Skip to content
Threat Feed
high threat

Bitdefender Submission Wizard DLL Sideloading

Detection of potential DLL side-loading of Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe) via loading a malicious log.dll from a non-standard path.

This threat brief addresses the potential DLL side-loading attack targeting Bitdefender Submission Wizard (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe). The attack involves a malicious actor placing a rogue log.dll in a directory where the legitimate Bitdefender executable will load it, thus executing attacker-controlled code. This technique is associated with the Lotus Blossom group (G0065). The observed activity relies on exploiting the DLL search order to execute arbitrary code. Defenders should monitor for instances of BDSubmit.exe, bdsw.exe, or BluetoothService.exe loading log.dll from unexpected paths outside of standard installation directories such as "Program Files" or "Windows\System32".

Attack Chain

  1. The attacker gains initial access to the system (method unspecified in source).
  2. The attacker identifies a vulnerable executable, such as BDSubmit.exe or bdsw.exe.
  3. The attacker crafts a malicious log.dll.
  4. The attacker places the malicious log.dll in the same directory as the Bitdefender executable, or in a directory that takes precedence in the DLL search order.
  5. A user executes the legitimate Bitdefender Submission Wizard executable (BDSubmit.exe, bdsw.exe, or renamed BluetoothService.exe).
  6. The legitimate application attempts to load log.dll. Due to DLL side-loading, the malicious log.dll is loaded instead of the legitimate one.
  7. The malicious log.dll executes attacker-controlled code within the context of the Bitdefender Submission Wizard process.
  8. The attacker achieves code execution for persistence or privilege escalation.

Impact

Successful exploitation through DLL side-loading allows attackers to execute arbitrary code within a trusted process. This can lead to privilege escalation, persistence, and potentially complete system compromise. Specific impacts include unauthorized access to sensitive data, installation of malware, and lateral movement within the network. The Lotus Blossom group has been known to use similar techniques to deploy backdoors.

Recommendation

  • Enable Sysmon ImageLoad events (EventCode 7) to monitor DLL loading activity and ensure the Splunk Add-on for Sysmon is configured to parse them as described in the "how_to_implement" section.
  • Deploy the Sigma rule "Bitdefender Submission Wizard DLL Sideloading" to detect instances where log.dll is loaded from a non-standard path, and tune for your environment.
  • Investigate any alerts generated by the provided detection rule, focusing on the "dest" and "User" fields as described in the "drilldown_searches" section.
  • Monitor for the execution of BDSubmit.exe, bdsw.exe, or BluetoothService.exe from unusual locations or with unusual command-line arguments.
  • Review and harden DLL search order configurations to prevent side-loading attacks (T1574.002).

Detection coverage 2

Bitdefender Submission Wizard DLL Sideloading

high

Detects DLL side-loading of Bitdefender Submission Wizard by monitoring for log.dll loaded from non-standard paths.

sigma tactics: persistence, privilege_escalation techniques: T1574.002 sources: image_load, windows

Suspicious BluetoothService.exe Image Load

medium

Detects loading of DLLs by a renamed BluetoothService.exe from unusual locations.

sigma tactics: persistence, privilege_escalation techniques: T1574.002 sources: image_load, windows

Detection queries are available on the platform. Get full rules →