Full Report
A year and a half ago I wrote a blog post describing how browsers’ cache system can be abused to drop malware on targets’ computers. As of today, this technique is still relevant. Browsers haven’t changed their behaviour and as such you can still use it for red team assessments.
Analysis Summary
# Tool/Technique: Browser Cache Smuggling (Weaponized)
## Overview
This technique abuses the way web browsers handle and store cached content to deliver and execute malware on a target's system. The initial step uses the browser's caching mechanism to "smuggle" a malicious file (such as a DLL) into a predictable file path on disk. The weaponized version then gets that DLL loaded by legitimate, frequently run applications such as Microsoft Teams or OneDrive, abusing the Windows DLL search order (DLL Search Order Hijacking) within their user-writable local application data directories.
## Technical Details
- Type: Technique (Dropper/Delivery mechanism combined with DLL Hijacking)
- Platform: Windows (Targeting processes like Microsoft Teams and OneDrive installed in user writable locations)
- Capabilities: Remote code execution via process injection/hijacking, C2 communication hiding within legitimate application HTTPS traffic.
- First Seen: The technique was described in an earlier post by the same author; the weaponized variant detailed here was confirmed still to work as of 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (delivery is implied: a browser visit or user action causes the cache drop)
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (User interaction needed to trigger cache-related action or initial download)
- T1055 - Process Injection (Implied when bypassing initial `rundll32` approach)
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder (Not explicitly used in the final payload delivery, but related to initial setup)
- **TA0005 - Defense Evasion**
- T1036.005 - Match Legitimate Name or Location (Hijacking DLLs in predictable locations)
- **TA0004 - Privilege Escalation** (applies where the user's privileges allow modification of the target directory)
- T1574.001 - DLL Search Order Hijacking (Core mechanism for running the smuggled payload via Teams/OneDrive)
## Functionality
### Core Capabilities
- **Malicious Payload Delivery (Smuggling):** Using browser cache mechanisms to place a malicious file (e.g., a DLL) into the browser's cache directory for a Windows user.
- **DLL Proxy Creation:** Compiling a malicious DLL (like `VERSION.dll`) that executes the primary beacon/malware, and then forwards necessary legitimate API calls back to the original, legitimate DLL to ensure the host application (Teams/OneDrive) functions normally.
- **Exploiting Search Order:** Placing the malicious proxy DLL into a user-writable directory (`%LOCALAPPDATA%`) used by target applications (like Teams) that load DLLs during startup according to the Windows DLL search order.
### Advanced Features
- **OpSec Improvement:** Moving away from suspicious processes like `powershell.exe` and `rundll32.exe` towards embedding the malware within legitimate, high-trust applications (Teams, OneDrive).
- **C2 Hiding:** Utilizing the existing, whitelisted HTTPS tunnels established by applications like Teams/OneDrive for beacon communication, blending traffic with legitimate application activity.
## Indicators of Compromise
- File Hashes: [Not provided in the scope of the technique description]
- File Names: `VERSION.dll` (Example of the forged proxy DLL).
- Registry Keys:
- `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClearBrowsingDataOnExitList` (used for mitigation, specifically listing `cached_images_and_files`)
- Network Indicators: C2 communication originating from processes associated with Microsoft Teams or OneDrive that would normally communicate only with organizational endpoints.
- Behavioral Indicators:
- Processes other than legitimate browsers attempting to access files within browser cache directories.
- Microsoft Teams attempting to load an exported function from a DLL located in `%LOCALAPPDATA%` paths that does not match expected behavior or signing.
## Associated Threat Actors
- [Not explicitly named in the context, but characterized as groups employing sophisticated delivery and low-visibility methods.]
## Detection Methods
- Signature-based detection: [Specific signatures for the forged DLL not provided]
- Behavioral detection: Monitoring any process *other than* the legitimate browser instances or core OS components attempting sequential access to browser cache files.
- YARA rules: [Not provided]
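A hunting script for the behavioural indicator above (a DLL loaded by Teams or OneDrive from `%LOCALAPPDATA%` that either shadows a System32 DLL name or carries an invalid signature), added here as an illustration; it is not from the original post. The process names in `$TargetProcesses` and the `Get-SuspiciousLoadedModule` name are assumptions.

```powershell
# Added example (not from the original post): list DLL search-order hijack
# candidates in running Teams/OneDrive processes. Process names are assumptions.
$TargetProcesses = @('ms-teams', 'Teams', 'OneDrive')
$System32        = Join-Path $env:SystemRoot 'System32'
$UserWritable    = $env:LOCALAPPDATA

function Get-SuspiciousLoadedModule {
    # Emits one record per loaded module that lives under %LOCALAPPDATA% and
    # either (a) shares its file name with a DLL in System32 (the classic
    # hijack pattern, e.g. a forged VERSION.dll) or (b) lacks a valid signature.
    $procs = Get-Process -Name $TargetProcesses -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        # .Modules can throw on 32/64-bit mismatch or access denied; skip those.
        try { $modules = $p.Modules } catch { continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            if (-not $path.StartsWith($UserWritable, 'OrdinalIgnoreCase')) { continue }

            $leaf             = Split-Path $path -Leaf
            $shadowsSystemDll = Test-Path (Join-Path $System32 $leaf)
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $sigStatus = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }

            if ($shadowsSystemDll -or $sigStatus -ne 'Valid') {
                [pscustomobject]@{
                    Process          = $p.ProcessName
                    PID              = $p.Id
                    Module           = $leaf
                    Path             = $path
                    ShadowsSystemDll = $shadowsSystemDll
                    Signature        = $sigStatus
                    Signer           = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
    }
}

Get-SuspiciousLoadedModule | Format-Table -AutoSize
```

Applications installed under `%LOCALAPPDATA%` legitimately load many signed DLLs from there, so treat `ShadowsSystemDll = True` with a non-Microsoft or invalid signer as the high-priority finding rather than every row.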
## Mitigation Strategies
- **Application Control:** Restrict scripting engines and similar execution environments (PowerShell, Python, Docker, VirtualBox) using AppLocker or Windows Defender Application Control (deployable through Intune).
- **PowerShell Hardening:** Force execution policies requiring scripts to be signed by the company's internal Certificate Authority (CA).
- **Installation Location Policy:** Avoid installing applications, if possible, into user writable directories like `%LOCALAPPDATA%`, as this allows standard users to modify loaded components.
- **Cache Flushing (Primary Mitigation):** Configure Group Policy Objects (GPOs) to force major browsers (like Chrome) to flush their caches upon session/application exit.
- For Chrome, populate the list policy under the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ClearBrowsingDataOnExitList` with a string entry `cached_images_and_files`. This ensures the smuggled DLL is erased when the browser closes, so it is no longer on disk to be loaded.
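The Chrome policy above applied and verified from PowerShell, as an added example that is not from the original post. `ClearBrowsingDataOnExitList` is a list policy, so each data type is a numbered `REG_SZ` value under the key; the function names are assumptions, and the script must run elevated.

```powershell
# Added example (not from the original post): enforce Chrome's
# ClearBrowsingDataOnExitList policy so cached files are purged on exit.
# Each list entry is a numbered REG_SZ value under the policy key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ClearBrowsingDataOnExitList'
$Required  = 'cached_images_and_files'

function Test-ChromeCacheFlushOnExit {
    # $true if some numbered entry under the policy key equals $Required.
    if (-not (Test-Path $PolicyKey)) { return $false }
    $entries = (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
    return [bool]($entries -contains $Required)
}

function Set-ChromeCacheFlushOnExit {
    # Idempotent: creates the key if missing and appends the entry at the next
    # free index without disturbing data types an admin already listed.
    if (Test-ChromeCacheFlushOnExit) { return }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $used = (Get-Item $PolicyKey).Property |
        Where-Object { $_ -match '^\d+$' } |
        ForEach-Object { [int]$_ }
    $next = if ($used) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $PolicyKey -Name "$next" -Value $Required -PropertyType String | Out-Null
}

Set-ChromeCacheFlushOnExit
if (Test-ChromeCacheFlushOnExit) {
    'Chrome will discard cached images and files on exit.'
} else {
    'Policy not applied; check that the shell is elevated.'
}
```

Chrome reads the value on its next policy refresh or restart; `chrome://policy` on the endpoint should then list `ClearBrowsingDataOnExitList` with `cached_images_and_files`.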
## Related Tools/Techniques
- DLL Search Order Hijacking (T1574.001)
- Application Shimming/Hijacking
- Browser Cache Manipulation