
Security experts have disclosed details of an active malware campaign that’s exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers.
“Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (which they often rename) to execute their code,” Trellix said in a report shared with The Hacker News. “This DLL side-loading technique allows the malware to bypass traditional signature-based security defenses.”
The campaign has been observed distributing a wide assortment of malware, such as Agent Tesla, CryptBot, Formbook, Lumma Stealer, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
Targets of the malicious activity include employees in finance, procurement, supply chain, and administration roles within commercial and industrial sectors like oil and gas and import and export, with lures written in Arabic, Spanish, Portuguese, Farsi, and English, suggesting the attacks are restricted to a specific region.
The attack hinges on placing a malicious version of the DLL in the same directory as the vulnerable binary, taking advantage of the fact that it’s susceptible to search order hijacking to execute the contents of the rogue DLL instead of its legitimate counterpart, granting the threat actor code execution capabilities. The “ahost.exe” executable used in the campaign is signed by GitKraken and is typically distributed as part of GitKraken’s Desktop application.
An analysis of the artifact on VirusTotal reveals that it’s distributed under dozens of names, including, but not limited to, “RFQ_NO_04958_LG2049 pdf.exe,” “PO-069709-MQ02959-Order-S103509.exe,” “23RDJANUARY OVERDUE.INV.PDF.exe,” “sales contract po-00423-025_pdf.exe,” and “Fatura da DHL.exe,” indicating the use of invoice and request for quote (RFQ) themes to trick users into opening it.
“This malware campaign highlights the growing threat of DLL sideloading attacks that exploit trusted, signed utilities like GitKraken’s ahost.exe to bypass security defenses,” Trellix said. “By leveraging legitimate software and abusing its DLL loading process, threat actors can stealthily deploy powerful malware such as XWorm and DCRat, enabling persistent remote access and data theft.”
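As an added example that is not part of the Trellix report or this article, the following Python scores Sysmon-style image-load records for the pattern described above: libcares-2.dll loaded by a signed, possibly renamed ahost.exe running from a staging folder under a lure-style name. The field names follow Sysmon Event ID 7 plus a ProcessOriginalFileName joined from the process-creation event; the staging-folder list, install path, user name and version string are assumptions, and all sample records are constructed.

```python
"""Score Sysmon-style image-load records for the ahost.exe / libcares-2.dll side-loading pattern.

Added example, not code from the Trellix report. Fields mimic Sysmon Event ID 7 (Image loaded),
plus ProcessOriginalFileName taken from the loading process's Event ID 1 record. All paths,
user names and version strings below are constructed sample values.
"""
import ntpath

TARGET_DLL = "libcares-2.dll"
HOST_ORIGINAL_NAME = "ahost.exe"
# Assumption: folders where phishing attachments are typically staged (not stated on the page).
STAGING_MARKERS = ("\\temp\\", "\\downloads\\", "\\desktop\\")
LURE_SUFFIX = "pdf.exe"  # double extension used by the campaign's lure file names


def suspicious_reasons(ev: dict) -> list[str]:
    """Return why an image-load record looks like the side-loading pattern; empty means benign."""
    dll, proc = ev["ImageLoaded"], ev["Image"]
    if ntpath.basename(dll).lower() != TARGET_DLL:
        return []  # only libcares-2.dll loads are of interest
    reasons = []
    proc_name = ntpath.basename(proc).lower()
    # The DLL bundled with GitKraken is signed; a dropped replacement normally is not.
    if not ev.get("Signed") or ev.get("SignatureStatus") != "Valid":
        reasons.append("libcares-2.dll is unsigned or its signature is not valid")
    # Renaming ahost.exe does not change the OriginalFileName in its version resource.
    if ev.get("ProcessOriginalFileName", "").lower() == HOST_ORIGINAL_NAME and proc_name != HOST_ORIGINAL_NAME:
        reasons.append(f"signed ahost.exe renamed to {ntpath.basename(proc)}")
    if any(marker in proc.lower() for marker in STAGING_MARKERS):
        reasons.append("host executable runs from a user-writable staging folder")
    if proc_name.endswith(LURE_SUFFIX):
        reasons.append("double-extension lure file name")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (process path, reasons) for every record that triggers at least one indicator."""
    return [(ev["Image"], r) for ev in events if (r := suspicious_reasons(ev))]


SAMPLE_EVENTS = [  # constructed records
    {"Image": r"C:\Users\alice\AppData\Local\gitkraken\app-1.0.0\ahost.exe",  # benign GitKraken load
     "ImageLoaded": r"C:\Users\alice\AppData\Local\gitkraken\app-1.0.0\libcares-2.dll",
     "Signed": True, "SignatureStatus": "Valid", "ProcessOriginalFileName": "ahost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\RFQ_NO_04958_LG2049 pdf.exe",  # renamed host + rogue DLL
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libcares-2.dll",
     "Signed": False, "SignatureStatus": "Unavailable", "ProcessOriginalFileName": "ahost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ws2_32.dll",
     "Signed": True, "SignatureStatus": "Valid", "ProcessOriginalFileName": "svchost.exe"},  # ignored
]

if __name__ == "__main__":
    for image, why in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(why))
```

Each indicator alone is weak; the signature check plus the renamed-host check together are the strongest pairing, since a legitimate GitKraken install triggers neither.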
The disclosure comes as Trellix also reported a surge in Facebook phishing scams employing the Browser-in-the-Browser (BitB) technique to simulate a Facebook authentication screen and deceive unsuspecting users into entering their credentials. This works by creating a fake pop-up within the victim’s legitimate browser window using an iframe element, making it virtually impossible to differentiate between a genuine and bogus login page.
“The attack often starts with a phishing email, which may be disguised as a communication from a law firm,” researcher Mark Joseph Marti said. “This email typically contains a fake legal notice regarding an infringing video and includes a hyperlink disguised as a Facebook login link.”
As soon as the victim clicks on the shortened URL, they are redirected to a phony Meta CAPTCHA prompt designed to trick them into entering their credentials.