Dll-Injection — CraftedSignal Threat Feed

GlassWorm Threat: DLL Injection and Chrome Hijacking

hello@craftedsignal.io — Tue, 17 Mar 2026 15:03:41 +0000

The GlassWorm threat involves sophisticated techniques like DLL injection and Chrome hijacking through COM abuse. Analysis confirms a full supply chain loop, indicating a well-coordinated and potentially widespread attack. The specifics of initial compromise and broader targeting remain unclear, but the technical capabilities displayed suggest a threat actor with significant resources and expertise. This threat necessitates immediate attention from detection engineering teams to identify and mitigate potential intrusions within their environments. The confirmation of a full supply chain loop also highlights the potential for widespread compromise affecting numerous downstream victims.

Attack Chain

Initial compromise occurs through an unidentified vector, potentially involving a supply chain attack.
The attacker establishes persistence on the system through an unknown method.
Malicious code is injected into a legitimate process using DLL injection.
The injected DLL targets Google Chrome.
The attacker abuses COM objects to hijack Chrome functionality.
The hijacked Chrome instance is used to steal user credentials and sensitive data.
Exfiltrated data is sent to attacker-controlled servers.
The attacker maintains a foothold for further exploitation or lateral movement.

Impact

A successful GlassWorm attack can lead to the compromise of sensitive data, including user credentials, financial information, and proprietary data. The Chrome hijacking aspect allows attackers to monitor user activity, intercept communications, and potentially inject malicious content into web pages. The confirmation of a full supply chain loop suggests the potential for a large number of victims, depending on the scope and duration of the attack. The sector impact is currently unknown, but any organization relying on Chrome for sensitive operations is at risk.

Recommendation

Monitor process creation events for suspicious DLL loads into Chrome processes using the “Detect Suspicious Chrome DLL Injection” Sigma rule.
Investigate any unusual COM object activity associated with Chrome, focusing on unexpected object creation or modification (leverage existing COM auditing capabilities, if available).
Analyze network traffic for unexpected data exfiltration patterns originating from Chrome processes.
Implement strong endpoint detection and response (EDR) solutions to detect and prevent DLL injection attempts.

Unsigned DLL Loaded by Svchost for Persistence and Privilege Escalation

hello@craftedsignal.io — Tue, 09 Jan 2024 18:30:00 +0000

Attackers may attempt to load malicious, unsigned DLLs into svchost.exe, a legitimate Windows service host process, to maintain persistence or escalate privileges. This technique abuses the shared service host process to execute arbitrary code with SYSTEM privileges. The svchost.exe process, which typically hosts multiple Windows services, can be targeted to load malicious DLLs from unusual file paths, potentially bypassing security measures that rely on code signing validation. This is especially concerning because svchost.exe is a trusted process, making detection more challenging. The loading of unsigned DLLs by svchost.exe from atypical directories is a strong indicator of potential malicious activity, as legitimate Windows services rarely load unsigned libraries from such locations.

Attack Chain

An adversary gains initial access to the system through an undisclosed method (e.g., exploitation of a vulnerability or social engineering).
The attacker creates a malicious, unsigned DLL on the compromised system in a non-standard directory like C:\ProgramData\.
The attacker modifies the Windows Registry to configure a service hosted by svchost.exe to load the malicious DLL. This often involves manipulating service dependencies or service parameters.
The system is restarted, or the targeted service is manually restarted, causing svchost.exe to load the specified DLL.
svchost.exe executes the code within the malicious DLL, now running with the privileges of the hosted service (typically SYSTEM).
The malicious DLL performs actions such as installing backdoors, escalating privileges further, or establishing command and control (C2) communication.
The attacker uses the established C2 channel to remotely control the compromised system, exfiltrate data, or perform other malicious activities.
The attacker maintains persistence on the system by ensuring the malicious DLL is loaded each time the service or system starts.

Impact

Successful exploitation allows attackers to gain persistent access to the compromised system with elevated (SYSTEM) privileges. This can lead to complete system compromise, data theft, installation of backdoors, and lateral movement within the network. The use of svchost.exe as a host for malicious DLLs makes detection more difficult, allowing attackers to operate undetected for extended periods.

Recommendation

Implement the provided Sigma rule to detect unsigned DLLs loaded by svchost.exe, focusing on the specified file paths and code signature status.
Examine dll.Ext.relative_file_creation_time to identify DLLs created shortly before being loaded to catch newly created malicious files.
Review and validate the legitimacy of all DLLs loaded by svchost.exe, focusing on those located in unusual paths.
Update endpoint detection and response (EDR) systems to specifically monitor for the loading of unsigned DLLs by system processes like svchost.exe.
Continuously update the exclusion list of known good DLL hashes to reduce false positives.

LSASS Loading Suspicious DLL

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

The Local Security Authority Subsystem Service (LSASS) is a critical Windows component that manages security policies and user authentication. Attackers often target LSASS to dump credentials, using techniques like injecting malicious DLLs. This detection focuses on identifying instances where LSASS loads a DLL that is either unsigned or not signed by a trusted vendor. The rule excludes known legitimate signatures and file hashes to reduce false positives. This activity is a strong indicator of credential access attempts, potentially leading to further compromise of the system and network. The signatures identified in the rule contain well-known software vendors like Microsoft, McAfee and Citrix.

Attack Chain

An attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).
The attacker elevates privileges to gain sufficient access to interact with the LSASS process.
The attacker drops a malicious DLL onto the system, often disguised as a legitimate file.
The attacker injects the malicious DLL into the LSASS process using techniques like Reflective DLL Injection.
LSASS loads the injected DLL, granting the attacker access to sensitive credentials stored in memory.
The malicious DLL dumps credentials, such as plaintext passwords or NTLM hashes.
The attacker uses the stolen credentials for lateral movement to other systems on the network.
The attacker achieves their final objective, such as data exfiltration or deploying ransomware.

Impact

Successful exploitation leads to credential compromise, allowing attackers to move laterally within the network, access sensitive data, and potentially achieve complete domain dominance. This can result in data breaches, financial losses, and reputational damage. The impact depends on the level of access associated with the compromised credentials.

Recommendation

Deploy the LSASS Loading Untrusted DLL Sigma rule to your SIEM to detect suspicious DLLs loaded by LSASS.
Investigate any alerts generated by the Sigma rule and review the loaded DLL’s code signature and hash.
Block the identified SHA256 hashes listed in the IOC table to prevent the execution of known malicious DLLs.
Implement application whitelisting to restrict which DLLs can be loaded into LSASS.
Enable Sysmon process creation and image load logging to provide the necessary data for detection.