Threat Actors Exploiting DLL Side-Loading Vulnerability in Google Chrome to Execute Malicious Payloads
Author: Guru Baran
Cybersecurity researchers have identified a concerning new attack vector in which threat actors are actively exploiting a vulnerability in Google Chrome version 133.0.6943.126 through DLL side-loading techniques.
This sophisticated attack allows malicious code execution through Chrome’s trusted subprocesses, creating a significant security risk for users worldwide.
DLL side-loading occurs when attackers exploit the way Windows applications load Dynamic Link Libraries (DLLs). The technique takes advantage of the Windows search order, allowing malicious DLLs to be loaded instead of legitimate ones.
In this case, the Threatmon report states that attackers target Chrome’s processes by replacing the legitimate chrome_elf.dll file with a malicious counterpart.
“DLL search order hijacking is one of the most common methods of DLL sideloading that occurs when an attacker places a malicious DLL with the same name as a legitimate DLL in a location that is searched before arriving at the legitimate DLL’s path,” explains Securonix Threat Research.
When Chrome runs, it unknowingly loads the attacker’s DLL, executing malicious code with the browser’s trusted permissions.
DLL Side-Loading Vulnerability in Google Chrome
The exploit leverages a vulnerability in Chrome’s latest version (133.0.6943.126), which was released in February 2025.
While Google has released security updates addressing other high-severity vulnerabilities in Chrome 133, this specific DLL side-loading vulnerability appears to remain exploitable.
The attack uses a sophisticated technique known as DLL proxying, where the malicious DLL acts as a proxy intercepting function calls from the executable and forwarding them to a legitimate DLL.
This ensures the application maintains normal behavior while allowing the malicious code to execute undetected.
Security analysts have noted the attack’s implementation is particularly sophisticated:
- The malicious DLL creates a persistent backdoor that continues operating even after Chrome is closed
- Detection rates remain extremely low, with security tools identifying the malicious DLL in only 2 out of 70 scans
- The malware employs anti-detection techniques to evade analysis
A notable aspect of this attack is the use of the Nim programming language to develop the malicious code.
Nim is an uncommon choice for malware development but provides several advantages to attackers, including evading signature-based detections and impeding analysis by security researchers unfamiliar with the language.
This attack represents a concerning evolution in threat tactics. DLL side-loading has been documented since at least 2010, but its application against widely used software like Chrome demonstrates how attackers continue to refine established techniques.
The vulnerability affects Chrome version 133.0.6943.126 for Windows, macOS, and Linux. Users are strongly encouraged to update their browsers immediately and implement additional security measures.
Mitigations
Security experts recommend several protective measures:
- Update Chrome to the latest version immediately
- Deploy endpoint detection solutions capable of identifying DLL side-loading
- Use application whitelisting to prevent unauthorized DLL loading
- Monitor system processes for unexpected behavior after closing Chrome
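The search-order point above and the monitoring recommendation can be turned into a concrete check. The following is an added example, not code from the article, Threatmon or Securonix: it scans Sysmon Event ID 7 (image load) records and flags three conditions a defender would want to see for Chrome: a watched DLL such as chrome_elf.dll loaded from a directory outside the Chrome installation, a load into chrome.exe that is unsigned or has an invalid signature, and a validly signed load whose signer is not an expected publisher. The sample events are constructed and flattened to one key=value line each; the default install path under Program Files and the trusted signer name are assumptions you should adjust to your environment.

```python
import ntpath
import re

# Constructed sample Sysmon Event ID 7 (Image loaded) records, flattened to one
# key=value line each for this example. Real events come from the
# Microsoft-Windows-Sysmon/Operational channel and carry more fields.
SAMPLE_EVENTS = [
    # 0: legitimate chrome_elf.dll loaded from the versioned Chrome directory
    r"EventID=7 Image=C:\Program Files\Google\Chrome\Application\chrome.exe "
    r"ImageLoaded=C:\Program Files\Google\Chrome\Application\133.0.6943.126\chrome_elf.dll "
    r"Signed=true Signature=Google LLC SignatureStatus=Valid",
    # 1: same DLL name resolved from a user-writable directory, unsigned
    r"EventID=7 Image=C:\Program Files\Google\Chrome\Application\chrome.exe "
    r"ImageLoaded=C:\Users\alice\Downloads\chrome\chrome_elf.dll "
    r"Signed=false Signature=- SignatureStatus=Unavailable",
    # 2: correct path, valid signature, but an unexpected publisher
    r"EventID=7 Image=C:\Program Files\Google\Chrome\Application\chrome.exe "
    r"ImageLoaded=C:\Program Files\Google\Chrome\Application\133.0.6943.126\chrome_elf.dll "
    r"Signed=true Signature=Contoso Ltd SignatureStatus=Valid",
    # 3: unrelated process, should be ignored by the Chrome rules
    r"EventID=7 Image=C:\Windows\System32\notepad.exe "
    r"ImageLoaded=C:\Windows\System32\kernel32.dll "
    r"Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
]

# Assumptions: default per-machine Chrome install location and expected signer.
CHROME_INSTALL_ROOT = r"C:\Program Files\Google\Chrome\Application"
WATCHED_DLLS = {"chrome_elf.dll"}
TRUSTED_SIGNERS = {"google llc"}


def parse_event(line):
    """Split a flattened key=value record; values may contain spaces."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_under(path, root):
    """Case-insensitive check that a Windows path lies inside root."""
    path_n = ntpath.normcase(ntpath.normpath(path))
    root_n = ntpath.normcase(ntpath.normpath(root))
    return path_n == root_n or path_n.startswith(root_n + ntpath.sep)


def analyze_event(fields):
    """Return a list of (rule, loaded_image) findings for one event."""
    findings = []
    if fields.get("EventID") != "7":
        return findings
    loader = ntpath.basename(fields.get("Image", "")).lower()
    if loader != "chrome.exe":
        return findings
    loaded = fields.get("ImageLoaded", "")
    dll = ntpath.basename(loaded).lower()
    # Rule 1: a watched DLL name resolved from outside the install directory,
    # which is the signature of a search-order hijack.
    if dll in WATCHED_DLLS and not is_under(loaded, CHROME_INSTALL_ROOT):
        findings.append(("unexpected_path", loaded))
    # Rule 2: anything loaded into chrome.exe without a valid signature.
    signed = fields.get("Signed", "").lower() == "true"
    if not signed or fields.get("SignatureStatus") != "Valid":
        findings.append(("unsigned_or_invalid", loaded))
    # Rule 3: validly signed, but by a publisher we do not expect in Chrome.
    elif fields.get("Signature", "").lower() not in TRUSTED_SIGNERS:
        findings.append(("untrusted_signer", loaded))
    return findings


def scan(lines):
    """Run every rule over every line; returns (index, rule, path) tuples."""
    return [
        (i, rule, path)
        for i, line in enumerate(lines)
        for rule, path in analyze_event(parse_event(line))
    ]


if __name__ == "__main__":
    for index, rule, path in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}: {path}")
```

Rule 2 on its own will also fire for any unsigned third-party module injected into the browser, so in production you would pair it with an allowlist of known loads; rule 1 is the one that maps directly to the chrome_elf.dll replacement described above, and the same pattern extends to any other DLL name you add to WATCHED_DLLS.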
As these attacks grow in sophistication, organizations must remain vigilant and proactive in their security approach to protect against this evolving threat landscape.