CVE-2022-23748: CVE-2022-23748

mDNSResponder.exe is vulnerable to a DLL sideloading attack. The executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker could use the valid and legitimate executable to load malicious files.


Information

During an analysis of a targeted cyber-attack we found malware utilizing a DLL side-loading (binary planting) vulnerability in Audinate's Dante Discovery.

During the incident, the malicious actor downloaded two files to the infected machines and placed them under the same arbitrary directory:

  1. mDNSResponder.exe
    This is an executable that is signed and shipped by Zoom as part of its product installation. The file's signature is valid. We confirmed the file appears in the latest version of the Zoom Rooms installation as downloaded from Zoom's website.

  2. dal_keepalives.dll
    A malicious DLL written by the malicious actors behind the attack.

When the legitimate, original mDNSResponder.exe is executed, it loads the malicious DLL "dal_keepalives.dll". This is because mDNSResponder.exe is vulnerable to a DLL sideloading attack: the executable improperly specifies how to load the DLL, from which folder and under what conditions. In these scenarios, a malicious attacker uses the valid and legitimate executable to load malicious files.
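
As an added defender-side example (not part of this advisory or of Audinate's or Zoom's material), the PowerShell hunt below looks for the file pairing described above: it walks a set of user-writable roots, finds copies of mDNSResponder.exe, verifies their Authenticode status, and flags any DLL sitting in the same directory that is unsigned, has an invalid signature, or carries the dal_keepalives.dll name reported in this incident. The scan roots and the output fields are assumptions chosen for illustration; the two file names come from this advisory.

```powershell
# Added example: hunt for DLLs planted beside a signed mDNSResponder.exe.
# The scan roots below are assumptions (common user-writable locations);
# adjust them to the environment. File names come from the advisory.
param(
    [string[]] $Roots = @("$env:ProgramData", "$env:LOCALAPPDATA", "$env:TEMP", "$env:PUBLIC"),
    [string]   $ExeName = 'mDNSResponder.exe',
    [string[]] $KnownBadDlls = @('dal_keepalives.dll')
)

$findings = @()

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    Get-ChildItem -LiteralPath $root -Recurse -Filter $ExeName -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $exe    = $_
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName

        # Every DLL sharing the executable's directory is a sideloading candidate:
        # the executable resolves the DLL by name from its own folder.
        Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll' -File -ErrorAction SilentlyContinue |
          ForEach-Object {
            $dll    = $_
            $dllSig = Get-AuthenticodeSignature -FilePath $dll.FullName
            $nameHit = $KnownBadDlls -contains $dll.Name

            # Legitimate vendor DLLs next to the executable should carry a valid
            # signature; an unsigned or tampered DLL is what the planted file looks like.
            if ($nameHit -or $dllSig.Status -ne 'Valid') {
                $findings += [pscustomobject]@{
                    Executable   = $exe.FullName
                    ExeSigStatus = $exeSig.Status
                    ExeSigner    = $exeSig.SignerCertificate.Subject
                    Dll          = $dll.FullName
                    DllSigStatus = $dllSig.Status
                    DllSigner    = $dllSig.SignerCertificate.Subject
                    Sha256       = (Get-FileHash -LiteralPath $dll.FullName -Algorithm SHA256).Hash
                    Reason       = if ($nameHit) { 'DLL name matches advisory' } else { 'unsigned or invalid DLL beside signed executable' }
                }
            }
          }
      }
}

if ($findings.Count -eq 0) {
    Write-Output "No sideloading candidates found under: $($Roots -join ', ')"
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session so the scan can read every root. A hit where the executable's signature is valid but the neighbouring DLL is not is exactly the pattern this advisory describes; the SHA256 column is there so the DLL can be preserved and compared against the incident's indicators before the host is cleaned.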

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23748

Related news

Chinese 'Stayin' Alive' Attacks Dance Onto Targets With Dumb Malware

A sophisticated APT known as "ToddyCat," sponsored by Beijing, is cleverly using unsophisticated malware to keep defenders off their trail.

CVE-2022-23748: Audinate Response to Dante Discovery (mDNSResponder.exe) Security Issue (CVE-2022-23748) | Audinate | FAQs
