProcAddress`.(Citation: C... |
| S0352 | OSX_OCEANLOTUS.D | Malware | For network communications, [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) loads a dynamic library (`.dylib` file) using `dlopen()` and o... |
| S0501 | PipeMon | Malware | [PipeMon](https://attack.mitre.org/software/S0501) has used a call to `LoadLibrary` to load its installer. [PipeMon](https://attack.mitre.org... |
References
- Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
- Apple. (2012, July 23). Overview of Dynamic Libraries. Retrieved September 7, 2023.
- Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- Microsoft. (2023, April 28). What is a DLL. Retrieved September 7, 2023.
- Wheeler, D. (2003, April 11). Shared Libraries. Retrieved September 7, 2023.
Frequently Asked Questions
What is T1129 (Shared Modules)?
T1129 is a MITRE ATT&CK technique named 'Shared Modules'. It belongs to the Execution tactic(s). Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom fu...
How can T1129 be detected?
Detection of T1129 (Shared Modules) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1129?
There is 1 documented mitigation for T1129: Execution Prevention.
Which threat groups use T1129?
Known threat groups using T1129 include: Mustang Panda.