Threat Actors Leveraging Microsoft Applications via DLL SideLoading – Detection & Response


DLL (Dynamic-Link Library) sideloading is a technique in which Threat Actors abuse a legitimate, usually signed, application to load a malicious DLL that carries the name of a library the application expects. Because Windows searches the application's own directory before the system directories, the planted DLL is loaded in place of the genuine one. A recently published blog covered Qakbot malware that leverages the Windows Calculator (calc.exe) to perform DLL sideloading.

Similarly, we came across a Twitter post in which researchers described a document file that performs DLL sideloading through Microsoft applications such as “Teams.exe” and “OneDrive.exe.” The dropped DLL contains the C&C URL from which the malware retrieves a Cobalt Strike Beacon.

Cobalt Strike is a commercial penetration testing product that Threat Actors (TAs) abuse to deploy an agent named ‘Beacon’ on the victim machine. Beacon gives TAs command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, port scanning, and lateral movement.

Several TAs are actively using this tool, from ransomware operators to espionage-focused Advanced Persistent Threats (APTs).

Upon analyzing the malicious doc file, we observed that it targeted a company located in Italy that provides Credit Servicing, Fund and Asset Management, and Real Estate services. The figure below shows the content of the malicious document.

Technical Analysis

When the malicious document is opened, Word shows a security warning stating that macros have been disabled, and the document body lures the user into clicking “Enable Content.” Once content is enabled, the macro runs automatically in the background via the AutoOpen() function.

The macro then calls its process() function, which locates the OneDrive and Teams installation paths; the paths are stored base64-encoded in the macro. The figure below shows the VBA macro code with the decoded OneDrive and Teams paths.


If either application path exists on the machine, the macro drops a DLL into that directory under the name cache-XJDNSJWPFHD.tmp and then renames it to iphlpapi.dll in its EnableContent() function, as shown below.


When Teams is next launched, it sideloads the dropped iphlpapi.dll from its own directory, as shown below. iphlpapi.dll is the name of the legitimate Windows IP Helper library that normally resides in System32; because the application directory is searched first, the planted copy is loaded instead. The sideloaded DLL creates a mutex named “MSTeams.Synchronization.Primitive.2.0” to avoid running a second instance on the same machine, then communicates with its C&C server at the following URL: d2xiq5m2a8wmm4.cloudfront[.]net/communications.

While monitoring the malware's network traffic, Cyble observed C&C communication with the same URL mentioned above.


After analyzing the C&C URL d2xiq5m2a8wmm4.cloudfront[.]net/communications, we concluded that it serves a Cobalt Strike Beacon to the victim's machine.

Once running, the Cobalt Strike Beacon can be used for further malicious activity such as downloading additional payloads and lateral movement.
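As an added example, not from the original analysis or from the researchers it cites, the following Python script hunts on disk for the artifacts described above: it walks each user profile for the Teams\current and OneDrive directories the macro targets and reports any cache-*.tmp staging file or iphlpapi.dll found there, comparing each DLL's hash against the genuine System32 copy so a legitimate copy does not alert. The profile root, the sample files built by demo_tree() and the stand-in "genuine" bytes are assumptions for illustration; on a live host pass C:\Users and the hash of C:\Windows\System32\iphlpapi.dll.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Application directories the macro targets, relative to a user profile
# (the same paths the page's detection queries watch).
SIDELOAD_DIRS = (
    Path("AppData/Local/Microsoft/Teams/current"),
    Path("AppData/Local/Microsoft/OneDrive"),
)
# The staged file name (cache-<random>.tmp) and the final DLL name from the analysis.
DROP_NAME_RE = re.compile(r"^cache-[A-Z0-9]+\.tmp$", re.IGNORECASE)
DLL_NAME = "iphlpapi.dll"


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sideload_candidates(profiles_root, known_good_sha256=None):
    """Return (path, verdict, sha256) for every iphlpapi.dll or cache-*.tmp
    under the Teams/OneDrive directories of each profile in profiles_root.
    A DLL whose hash equals known_good_sha256 (the genuine System32 copy)
    is reported as a benign copy rather than a sideload candidate."""
    findings = []
    for profile in sorted(Path(profiles_root).iterdir()):
        if not profile.is_dir():
            continue
        for rel in SIDELOAD_DIRS:
            base = profile / rel
            if not base.is_dir():
                continue
            for p in sorted(base.rglob("*")):
                if not p.is_file():
                    continue
                if p.name.lower() == DLL_NAME:
                    digest = sha256_of(p)
                    verdict = "benign-copy" if digest == known_good_sha256 else "suspicious-dll"
                    findings.append((str(p), verdict, digest))
                elif DROP_NAME_RE.match(p.name):
                    findings.append((str(p), "dropped-tmp", sha256_of(p)))
    return findings


def demo_tree():
    """Build a constructed profile tree (assumption: a stand-in for C:\\Users)
    and return (root, sha256 of the stand-in 'genuine' DLL bytes)."""
    root = Path(tempfile.mkdtemp(prefix="users-"))
    genuine = b"MZ constructed stand-in for the real System32 iphlpapi.dll"
    # alice: the infection chain from the analysis; the staged file and the
    # renamed DLL are both kept here so that both verdicts are visible.
    alice_teams = root / "alice" / SIDELOAD_DIRS[0]
    alice_teams.mkdir(parents=True)
    (alice_teams / "Teams.exe").write_bytes(b"MZ constructed host binary")
    (alice_teams / "cache-XJDNSJWPFHD.tmp").write_bytes(b"MZ constructed dropped payload")
    (alice_teams / "iphlpapi.dll").write_bytes(b"MZ constructed dropped payload")
    # bob: only a copy matching the known-good hash, which must not alert
    bob_onedrive = root / "bob" / SIDELOAD_DIRS[1] / "21.220.1024.0001"
    bob_onedrive.mkdir(parents=True)
    (bob_onedrive / "iphlpapi.dll").write_bytes(genuine)
    # a same-named DLL outside the watched directories is ignored
    (root / "alice" / "Downloads").mkdir(parents=True)
    (root / "alice" / "Downloads" / "iphlpapi.dll").write_bytes(b"ignored")
    return root, hashlib.sha256(genuine).hexdigest()


if __name__ == "__main__":
    # On a real host: find_sideload_candidates(r"C:\Users", sha256_of(r"C:\Windows\System32\iphlpapi.dll"))
    root, good = demo_tree()
    for path, verdict, digest in find_sideload_candidates(root, good):
        print(f"{verdict:15} {digest[:16]}  {path}")
```

The hash comparison matters because some Teams builds legitimately ship copies of system libraries; without it every iphlpapi.dll in the application directory would look like a sideload. Treat any "suspicious-dll" hit as a candidate for triage (signature check, hash lookup), not as a confirmed infection.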

Indicators of Compromise (IOCs)

Indicator                                                                              Indicator Type   Description
(not listed)                                                                           (not listed)     Malicious Doc
(not listed)                                                                           (not listed)     Sideloaded DLL
d2xiq5m2a8wmm4.cloudfront[.]net                                                        URL              Cobalt Strike C&C URL
hxxps://laureati-prelios.azureedge[.]net/forms/Modulo_Testimone_Universitario_v3.doc   URL              Download URL

Detection & Response:

The queries below key on the file artifacts from the analysis: the staged cache-XJDNSJWPFHD.tmp and the final iphlpapi.dll appearing under the Teams\current or OneDrive directory of a user profile (Sysmon Event ID 11, TargetFilename). Their second clause, Teams.exe with iphlpapi.dll on its command line, is unlikely to fire in practice, because a sideloaded DLL is resolved by the loader rather than passed as an argument; to catch the load itself, use image-load telemetry (Sysmon Event ID 7) for Teams.exe or OneDrive.exe loading an iphlpapi.dll that does not resolve to System32.

Splunk Query:

source="WinEventLog:*" AND (((TargetFilename="*cache-XJDNSJWPFHD.tmp" OR TargetFilename="*iphlpapi.dll") AND (TargetFilename="*\\AppData\\Local\\Microsoft\\Teams\\current\\*" OR TargetFilename="*\\AppData\\Local\\Microsoft\\OneDrive\\*")) OR ((Image="*\\Teams.exe") AND (CommandLine="*iphlpapi.dll*")))

QRadar Query:

SELECT UTF8(payload) from events where (LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and (CATEGORYNAME(category) ILIKE 'File Created' or CATEGORYNAME(category) ILIKE 'Successful File Modification')) and ((("TargetFilename" ilike '%cache-XJDNSJWPFHD.tmp' or "TargetFilename" ilike '%iphlpapi.dll') and ("TargetFilename" ilike '%\AppData\Local\Microsoft\Teams\current\%' or "TargetFilename" ilike '%\AppData\Local\Microsoft\OneDrive\%')) or (("Image" ilike '%\Teams.exe') and ("Process CommandLine" ilike '%iphlpapi.dll%')))

Elastic Query:

((file.path.text:(*cache\-XJDNSJWPFHD.tmp OR *iphlpapi.dll) AND file.path.text:(*\\AppData\\Local\\Microsoft\\Teams\\current\\* OR *\\AppData\\Local\\Microsoft\\OneDrive\\*)) OR (process.executable.text:*\\Teams.exe AND process.command_line.text:*iphlpapi.dll*))

Carbon Black:

((filemod_name:(*cache\-XJDNSJWPFHD.tmp OR *iphlpapi.dll) AND filemod_name:(*\\AppData\\Local\\Microsoft\\Teams\\current\\* OR *\\AppData\\Local\\Microsoft\\OneDrive\\*)) OR (process_name:*\\Teams.exe AND process_cmdline:*iphlpapi.dll*))


(metaclass:`windows` ((filepath:[`*cache-XJDNSJWPFHD.tmp`,`*iphlpapi.dll`] filepath:[`\AppData\Local\Microsoft\Teams\current\\`,`\AppData\Local\Microsoft\OneDrive\\`]) OR (process:`*\Teams.exe` args:`iphlpapi.dll`)))


((TargetFilename.keyword:(*cache\-XJDNSJWPFHD.tmp *iphlpapi.dll) AND TargetFilename.keyword:(*\\AppData\\Local\\Microsoft\\Teams\\current\\* *\\AppData\\Local\\Microsoft\\OneDrive\\*)) OR (Image.keyword:*\\Teams.exe AND CommandLine.keyword:*iphlpapi.dll*))


((TargetFilename IN ["*cache-XJDNSJWPFHD.tmp", "*iphlpapi.dll"] TargetFilename IN ["*\\AppData\\Local\\Microsoft\\Teams\\current\\*", "*\\AppData\\Local\\Microsoft\\OneDrive\\*"]) OR (Image IN "*\\Teams.exe" CommandLine IN "*iphlpapi.dll*"))

Microsoft Defender:

DeviceFileEvents | where (((FolderPath endswith "cache-XJDNSJWPFHD.tmp" or FolderPath endswith "iphlpapi.dll") and (FolderPath contains @"\AppData\Local\Microsoft\Teams\current\" or FolderPath contains @"\AppData\Local\Microsoft\OneDrive\")) or ((InitiatingProcessFolderPath endswith @"\Teams.exe") and (InitiatingProcessCommandLine contains "iphlpapi.dll")))

Microsoft Sentinel:

// Sysmon events land in the Event table (Source "Microsoft-Windows-Sysmon"), not in SecurityEvent, and the Sysmon fields live in the EventData XML. The Teams.exe/CommandLine clause of the other queries can never match an Event ID 11 record and is omitted here.
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 11
| extend TargetFilename = extract(@'<Data Name="TargetFilename">(.*?)</Data>', 1, EventData)
| where (TargetFilename endswith 'cache-XJDNSJWPFHD.tmp' or TargetFilename endswith 'iphlpapi.dll') and (TargetFilename contains @'\AppData\Local\Microsoft\Teams\current\' or TargetFilename contains @'\AppData\Local\Microsoft\OneDrive\')

RSA Netwitness:

(((TargetFilename contains 'cache-XJDNSJWPFHD\.tmp', 'iphlpapi\.dll') && (TargetFilename contains '\AppData\\Local\\Microsoft\\Teams\\current\\\', '\AppData\\Local\\Microsoft\\OneDrive\\\')) || ((Image contains '\Teams\.exe') && (CommandLine contains 'iphlpapi\.dll')))

Sumo Logic:

(_sourceCategory=*windows* AND (((("cache-XJDNSJWPFHD.tmp" OR "iphlpapi.dll") AND ("\AppData\Local\Microsoft\Teams\current\\" OR "\AppData\Local\Microsoft\OneDrive\\")) OR ((Image = "*\Teams.exe") AND (CommandLine = "*iphlpapi.dll*")))))
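As an added example that is not part of the original page, the following Python reproduces the detection logic of the queries above over a handful of constructed Sysmon events and adds the image-load check the queries lack. The file-creation branch is the page's own logic (Sysmon Event ID 11, TargetFilename under the Teams\current or OneDrive directory). The Teams.exe command-line branch is replaced by Sysmon Event ID 7 (ImageLoad): Teams.exe or OneDrive.exe loading an iphlpapi.dll that does not resolve to System32 or SysWOW64. The event dicts, user names and paths are constructed samples, not real telemetry.

```python
# Application directories watched by the page's queries (compared case-insensitively).
WATCHED_DIRS = (
    "\\appdata\\local\\microsoft\\teams\\current\\",
    "\\appdata\\local\\microsoft\\onedrive\\",
)
DROPPED_NAMES = ("cache-xjdnsjwpfhd.tmp", "iphlpapi.dll")
HOST_PROCESSES = ("teams.exe", "onedrive.exe")
# Where the genuine IP Helper library lives (64-bit and WOW64 copies).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def _in_watched_dir(path):
    p = path.lower()
    return any(d in p for d in WATCHED_DIRS)


def classify(ev):
    """Label one Sysmon event dict, or return None if it is not of interest."""
    eid = ev.get("EventID")
    if eid == 11:  # FileCreate: the drop / rename in the application directory
        target = ev.get("TargetFilename", "")
        if _basename(target) in DROPPED_NAMES and _in_watched_dir(target):
            return "suspicious-file-drop"
    elif eid == 7:  # ImageLoad: the host process actually pulling in the DLL
        host = _basename(ev.get("Image", ""))
        loaded = ev.get("ImageLoaded", "")
        if (host in HOST_PROCESSES and _basename(loaded) == "iphlpapi.dll"
                and not loaded.lower().startswith(SYSTEM_DIRS)):
            return "dll-sideload"
    return None


# Constructed sample events (assumption: not real telemetry), in the order the
# infection chain would produce them, plus benign records that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\cache-XJDNSJWPFHD.tmp"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\iphlpapi.dll"},
    # Teams starts; note that iphlpapi.dll never appears on its command line
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"'},
    # the sideload: Teams resolves iphlpapi.dll from its own directory
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\iphlpapi.dll"},
    # a clean host loads the genuine library from System32
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "ImageLoaded": r"C:\Windows\System32\iphlpapi.dll"},
    # same file name outside the watched directories is out of scope here
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\iphlpapi.dll"},
]


def run(events=SAMPLE_EVENTS):
    """Return [(EventID, label)] for every event that produced a label."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev["EventID"], label))
    return out


if __name__ == "__main__":
    for eid, label in run():
        print(eid, label)
```

The Event ID 7 clause is the one that confirms the sideload rather than the staging; it is also the one to extend when the same technique is moved to another host application, since only HOST_PROCESSES and the watched directories change.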

Source/Credits: http/

Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.