EXECUTIVE SUMMARY:
A vulnerability in Google Chrome is being actively exploited by cybercriminals using DLL side-loading techniques, enabling malicious code execution through trusted processes. This attack involves replacing the legitimate chrome_elf.dll file with a modified version, allowing stealthy multi-stage infections. The method has been widely shared in underground forums, making it accessible to a broader range of threat actors. With advanced evasion techniques and persistence mechanisms, the malware continues running even after Chrome is closed, posing a significant cybersecurity risk.
The attack is initiated when a user runs a seemingly legitimate Google Chrome process, which unknowingly loads a modified DLL. The malicious DLL facilitates process injection, enabling the attacker to launch secondary processes and replace trusted applications with harmful payloads. Despite Chrome being closed, the malware persists in the background, maintaining control of the system. Detection rates for this threat are alarmingly low, making it difficult for traditional security tools to identify. The malware, developed in the Nim programming language, effectively evades signature-based detection. It employs various evasion techniques such as anti-debugging and anti-sandbox measures, as well as dynamic API loading and memory manipulation tactics to execute its payload stealthily. The malware specifically targets functions like GetThreadContext, HeapAlloc, and CreateThread to enable covert code execution.
This DLL side-loading exploit poses a severe and long-lasting security threat, as it allows attackers to maintain access to compromised systems even after the browser is closed. To mitigate this risk, organizations should restrict the installation of vulnerable Chrome versions, implement DLL whitelisting and integrity checks, and deploy advanced endpoint detection and response (EDR) solutions. Continuous monitoring and updating of security tools, along with employee education on these risks, are also critical to defend against evolving attack techniques.
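A host-side check for the integrity-check mitigation recommended above, added here as an example and not part of the advisory: it validates the Authenticode signature and signer of every chrome_elf.dll found in the standard Chrome install locations and of the copy loaded by any running chrome.exe, and reports the ones that fail. The install paths and the expected signer string are assumptions.

```powershell
# Added detection example (not from the advisory). Assumes Chrome lives in one
# of the standard per-machine or per-user paths below and that a genuine
# chrome_elf.dll carries a valid Authenticode signature from the expected signer.
$ExpectedSigner = 'Google LLC'   # assumed signer subject fragment

function Test-ChromeElf {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = $signer
        Sha256     = $hash                # record for later comparison/IoC matching
        Suspicious = ($sig.Status -ne 'Valid') -or ($signer -notlike "*$ExpectedSigner*")
    }
}

# 1. On-disk copies: chrome_elf.dll sits in the versioned Application subfolder.
$roots = @("$env:ProgramFiles\Google\Chrome\Application",
           "${env:ProgramFiles(x86)}\Google\Chrome\Application",
           "$env:LOCALAPPDATA\Google\Chrome\Application")
$onDisk = foreach ($root in $roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'chrome_elf.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { Test-ChromeElf -Path $_.FullName }
    }
}

# 2. Loaded copies: a side-loaded DLL appears as a module of a live chrome.exe,
#    possibly from a path outside the install folder or with a broken signature.
$loaded = Get-Process -Name chrome -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $modules = try { $proc.Modules } catch { @() }   # access may be denied for some processes
    $modules | Where-Object { $_.ModuleName -ieq 'chrome_elf.dll' } | ForEach-Object {
        $result = Test-ChromeElf -Path $_.FileName
        if ($result) { $result | Add-Member -NotePropertyName ProcessId -NotePropertyValue $proc.Id -PassThru }
    }
}

# Only the findings that failed signature or signer validation are printed.
@($onDisk) + @($loaded) | Where-Object Suspicious |
    Format-Table ProcessId, Path, Status, Signer, Sha256 -AutoSize
```

Run it in an elevated session so the module list of every chrome.exe is readable; an empty result means every copy found was validly signed by the expected signer.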
THREAT PROFILE:
Tactic | Technique Id | Technique |
Initial Access | T1566 | Phishing |
Persistence | T1574 | Hijack Execution Flow |
Defense Evasion | T1055 | Process Injection |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Credential Access | T1003 | OS Credential Dumping |
Discovery | T1082 | System Information Discovery |
Discovery | T1057 | Process Discovery |
Lateral Movement | T1021 | Remote Services |
Collection | T1056 | Input Capture |
Command and Control | T1573 | Encrypted Channel |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
REFERENCES:
The following reports contain further technical details: