Hackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware
Summary:
Trellix researchers have identified a widespread campaign where multiple threat actors are abusing a legitimate, signed executable named ahost[.]exe to deploy various malware payloads. This binary, a component of the GitKraken Desktop application, contains a DLL side-loading vulnerability involving the open-source c-ares library. Attackers exploit this by placing a malicious version of the DLL in the same directory as the legitimate ahost[.]exe. When the executable runs, it prioritizes the local malicious DLL over the legitimate system version, effectively granting the attackers code execution under the guise of a trusted, signed process.
The campaign has been observed distributing a wide array of commodity malware, including remote access trojans like XWorm, DCRat, Remcos, and Quasar, as well as information stealers such as Agent Tesla, Formbook, Lumma, and Vidar. The attacks primarily target employees in finance, procurement, and supply chain roles across the commercial and industrial sectors. Lures often mimic business correspondence, utilizing filenames related to invoices, purchase orders, or requests for quotes to trick users into executing the file. Because ahost[.]exe is digitally signed by GitKraken, the execution often evades traditional signature-based security defenses.
Security Officer Comments:
This research highlights the persistent danger of "Living off the Land" (LotL) and the abuse of trusted software supply chain components. The use of ahost[.]exe is particularly concerning because it serves as a generic "loader" that can be utilized by any threat actor who obtains the vulnerable binary and a compatible malicious DLL. This lowers the barrier to entry for deploying sophisticated evasion techniques.
The impact here is significant because reliance on static allowlisting creates a blind spot. If your organization uses GitKraken, or even if it doesn't, this binary may appear in your environment as part of a malicious drop. The fact that this technique is being used to deliver such a diverse "kitchen sink" of malware families suggests that this method is likely being sold or shared within the cybercriminal underground as a reliable evasion service.
Suggested Corrections:
Remediations from Trellix:
Behavioral detection: Advanced EDR tools employ behavioral detection to identify malicious activity. They monitor for suspicious patterns such as unusual DLL loads, abnormal process creation, and network traffic that may indicate a threat.
Application control: Through application control, strict allowlisting policies can be enforced to allow only trusted executables and their verified DLLs to run, thereby preventing unauthorized DLL side-loading.
Threat intelligence: Updated threat intelligence needs to be continuously integrated. This ensures timely awareness of emerging indicators linked to the malware campaigns.
Automated response: When suspicious activity is detected, automated workflows can swiftly contain the threat by quarantining compromised devices and shutting down malicious processes.
Endpoint hardening: Strengthening endpoint configurations by disabling obsolete DLL search paths, applying current software patches, and limiting user privileges reduces the overall attack surface.
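The side-loading mechanism described in the summary (a signed ahost[.]exe resolving a DLL from its own directory) and the "unusual DLL loads" behavioral detection listed above can be turned into a concrete rule. The following is an added example, not code from Trellix or GitKraken: it evaluates Sysmon-style Event ID 7 (Image Loaded) records using Sysmon's Image, ImageLoaded and Signed field names; the GitKraken install path, the DLL filename and every record value are constructed placeholders.

```python
# Added example: flag DLL side-loading by a signed ahost.exe in
# Sysmon-style Event ID 7 (Image Loaded) records. Field names follow
# Sysmon (Image, ImageLoaded, Signed); all record values are constructed.
import ntpath

# Assumed install location for GitKraken; set this to the real path in your fleet.
EXPECTED_INSTALL_DIRS = (r"c:\program files\gitkraken",)

# Constructed sample telemetry: one legitimate load from the install path,
# one malicious drop (unsigned DLL beside ahost.exe in a folder named like an
# invoice lure), and an unrelated process that the rule must ignore.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\GitKraken\ahost.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll", "Signed": "true"},
    {"Image": r"C:\Users\bob\Downloads\Invoice_8821\ahost.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\Invoice_8821\cares.dll", "Signed": "false"},
    {"Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
]

def _dir(path):
    # Case-insensitive parent directory, using Windows path rules on any host.
    return ntpath.dirname(path.lower())

def side_load_findings(events):
    """Return [(process_path, dll_path, [reasons])] for suspicious loads."""
    findings = []
    for ev in events:
        proc, dll = ev["Image"], ev["ImageLoaded"]
        if ntpath.basename(proc).lower() != "ahost.exe":
            continue
        reasons = []
        same_dir = _dir(dll) == _dir(proc)
        outside = not any(_dir(proc).startswith(d) for d in EXPECTED_INSTALL_DIRS)
        # A signed loader pulling in an unsigned module is the core signal.
        if ev.get("Signed", "false").lower() != "true":
            reasons.append("unsigned DLL loaded by signed ahost.exe")
        # A copy of ahost.exe dropped elsewhere that resolves a DLL from its own
        # directory matches the malicious-drop pattern rather than a real install.
        if outside and same_dir:
            reasons.append("DLL resolved from exe's own directory outside the install path")
        if reasons:
            findings.append((proc, dll, reasons))
    return findings

if __name__ == "__main__":
    for proc, dll, reasons in side_load_findings(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}: {'; '.join(reasons)}")
```

In production the same two checks map onto an EDR query over image-load telemetry; the application-control remediation above is what removes the hit entirely, because the dropped copy of ahost[.]exe would not be allowed to start.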
Link(s):
https://www.trellix.com/en-au/blogs/research/hiding-in-plain-sight-multi-actor-ahost-exe-attacks/