GlassWorm Threat: DLL Injection and Chrome Hijacking
The GlassWorm threat involves DLL injection and Chrome hijacking via COM abuse, confirming a full supply chain loop, potentially leading to data theft and system compromise.
The GlassWorm threat involves sophisticated techniques like DLL injection and Chrome hijacking through COM abuse. Analysis confirms a full supply chain loop, indicating a well-coordinated and potentially widespread attack. The specifics of initial compromise and broader targeting remain unclear, but the technical capabilities displayed suggest a threat actor with significant resources and expertise. This threat necessitates immediate attention from detection engineering teams to identify and mitigate potential intrusions within their environments. The confirmation of a full supply chain loop also highlights the potential for widespread compromise affecting numerous downstream victims.
Attack Chain
- Initial compromise occurs through an unidentified vector, potentially involving a supply chain attack.
- The attacker establishes persistence on the system through an unknown method.
- Malicious code is injected into a legitimate process using DLL injection.
- The injected DLL targets Google Chrome.
- The attacker abuses COM objects to hijack Chrome functionality.
- The hijacked Chrome instance is used to steal user credentials and sensitive data.
- Exfiltrated data is sent to attacker-controlled servers.
- The attacker maintains a foothold for further exploitation or lateral movement.
Impact
A successful GlassWorm attack can lead to the compromise of sensitive data, including user credentials, financial information, and proprietary data. The Chrome hijacking aspect allows attackers to monitor user activity, intercept communications, and potentially inject malicious content into web pages. The confirmation of a full supply chain loop suggests the potential for a large number of victims, depending on the scope and duration of the attack. The sector impact is currently unknown, but any organization relying on Chrome for sensitive operations is at risk.
Recommendation
- Monitor process and image-load events for suspicious DLL loads into Chrome processes using the “Detect Suspicious Chrome DLL Injection” Sigma rule.
- Investigate any unusual COM object activity associated with Chrome, focusing on unexpected object creation or modification (leverage existing COM auditing capabilities, if available).
- Analyze network traffic for unexpected data exfiltration patterns originating from Chrome processes.
- Implement strong endpoint detection and response (EDR) solutions to detect and prevent DLL injection attempts.
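As an added example (not the platform's Sigma rules or any GlassWorm artefact), the first two recommendations expressed as plain-Python triage logic over Sysmon-style telemetry: image loads (Event ID 7) into chrome.exe from user-writable paths or without a valid signature, and registry writes (Event ID 13) by Chrome to COM server registration keys. Field names follow Sysmon; the user-writable directory list and the paths and CLSID in the sample events are constructed placeholders.

```python
import re
from typing import Optional

# User-writable locations a legitimate Chrome never loads code from (assumed list).
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# COM server registration keys; chrome.exe has no business writing these.
COM_SERVER_KEY = re.compile(r"\\clsid\\\{[0-9a-f-]+\}\\(inprocserver32|localserver32)", re.I)

def is_chrome(image: str) -> bool:
    return image.lower().endswith("\\chrome.exe")

def check_image_load(event: dict) -> Optional[str]:
    """Sysmon Event ID 7 (ImageLoad) into chrome.exe: reason if suspicious, else None."""
    if event.get("EventID") != 7 or not is_chrome(event.get("Image", "")):
        return None
    loaded = event.get("ImageLoaded", "").lower()
    if any(d in loaded for d in WRITABLE_DIRS):
        return "dll loaded from user-writable path"
    if str(event.get("Signed", "false")).lower() != "true":
        return "unsigned dll"
    return None

def check_com_registration(event: dict) -> Optional[str]:
    """Sysmon Event ID 13 (RegistryEvent SetValue) by chrome.exe on a COM server key."""
    if event.get("EventID") != 13 or not is_chrome(event.get("Image", "")):
        return None
    if COM_SERVER_KEY.search(event.get("TargetObject", "")):
        return "com server registration written by chrome"
    return None

def triage(events: list) -> list:
    """Run both checks over a batch; return (EventID, reason, object) per finding."""
    findings = []
    for ev in events:
        reason = check_image_load(ev) or check_com_registration(ev)
        if reason:
            findings.append((ev["EventID"], reason, ev.get("ImageLoaded") or ev.get("TargetObject")))
    return findings

# Constructed sample telemetry (placeholder paths and CLSID, not real indicators).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
COM_KEY = r"HKU\S-1-5-21-1\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\Users\alice\AppData\Roaming\update\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": CHROME, "ImageLoaded": r"C:\ProgramData\vendor\hook.dll", "Signed": "false"},
    {"EventID": 13, "Image": CHROME, "TargetObject": COM_KEY},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "TargetObject": COM_KEY},
]
```

Running triage(SAMPLE_EVENTS) flags the AppData load, the unsigned ProgramData load and Chrome's COM key write, while the signed system DLL and explorer.exe's write pass; the same COM write by a non-Chrome process is deliberately out of scope here and belongs to a separate rule.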
Detection coverage (2 rules)
Detect Suspicious Chrome DLL Injection
Severity: high. Detects suspicious DLL injection into Chrome processes, indicating potential hijacking attempts.
Detect Suspicious Chrome COM Object Creation
Severity: medium. Detects suspicious COM object creation by Chrome processes, indicating potential COM abuse.