Atom Silo Uses DLL Side-Loading to Deploy Ransomware

Written by

Security researchers have warned of a new ransomware variant leveraging a recently disclosed vulnerability for initial access and going to great lengths to evade detection.

Atom Silo is almost identical to the LockFile ransomware spotted spreading earlier this year by exploiting PetitPotam and ProxyShell vulnerabilities in Microsoft products, according to Sophos.

However, in Atom Silo’s case, the variant exploited a vulnerability in Atlassian’s Confluence collaboration software made public just three weeks before the attack.

Interestingly, the researchers discovered that a separate threat actor had exploited the same bug to deploy a coinminer (also called a cryptocurrency miner) on the victim organization’s system.

“For many organizations, keeping up with the pace of patching can be a challenge in the best of times — and the effects of lock-down and other recent stressors affecting staff availability are only making keeping up with patches more difficult,” said Sophos researchers Sean Gallagher and Vikas Singh.

“Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof-of-concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them.”

The ransomware actors also used “well-worn techniques in new ways, and made significant efforts to evade detection prior to launching the ransomware,” they argued.

Specifically, the intrusion began with an Object-Graph Navigation Language (OGNL) injection attack, which provided a backdoor via which they dropped and executed additional files for a second covert backdoor.

These files included a legitimate, signed executable from a third-party software provider that was vulnerable to an unsigned DLL side-load attack.

Sophos warned that such techniques are becoming increasingly common and challenging to defend against.

“Abuse of legitimate but vulnerable software components through DLL side-loading and other methods has long been a technique used by attackers with a wide range of capabilities, and it has filtered down to the affiliates of ransomware operators and other cyber-criminals,” the researchers explained.

“While abuse of some of these legitimate, signed components is well-enough known to defend against, the supply of alternative vulnerable executables is likely deep. Spotting legitimate executables that exist outside of the context of the products they are supposed to be part of requires vigilance — and vulnerability disclosure by the vendors they come from.”

Once the backdoor was loaded, the attackers proceeded to lateral movement, exfiltration and encryption, disrupting Sophos endpoint protection in the process via a malicious kernel driver to evade detection.

What’s hot on Infosecurity Magazine?