Information

During an analysis of a targeted cyber-attack we found a malware utilizing a DLL Side-Loading (Binary Planting) vulnerability in Audinate’s Dante Discvoery.

During the incident, the malicious actor downloaded to the infected machines two files and place them under the same arbitrary directory:

  1. mDNSResponder.exe
    This is an executable that is signed and shipped by Zoom as part of its product installation. The file’s signature is valid. We confirmed the file appears on the latest version of Zoom Rooms installation as downloaded from Zoom’s website.

  2. dal_keepalives.dll
    A malicious DLL written by the malicious actors behind the attack.

When executing the legit and original mDNSResponder.exe, the executable will load the malicious DLL “dal_keepalives.dll”. This is because mDNSResponder.exe is vulnerable to DLL Sideloading attack. , that the executable is improperly specify how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker is using the valid and legitimate executable to load malicious files.



References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23748
https://www.audinate.com/learning/faqs/audinate-response-to-dante-discovery-mdnsresponder-exe-security-issue-cve-2022-23748