Persistent malware WordDrone exploits DLL Side-Loading to compromise Taiwan's drone industry


A recent investigation by Acronis Threat Research Unit (TRU) has revealed an intricate attack that used an old version of Microsoft Word as a conduit for installing a persistent backdoor on infected systems.

WordDrone focuses on companies in Taiwan, particularly those involved in the drone manufacturing industry. The investigation revealed that the malware had been installed on systems in companies working in Taiwan's growing drone industry, which has seen significant government investment since 2022.

Taiwan's strategic position in both the technological and military sectors likely made these organizations attractive targets for espionage or supply chain attacks.

Microsoft Word vulnerabilities

The attackers use a technique known as DLL side-loading to install malware through a compromised version of Microsoft Word 2010. The attack drops three primary files on the target system: a legitimate copy of Winword (the Microsoft Word executable), a maliciously crafted wwlib.dll, and a file with a random name and extension.

The legitimate Winword application is used to side-load the malicious DLL, which serves as a loader for the actual payload hidden within the encrypted random-named file.

DLL side-loading is a technique that abuses how Windows applications locate and load libraries. In this case, the attackers take advantage of an older version of Microsoft Word, which had a vulnerability allowing it to load a malicious DLL file disguised as a legitimate part of the Microsoft Office installation. The malicious wwlib.dll acts as a loader, decrypting and executing the actual malware payload hidden in another encrypted file. Because the malicious code runs inside a legitimate, signed Word process, this use of DLL side-loading makes it difficult for traditional security tools to detect the attack.
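A hunting check for the three-file pattern described above, added here as an example and not code from the Acronis report: it groups a file listing by directory and flags any folder that holds a winword.exe and wwlib.dll pair outside an expected Office install path, together with the other files sitting next to them. The listing, the ERP folder name and the allow-listed prefix are constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List

# Constructed sample listing (paths are hypothetical, not from the report).
SAMPLE_LISTING = [
    r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
    r"C:\Program Files\Microsoft Office\Office14\wwlib.dll",
    r"C:\ProgramData\ExampleERP\update\winword.exe",
    r"C:\ProgramData\ExampleERP\update\wwlib.dll",
    r"C:\ProgramData\ExampleERP\update\qk3vz81p.d4x",
]

# Directory prefixes where a winword.exe/wwlib.dll pair is expected (assumption).
EXPECTED_PREFIXES = (r"c:\program files\microsoft office",
                     r"c:\program files (x86)\microsoft office")


def group_by_directory(paths: List[str]) -> Dict[str, List[str]]:
    """Map each lower-cased directory to the lower-cased file names inside it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for raw in paths:
        p = PureWindowsPath(raw)
        groups[str(p.parent).lower()].append(p.name.lower())
    return groups


def find_sideload_triads(paths: List[str]) -> List[Dict[str, object]]:
    """Return one finding per directory holding the Word side-loading pair
    in a location where Office is not expected to be installed."""
    findings = []
    for directory, names in group_by_directory(paths).items():
        if "winword.exe" not in names or "wwlib.dll" not in names:
            continue
        if directory.startswith(EXPECTED_PREFIXES):
            continue  # a real Office install; not suspicious on its own
        # Any other co-located file is a candidate encrypted payload container.
        extras = sorted(n for n in names if n not in ("winword.exe", "wwlib.dll"))
        findings.append({"directory": directory, "extra_files": extras})
    return findings


if __name__ == "__main__":
    for f in find_sideload_triads(SAMPLE_LISTING):
        print(f"suspicious pair in {f['directory']}, co-located: {f['extra_files']}")
```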

The attackers go as far as digitally signing some of the malicious DLLs with certificates that had only recently expired. This tactic allows the malware to evade detection by security systems that fully trust signed binaries without checking the certificate's validity period.

Once the attack is triggered, a series of malicious actions unfold. The attack begins with the execution of a shellcode stub, which decompresses and self-injects a component known as install.dll. This component establishes persistence on the target system and initiates the next phase by executing ClientEndPoint.dll, which serves as the core of the backdoor functionality.

After installation, the malware prioritizes maintaining persistence on the infected system, utilizing the install.dll component to achieve this. This component supports three operational methods: installing the host process as a service, setting it up as a scheduled task, or injecting the next stage without establishing persistence. These options allow the malware to remain active and evade detection, ensuring it can continue its malicious activities even after the system reboots.

The final stage of the attack begins with two important tasks. First, the malware performs NTDLL unhooking, a technique used to remove hooks placed by security software. By loading a fresh instance of the NTDLL library, the malware ensures that no hooks can interfere with its malicious operations. Second, the malware uses a technique known as EDR silencing to neutralize popular Endpoint Detection and Response (EDR) tools. It scans the process list for known security tools and adds blocking rules to the Windows Firewall for any matches, cutting the agents off from their cloud back ends. This effectively disables the ability of security software to report or prevent further malicious activity.
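The EDR-silencing step leaves a visible artifact: an enabled outbound block rule whose program path points at a security agent. The following detection, added here as an example rather than code from the report, parses text shaped like `netsh advfirewall firewall show rule name=all verbose` output and flags such rules. The sample output, rule names, agent path and watch-list are constructed.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `netsh advfirewall firewall show rule name=all verbose`
# output: one benign allow rule and one block rule aimed at a (hypothetical) EDR sensor.
SAMPLE_RULES = """\
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              %SystemRoot%\\system32\\svchost.exe
Action:                               Allow

Rule Name:                            svchost update
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Program:                              C:\\Program Files\\ExampleEDR\\sensor.exe
Action:                               Block
"""

# Hypothetical watch-list: basenames of security-agent binaries deployed in the estate.
WATCHED_BINARIES = {"sensor.exe", "edragent.exe"}


def parse_rules(text: str) -> List[Dict[str, str]]:
    """Split netsh-style output into one dict per rule (keys lower-cased)."""
    rules: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue  # separator lines and blanks carry no field
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "rule name" and current:
            rules.append(current)
            current = {}
        current[key] = value
    if current:
        rules.append(current)
    return rules


def suspicious_block_rules(text: str) -> List[str]:
    """Names of enabled block rules whose program is a watched security binary."""
    hits = []
    for r in parse_rules(text):
        basename = r.get("program", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if (r.get("action", "").lower() == "block"
                and r.get("enabled", "").lower() == "yes"
                and basename in WATCHED_BINARIES):
            hits.append(r["rule name"])
    return hits
```

On a live host the same parser can be fed the real `netsh` output; a hit is worth correlating with the creating process, since an agent blocking itself is never legitimate.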

One of the more sophisticated aspects of the malware is its ability to communicate with a Command-and-Control (C2) server. The C2 configuration is embedded in the malware and drives a time-based schedule: a bit array in the configuration represents every hour of the week, and if the current hour is marked as active, the malware attempts to establish a connection with the C2 server.
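To show how such a weekly hour map works, here is an added example (not the malware's own code) that packs and queries a 168-bit schedule, one bit per hour of the week. The bit layout (bit i in byte i // 8, least-significant bit first, Monday as day 0) is an assumption; a defender who has recovered the real array can use the same decoder to predict beaconing windows and correlate them with proxy logs.

```python
from datetime import datetime
from typing import Iterable, List, Tuple

HOURS_PER_WEEK = 7 * 24          # 168 bits
SCHEDULE_BYTES = (HOURS_PER_WEEK + 7) // 8   # 21 bytes


def hour_index(weekday: int, hour: int) -> int:
    """Bit index of a week-hour. weekday 0 = Monday (datetime convention), hour 0-23."""
    if not (0 <= weekday < 7 and 0 <= hour < 24):
        raise ValueError("weekday must be 0-6 and hour 0-23")
    return weekday * 24 + hour


def is_active(schedule: bytes, weekday: int, hour: int) -> bool:
    """True if the bit for that hour is set (assumed layout: LSB-first per byte)."""
    if len(schedule) < SCHEDULE_BYTES:
        raise ValueError("schedule must hold at least 168 bits")
    i = hour_index(weekday, hour)
    return bool((schedule[i // 8] >> (i % 8)) & 1)


def build_schedule(active_hours: Iterable[Tuple[int, int]]) -> bytes:
    """Pack (weekday, hour) pairs into the 21-byte array; used here to construct test data."""
    buf = bytearray(SCHEDULE_BYTES)
    for weekday, hour in active_hours:
        i = hour_index(weekday, hour)
        buf[i // 8] |= 1 << (i % 8)
    return bytes(buf)


def active_windows(schedule: bytes) -> List[Tuple[int, int]]:
    """All (weekday, hour) pairs in which a beacon attempt would be made."""
    return [(d, h) for d in range(7) for h in range(24) if is_active(schedule, d, h)]


def should_beacon(schedule: bytes, now: datetime) -> bool:
    """The decision the implant would take at a given wall-clock time."""
    return is_active(schedule, now.weekday(), now.hour)


if __name__ == "__main__":
    # Constructed sample: Monday 09:00 and Friday 17:00 only.
    sample = build_schedule([(0, 9), (4, 17)])
    print(sample.hex(), active_windows(sample))
```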

The malware also supports multiple protocols for communication, including TCP, TLS, HTTP, HTTPS, and WebSocket. Once communication is established, the malware can receive additional commands or payloads from the C2 server. The custom binary format used in the communication makes the traffic more difficult to detect and analyze.

The initial access vector for the attack remains unclear, but investigators noted that the first appearance of malicious files was in the folder of a popular Taiwanese ERP software. This raised the possibility of a supply chain attack, where the attackers compromised the ERP software to distribute the malware.

Efosa Udinmwen
Freelance Journalist