Full Report
Security experts have disclosed details of an active malware campaign that's exploiting a DLL side-loading vulnerability in a legitimate binary associated with the open-source c-ares library to bypass security controls and deliver a wide range of commodity trojans and stealers. "Attackers achieve evasion by pairing a malicious libcares-2.dll with any signed version of the legitimate ahost.exe (
Analysis Summary
# Vulnerability: DLL Side-Loading in c-ares Library Associated Binary (ahost.exe)
## CVE Details
- CVE ID: Not explicitly provided in the source text.
- CVSS Score: Not explicitly provided in the source text.
- CWE: Likely related to CWE-937: Improper Restriction of Pathname Validation or Resolution (if related to poor search path handling) or CWE-426: Untrusted Search Path (related to DLL loading).
## Affected Systems
- Products: Legitimate binary `ahost.exe` associated with the open-source **c-ares library** implementation. The vulnerable `ahost.exe` binary mentioned is signed by **GitKraken** (and likely used in GitKraken's Desktop application).
- Versions: Specific vulnerable versions of `c-ares` or the application bundling `ahost.exe` are not detailed. The attack relies on the DLL search path weakness present during execution.
- Configurations: Requires an attacker to place a malicious `libcares-2.dll` in the same directory where the legitimate, signed `ahost.exe` resides or will be executed from.
## Vulnerability Description
The vulnerability is a **DLL Side-Loading** flaw. Threat actors leverage the library-loading behaviour of the legitimate `ahost.exe` binary (associated with the c-ares library, often distributed via GitKraken). Because the executable resolves `libcares-2.dll` by name through the default DLL search order, in which the application's own directory is searched first, placing a malicious `libcares-2.dll` alongside the executable causes the operating system to load the malicious DLL instead of the legitimate one (search order hijacking). This grants the threat actor arbitrary code execution in the context of the signed, trusted `ahost.exe` process.
## Exploitation
- Status: **Exploited in the wild**. A widespread active malware campaign is utilizing this technique.
- Complexity: **Low**. Once the malicious DLL has been placed next to the legitimate binary, simply launching `ahost.exe` is sufficient.
- Attack Vector: **Local**. Exploitation often requires user interaction (e.g., opening a dropper disguised as an invoice or RFQ file) to launch the legitimate executable alongside the malicious DLL.
## Impact
- Confidentiality: **High**. Used to deploy stealers (Vidar, Agent Tesla, Formbook) and RATs capable of data theft.
- Integrity: **High**. Allows for execution of unauthorized, persistent malware.
- Availability: **Medium/High**. Deployment of RATs and trojans can lead to system instability or full compromise.
## Remediation
### Patches
- No specific patch version details are available in the source text. Remediation requires updates to the c-ares library implementation or the application bundling `ahost.exe` (e.g., GitKraken Desktop) to correctly specify DLL loading paths, preventing search order hijacking.
### Workarounds
- **Application Whitelisting/Hardening:** Verify that `ahost.exe` is only executed from its known, expected installation directory, limiting the ability of dropper files to place rogue DLLs nearby.
- **Restrict User Execution:** Improve awareness regarding suspicious files (e.g., those named like invoices/RFQs but having an `.exe` extension) that rely on trusted application components.
## Detection
- Forensic analysis should look for the presence of a **malicious `libcares-2.dll`** alongside a legitimate, signed **`ahost.exe`** binary.
- Malware observed being dropped includes: Agent Tesla, CryptBot, Formbook, Vidar Stealer, Remcos RAT, Quasar RAT, DCRat, and XWorm.
- Detection involves monitoring image-load (dynamic library loading) events originating from the `ahost.exe` process, especially when the loaded `libcares-2.dll` is unsigned, does not match the expected library, or is loaded from a directory other than the application's known installation path.
- **File name indicators (no hashes are given in the source text):** Examine executables named like "RFQ_NO_04958_LG2049 pdf.exe," "PO-069709-MQ02959-Order-S103509.exe," etc.
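As an added example (not code from the Trellix report or the c-ares project), the following Python triage routine applies the detection points above to constructed Sysmon-style image-load records. The expected installation directory, the record field names and the sample records are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumed install directory of the signed ahost.exe (placeholder, not taken from the report).
EXPECTED_AHOST_DIRS = {r"c:\program files\gitkraken\resources"}
# Lure file-name heuristic built from the names quoted in the report (RFQ_..., PO-...).
LURE_NAME = re.compile(r"(?i)^(rfq|po|invoice|order)[\s_-].*\.exe$")

def _norm(path) -> str:
    """Lower-case a Windows path so directory comparisons ignore case."""
    return str(PureWindowsPath(path)).lower()

def analyze_image_load(rec: dict) -> list:
    """Return reasons a Sysmon-style Event ID 7 record matches the ahost.exe side-load pattern.
    Records where the process is not ahost.exe or the DLL is not libcares-2.dll yield []."""
    image = PureWindowsPath(rec["Image"])
    loaded = PureWindowsPath(rec["ImageLoaded"])
    if image.name.lower() != "ahost.exe" or loaded.name.lower() != "libcares-2.dll":
        return []
    reasons = []
    if _norm(image.parent) not in EXPECTED_AHOST_DIRS:
        reasons.append(f"ahost.exe executed from unexpected directory: {image.parent}")
    if rec.get("Signed", "false").lower() != "true":
        reasons.append("loaded libcares-2.dll is unsigned")
    parent_name = PureWindowsPath(rec.get("ParentImage", "")).name
    if LURE_NAME.match(parent_name):
        reasons.append(f"parent process name matches invoice/RFQ lure pattern: {parent_name}")
    return reasons

def scan(records: list) -> dict:
    """Map record index -> reasons, for every record that triggers at least one reason."""
    hits = {}
    for i, rec in enumerate(records):
        reasons = analyze_image_load(rec)
        if reasons:
            hits[i] = reasons
    return hits

# Constructed sample records (not real telemetry): a benign load, the side-load, an unrelated load.
SAMPLE_RECORDS = [
    {"Image": r"C:\Program Files\GitKraken\resources\ahost.exe",
     "ImageLoaded": r"C:\Program Files\GitKraken\resources\libcares-2.dll",
     "Signed": "true", "ParentImage": r"C:\Program Files\GitKraken\gitkraken.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\ahost.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\libcares-2.dll",
     "Signed": "false", "ParentImage": r"C:\Users\victim\Downloads\RFQ_NO_04958_LG2049 pdf.exe"},
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]
```

Running `scan(SAMPLE_RECORDS)` flags only the second record, with all three reasons; tune `EXPECTED_AHOST_DIRS` to the paths where the signed binary legitimately lives in your environment.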
## References
- Vendor Advisory (Trellix Report): hxxps://www.trellix.com/en-au/blogs/research/hiding-in-plain-sight-multi-actor-ahost-exe-attacks/
- c-ares Library Development Page: hxxps://c-ares.org/
- General DLL Side-Loading Info: hxxps://cloud.google.com/blog/topics/threat-intelligence/abusing-dll-misconfigurations