Persistent malware WordDrone uses DLL Side-Loading to compromise Taiwan’s drone industry
A recent investigation by Acronis Threat Research Unit (TRU) has revealed a complex attack that used an old version of Microsoft Word as a conduit to install a persistent backdoor on infected systems.
WordDrone targets companies in Taiwan, especially those involved in drone manufacturing. The malware was found on systems belonging to companies in Taiwan’s growing drone sector, which has received significant government investment since 2022.
Taiwan’s strategic position in both the technological and military sectors likely made these organizations attractive targets for espionage or supply chain attacks.
DLL side-loading through Microsoft Word
The attackers use a technique known as DLL side-loading, dropping three files on the target system: a legitimate copy of Winword.exe from Microsoft Word 2010, a maliciously crafted wwlib.dll and a file with an arbitrary name and extension.
The legitimate Winword binary loads the malicious DLL, which acts as a loader for the actual payload stored, encrypted, in the randomly named file.
DLL side-loading abuses the way Windows applications locate the libraries they depend on. Winword.exe imports wwlib.dll and, in the old Word 2010 build the attackers ship, takes the copy found in its own directory without checking it, so placing a malicious DLL of that name next to a relocated copy of Winword.exe is enough to have a trusted, signed Microsoft binary run attacker code. The malicious wwlib.dll decrypts and executes the real payload from the separate encrypted file. Because the loader runs inside a legitimate, signed process, the activity is hard for traditional security tools to single out.
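A practical way to hunt for this pattern is to check module-load telemetry for the host-executable/DLL pair named above. The script below is an added example, not code from the Acronis report: it flags wwlib.dll being loaded by winword.exe from anywhere other than a real Office installation, and distinguishes the classic colocated side-load (DLL next to a relocated EXE) from a search-order hijack (EXE in place, DLL elsewhere). The Office install directories, the event dictionary layout and the sample events are assumptions constructed for the example; the path set should be adjusted to the estate being hunted.

```python
"""Hunt for winword.exe / wwlib.dll side-loading in module-load telemetry (added example)."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Assumption: where a genuine Office install lives on the hosts being hunted.
LEGIT_OFFICE_DIRS = (
    r"C:\Program Files\Microsoft Office",
    r"C:\Program Files (x86)\Microsoft Office",
)

# Trusted host EXE -> the DLL it is known to load from its own directory.
SIDELOAD_PAIRS = {"winword.exe": "wwlib.dll"}


def _under(path: str, roots) -> bool:
    """Case-insensitive 'path is inside one of roots' check on Windows paths."""
    p = PureWindowsPath(path).as_posix().lower()
    return any(p.startswith(PureWindowsPath(r).as_posix().lower() + "/") for r in roots)


def flag_sideload(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return a finding for one module-load event, or None if it looks benign.

    event = {"image": <process executable path>, "module": <loaded DLL path>}
    """
    image = PureWindowsPath(event["image"])
    module = PureWindowsPath(event["module"])
    expected_dll = SIDELOAD_PAIRS.get(image.name.lower())
    if expected_dll is None or module.name.lower() != expected_dll:
        return None  # not a host/DLL pair this rule covers
    if _under(str(module), LEGIT_OFFICE_DIRS):
        return None  # wwlib.dll served from the real install: expected
    colocated = module.parent.as_posix().lower() == image.parent.as_posix().lower()
    return {
        "host": str(image),
        "dll": str(module),
        "kind": "colocated side-load" if colocated else "search-order hijack",
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply flag_sideload to a batch of events and return the findings."""
    return [f for f in (flag_sideload(e) for e in events) if f is not None]


# Constructed sample telemetry (not real data): one benign load, two suspicious ones.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "module": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
    {"image": r"C:\ProgramData\ERPVendor\winword.exe",      # relocated old Winword
     "module": r"C:\ProgramData\ERPVendor\wwlib.dll"},      # malicious DLL beside it
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "module": r"C:\Users\Public\wwlib.dll"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['kind']}] {finding['host']} loaded {finding['dll']}")
```

Feeding this real Sysmon Event ID 7 (image loaded) data is a matter of mapping the `Image` and `ImageLoaded` fields onto the two keys; the same rule table can be extended with other side-load pairs once the benign install directories for each host binary are known.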
The attackers even digitally sign some of the malicious DLLs with code-signing certificates that had expired only recently. Security tools that treat any signed binary as trustworthy, without checking the certificate's validity period, will let these files through.
Once the side-load is triggered, a chain of stages unfolds. Execution starts in a shellcode stub that decompresses and injects a component named install.dll. That component establishes persistence and launches the next stage, ClientEndPoint.dll, which implements the core backdoor functionality.
Persistence is handled by install.dll, which supports three modes: install the host process as a Windows service, register it as a scheduled task, or inject the next stage directly without establishing any persistence. The first two keep the backdoor running across reboots; the third leaves no persistence artefact on the host.
The final stage begins with two preparatory tasks. First, the malware performs NTDLL unhooking: it loads a fresh copy of the NTDLL library and uses it in place of the one that security products may have hooked, so their inline hooks never see its calls. Second, it applies what the researchers call EDR silencing: it walks the process list looking for known Endpoint Detection and Response (EDR) agents and adds Windows Firewall block rules for every match, cutting the agents off from their management consoles so that telemetry and alerts never leave the host.
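EDR silencing of this kind leaves a durable artefact: a firewall rule whose program path points at a security agent. The script below is an added example (not from the report or from Acronis) that parses the output of `netsh advfirewall firewall show rule name=all verbose` and flags enabled Block rules aimed at known EDR executables. The sample output is constructed for the example, and the list of EDR process names is illustrative, not the list the malware uses.

```python
"""Detect firewall rules that silence EDR agents, from netsh advfirewall output (added example)."""
import re
from typing import Dict, List

# Assumption: an illustrative map of EDR agent executables to products. Extend for your estate.
EDR_PROCESSES = {
    "msmpeng.exe": "Microsoft Defender",
    "mssense.exe": "Microsoft Defender for Endpoint",
    "csfalconservice.exe": "CrowdStrike Falcon",
    "sentinelagent.exe": "SentinelOne",
}

# "Key:   value" lines as printed by netsh; the dashed separator lines do not match.
FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_netsh_rules(text: str) -> List[Dict[str, str]]:
    """Split netsh 'show rule' output into one dict per rule, keyed by field name."""
    rules: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Rule Name":          # every rule record starts with this field
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def find_edr_silencing(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return enabled Block rules whose Program is a known EDR executable."""
    findings = []
    for rule in rules:
        if rule.get("Action", "").lower() != "block":
            continue
        if rule.get("Enabled", "").lower() != "yes":
            continue
        program = rule.get("Program", "")
        exe = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in EDR_PROCESSES:
            findings.append({
                "rule": rule["Rule Name"],
                "product": EDR_PROCESSES[exe],
                "direction": rule.get("Direction", "?"),
                "program": program,
            })
    return findings


# Constructed sample (not captured from a real host): one benign rule, two silencing rules.
SAMPLE_NETSH = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Action:                               Allow
Program:                              C:\Windows\system32\svchost.exe

Rule Name:                            Windows Update
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Action:                               Block
Program:                              C:\Program Files\Windows Defender\MsMpEng.exe

Rule Name:                            a3f1
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Action:                               Block
Program:                              C:\Program Files\CrowdStrike\CSFalconService.exe
"""

if __name__ == "__main__":
    for f in find_edr_silencing(parse_netsh_rules(SAMPLE_NETSH)):
        print(f"rule '{f['rule']}' blocks {f['product']} ({f['direction']}): {f['program']}")
```

Note the innocuous-looking rule name "Windows Update" in the sample: matching on the program path rather than the rule name is what makes the check robust, since the attacker controls the name. The same logic can be run over `Get-NetFirewallRule` output exported to text, or scheduled as a periodic integrity check that alerts when a new Block rule references an agent binary.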
One of the more advanced aspects of the malware is its Command-and-Control (C2) handling. The C2 configuration is embedded in the binary and includes a time-based schedule: a bit array with one bit for each of the 168 hours of the week. The malware only attempts to contact the C2 server during hours whose bit is set, which confines its beaconing to whatever windows the operators chose.
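The schedule is a compact format that an analyst will want to decode from a recovered configuration and, conversely, build when emulating the implant in a lab. The code below is an added example, not the malware's code or anything published by Acronis: it packs and unpacks a 168-bit, 21-byte week schedule and renders it as readable per-day ranges. The bit layout (index = weekday * 24 + hour, Monday = 0, least-significant bit first within each byte) is an assumption chosen for the example; the real sample's ordering must be confirmed from its config parser.

```python
"""Encode, decode and query a 168-bit weekly beaconing schedule (added example)."""
from datetime import datetime
from typing import List, Set, Tuple

HOURS_PER_WEEK = 7 * 24            # 168 bits
SCHEDULE_BYTES = HOURS_PER_WEEK // 8  # 21 bytes
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def hour_index(weekday: int, hour: int) -> int:
    """Bit index of (weekday, hour). Assumption: Monday = 0, matching datetime.weekday()."""
    if not (0 <= weekday < 7 and 0 <= hour < 24):
        raise ValueError("weekday must be 0..6 and hour 0..23")
    return weekday * 24 + hour


def hour_active(schedule: bytes, weekday: int, hour: int) -> bool:
    """True if the bit for this hour is set. Assumption: LSB-first within each byte."""
    if len(schedule) != SCHEDULE_BYTES:
        raise ValueError(f"schedule must be {SCHEDULE_BYTES} bytes")
    idx = hour_index(weekday, hour)
    return bool((schedule[idx // 8] >> (idx % 8)) & 1)


def should_beacon(schedule: bytes, when: datetime) -> bool:
    """Would the implant try to reach C2 at this moment?"""
    return hour_active(schedule, when.weekday(), when.hour)


def build_schedule(active: Set[Tuple[int, int]]) -> bytes:
    """Pack a set of (weekday, hour) pairs into the 21-byte bit array."""
    buf = bytearray(SCHEDULE_BYTES)
    for weekday, hour in active:
        idx = hour_index(weekday, hour)
        buf[idx // 8] |= 1 << (idx % 8)
    return bytes(buf)


def decode_schedule(schedule: bytes) -> Set[Tuple[int, int]]:
    """Inverse of build_schedule."""
    return {(i // 24, i % 24) for i in range(HOURS_PER_WEEK)
            if hour_active(schedule, i // 24, i % 24)}


def describe_schedule(schedule: bytes) -> List[str]:
    """Render the schedule as per-day hour ranges, e.g. 'Mon 09:00-18:00'."""
    lines = []
    for weekday in range(7):
        hours = [h for h in range(24) if hour_active(schedule, weekday, h)]
        if not hours:
            continue
        ranges, start, prev = [], hours[0], hours[0]
        for h in hours[1:]:
            if h == prev + 1:
                prev = h
                continue
            ranges.append((start, prev))
            start = prev = h
        ranges.append((start, prev))
        spans = ", ".join(f"{a:02d}:00-{b + 1:02d}:00" for a, b in ranges)
        lines.append(f"{DAYS[weekday]} {spans}")
    return lines


# Constructed example: beacon only Monday to Friday, 09:00 to 18:00 local time.
BUSINESS_HOURS = {(wd, h) for wd in range(5) for h in range(9, 18)}

if __name__ == "__main__":
    sched = build_schedule(BUSINESS_HOURS)
    print(sched.hex())
    for line in describe_schedule(sched):
        print(line)
    print("beacon now:", should_beacon(sched, datetime.now()))
```

When decoding a real configuration, try both bit orders and both week-start conventions and keep the one that yields a plausible human pattern (contiguous working hours rather than scattered single bits); the pattern itself is useful intelligence about the operators' time zone.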
The malware supports multiple transport protocols: TCP, TLS, HTTP, HTTPS and WebSocket. Once a channel is established, it can receive further commands or payloads from the C2 server. Messages use a modified binary format, which makes the traffic harder to detect and analyze.
The initial entry vector remains unclear, but the researchers noted that the first malicious files were found in the installation folder of popular Taiwanese ERP software. This raises the possibility of a supply chain attack in which the ERP software itself was compromised to spread the malware.