Description
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from various environment variables and files, such as LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass) Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) Each platform's linker uses an extensive list of environment variables at different points in execution. These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions in the original library.(Citation: Baeldung LD_PRELOAD)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. On Linux, adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. For example, adversaries have used LD_PRELOAD to inject a malicious library into every descendant process of the sshd daemon, resulting in execution under a legitimate process. When the executing sub-process calls the execve function, for example, the malicious library’s execve function is executed rather than the system function execve contained in the system library on disk. This allows adversaries to Hide Artifacts from detection, as hooking system functions such as execve and readdir enables malware to scrub its own artifacts from the results of commands such as ls, ldd, iptables, and dmesg.(Citation: ESET Ebury Oct 2017)(Citation: Intezer Symbiote 2022)(Citation: Elastic Security Labs Pumakit 2024)
Hijacking dynamic linker variables may grant access to the victim process's memory, system/network resources, and possibly elevated privileges.
Platforms
Mitigations (2)
Operating System ConfigurationM1028
When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions.(Citation: Apple Developer Doco Hardened Runtime) Admins can add restrictions to applications by setting the s
Execution PreventionM1038
Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0143 | Aquatic Panda | [Aquatic Panda](https://attack.mitre.org/groups/G0143) modified the <code>ld.so</code> preload file in Linux environments to enable persistence for Wi... |
| G0106 | Rocke | [Rocke](https://attack.mitre.org/groups/G0106) has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and minin... |
| G0096 | APT41 | [APT41](https://attack.mitre.org/groups/G0096) has configured payloads to load via LD_PRELOAD.(Citation: Crowdstrike GTR2020 Mar 2020) |
Associated Software (7)
| ID | Name | Type | Context |
|---|---|---|---|
| S0601 | Hildegard | Malware | [Hildegard](https://attack.mitre.org/software/S0601) has modified /etc/ld.so.preload to intercept shared library import functions.(Citation: Unit 42 H... |
| S0394 | HiddenWasp | Malware | [HiddenWasp](https://attack.mitre.org/software/S0394) adds itself as a shared object to the LD_PRELOAD environment variable.(Citation: Intezer HiddenW... |
| S0658 | XCSSET | Malware | [XCSSET](https://attack.mitre.org/software/S0658) adds malicious file paths to the <code>DYLD_FRAMEWORK_PATH</code> and <code>DYLD_LIBRARY_PATH</code>... |
| S9024 | SPAWNCHIMERA | Malware | [SPAWNCHIMERA](https://attack.mitre.org/software/S9024) has been compiled as a Position Independent Executable (PIE) to use a third-party library for ... |
| S1105 | COATHANGER | Malware | [COATHANGER](https://attack.mitre.org/software/S1105) copies the malicious file <code>/data2/.bd.key/preload.so</code> to <code>/lib/preload.so</code>... |
| S1220 | MEDUSA | Malware | [MEDUSA](https://attack.mitre.org/software/S1220) can execute code through dynamic linker hijacking of the `LD_PRELOAD` library.(Citation: Google Clo... |
| S0377 | Ebury | Malware | When [Ebury](https://attack.mitre.org/software/S0377) is running as an OpenSSH server, it uses LD_PRELOAD to inject its malicious shared module in to ... |
References
- Apple Inc.. (2012, July 23). Overview of Dynamic Libraries. Retrieved March 24, 2021.
- baeldung. (2020, August 9). What Is the LD_PRELOAD Trick?. Retrieved March 24, 2021.
- Fitzl, C. (2019, July 9). DYLD_INSERT_LIBRARIES DYLIB injection in macOS / OSX. Retrieved March 26, 2020.
- Joakim Kennedy and The BlackBerry Threat Research & Intelligence Team. (2022, June 9). Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat. Retrieved March 24, 2025.
- Jon Gabilondo. (2019, September 22). How to Inject Code into Mach-O Apps. Part II.. Retrieved March 24, 2021.
- Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved June 15, 2020.
- Remco Sprooten and Ruben Groenewoud. (2024, December 11). Declawing PUMAKIT. Retrieved March 24, 2025.
- The Linux Documentation Project. (n.d.). Shared Libraries. Retrieved January 31, 2020.
- Timac. (2012, December 18). Simple code injection using DYLD_INSERT_LIBRARIES. Retrieved March 26, 2020.
- Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
Frequently Asked Questions
What is T1574.006 (Dynamic Linker Hijacking)?
T1574.006 is a MITRE ATT&CK technique named 'Dynamic Linker Hijacking'. It belongs to the Stealth, Execution tactic(s). Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynam...
How can T1574.006 be detected?
Detection of T1574.006 (Dynamic Linker Hijacking) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1574.006?
There are 2 documented mitigations for T1574.006. Key mitigations include: Operating System Configuration, Execution Prevention.
Which threat groups use T1574.006?
Known threat groups using T1574.006 include: Aquatic Panda, Rocke, APT41.