Cymulate Discovers Hidden Malware Defense Evasion Technique

April 21, 2020

Cymulate discovers hidden malware defense evasion technique using Microsoft Terminal Services Client (MSTSC).

A potential malware vector for hackers to exploit enterprise networks via a security-controls blind spot, disclosed at a critical time when billions of employees are working from home.

Cymulate, the only end-to-end SaaS-based Breach and Attack Simulation (BAS) platform, today announced it has discovered a method for attackers to run malicious code via Microsoft’s Remote Desktop Protocol (RDP) using a technique called DLL Side-Loading. The executed code would bypass security controls.

To run RDP, Windows uses the Microsoft Terminal Services Client (MSTSC), which allows users to take control of a remote computer or virtual machine over a network connection. MSTSC relies on a DLL file (mstscax.dll) as one of its resources. However, Cymulate has identified that MSTSC delay-loads mstscax.dll in a way that can let hackers bypass security controls. The executable explicitly loads “mstscax.dll” with no integrity checks to validate the library’s code. An adversary can use this blind spot either by replacing mstscax.dll in the C:\Windows\System32 folder, which requires admin privileges, or by copying the DLL to an external folder, which does not require admin privileges because mstsc.exe does not explicitly load the DLL from the System32 folder. This allows an adversary to execute malicious code in the context of the digitally signed mstsc.exe and therefore bypass security controls such as AppLocker. This technique is labelled DLL Side-Loading in the MITRE ATT&CK Framework.
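From a defender's side, the loading pattern described above can be checked in endpoint telemetry. The following Python is an added example (not Cymulate's or Microsoft's code) that flags Sysmon-style Event ID 7 (ImageLoad) records in which mstsc.exe or mstscax.dll runs from outside System32/SysWOW64, or in which the loaded mstscax.dll does not carry a valid Microsoft signature; the field names mirror Sysmon's Image, ImageLoaded, Signed, Signature and SignatureStatus, and the sample records are constructed.

```python
"""Flag suspicious mstscax.dll loads by mstsc.exe in Sysmon-style Event ID 7 records."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a legitimate mstsc.exe / mstscax.dll pair lives on a default install.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str             # process performing the load (Sysmon "Image")
    image_loaded: str      # DLL that was loaded (Sysmon "ImageLoaded")
    signed: bool           # Sysmon "Signed"
    signature: str         # Sysmon "Signature": signer name, empty if unsigned
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def _in_trusted_dir(path: str) -> bool:
    """True if the file's parent directory is System32 or SysWOW64 (case-insensitive)."""
    return str(PureWindowsPath(path).parent).lower() in TRUSTED_DIRS


def classify(ev: ImageLoad) -> list[str]:
    """Return reasons an mstscax.dll load looks side-loaded; an empty list means benign."""
    if PureWindowsPath(ev.image).name.lower() != "mstsc.exe":
        return []
    if PureWindowsPath(ev.image_loaded).name.lower() != "mstscax.dll":
        return []
    reasons = []
    if not _in_trusted_dir(ev.image):
        reasons.append("mstsc.exe running from outside System32/SysWOW64")
    if not _in_trusted_dir(ev.image_loaded):
        reasons.append("mstscax.dll loaded from outside System32/SysWOW64")
    if (not ev.signed or ev.signature_status.lower() != "valid"
            or "microsoft" not in ev.signature.lower()):
        reasons.append("mstscax.dll not validly signed by Microsoft")
    return reasons


def alerts(events) -> list[tuple[str, list[str]]]:
    """Pair each suspicious load with its reasons, skipping benign records."""
    return [(ev.image_loaded, r) for ev in events if (r := classify(ev))]


# Constructed sample records (not real telemetry): a benign load, a copy of the
# client and DLL in a user-writable folder, and a system-path DLL with a non-Microsoft signer.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\mstsc.exe", r"C:\Windows\System32\mstscax.dll",
              True, "Microsoft Windows", "Valid"),
    ImageLoad(r"C:\Users\alice\Downloads\mstsc.exe", r"C:\Users\alice\Downloads\mstscax.dll",
              False, "", "Unavailable"),
    ImageLoad(r"C:\Windows\System32\mstsc.exe", r"C:\Windows\System32\mstscax.dll",
              True, "Contoso Test Signing", "Valid"),
]

if __name__ == "__main__":
    for path, reasons in alerts(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```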

Cymulate has notified Microsoft about the vulnerability. Microsoft has declined to patch it, stating that System32 requires admin privileges and that it is therefore not a perceived threat.

Initially documented in May 2017, DLL side-loading has been exploited by several cybercriminal groups to deploy their malware, including APT41, APT3 via Chrome, APT32, which ran legitimately signed executables from Symantec and McAfee, gh0st RAT and HTTPBrowser.

“Enterprises need to be immediately made aware of this threat in order to mitigate attacks as it will bypass security controls,” said Cymulate’s CTO Avihai Ben-Yossef. “We have added this technique to our platform to ensure our customers optimize their security configurations ahead of attacker exploits. I would like to thank our research team for discovering this, especially Yoni Oren.”

Cymulate’s automated BAS offering empowers companies to easily understand their security posture at any given moment. Simulations of the latest threats in the wild can be run on-demand across the entire kill chain to test an organization’s security defenses and controls, providing actionable insights and data on where a company’s network is exposed. The platform has introduced new capabilities to validate that security controls protecting remote workers are optimally configured and that security policies for VPN-attached devices are enforced correctly.

About Cymulate
Cymulate is a SaaS-based breach and attack simulation platform that makes it simple to know and optimize your security posture any time, all the time and empowers companies to safeguard their business-critical assets. With just a few clicks, Cymulate challenges your security controls by initiating thousands of attack simulations, showing you exactly where you’re exposed and how to fix it—making security continuous, fast and part of every-day activities.