Threat Intel Digest

January 2020

Crossing the Bridge to Anonymous Surfing

The Tor network and Tor Browser are among the most common tools attackers use to hide their online activity. An attacker can route traffic through Tor to reach a command-and-control server hosted as a hidden service (onion service), so that neither the server's address nor the infected host's appears on the wire between them while data is exfiltrated or other malicious actions are carried out.

The defining feature of the Tor network is that it hides how a connection is built: traffic is relayed through a circuit of volunteer-run machines around the world, and each machine learns only the previous and the next hop, never both the origin and the destination of a packet. Defenders who want to block or attribute Tor traffic therefore need to know where these volunteer machines, usually called relays or nodes, are, and finding that out is the hard part. The network has two major kinds of relay: normal relays and bridge relays. Normal relays are published in the Tor directory consensus, so their addresses can be downloaded and fed into a blocklist; bridges are deliberately unlisted and are handed out a few at a time precisely so that censors cannot enumerate them. That makes bridges harder to monitor than normal relays, but techniques do exist for discovering their locations.


The Right Way to Order a DLL

DLL search order hijacking is an attack technique that takes advantage of how applications load dynamic link libraries (DLLs) on Windows. A DLL is a library file containing functions an application needs at run time; different applications import different collections of DLLs, such as kernel32.dll, user32.dll, and so on.

Most applications use a mix of shared system DLLs and private DLLs that exist only for that program. Shared DLLs normally live in the system directory (%SystemRoot%\System32), and when a program loads a DLL by name rather than by full path, Windows walks a fixed search order to find it. With the default SafeDllSearchMode that order starts with the application's own directory, then System32, then the other system directories, the current directory, and finally the directories in PATH. Because the application directory is checked first, a file placed there with the same name as a system DLL is loaded instead of the clean copy in System32. For the attack to work, the attacker therefore needs write access to the application's directory, or to some other directory that is searched before the one holding the legitimate DLL. An attacker who has already escalated to administrative rights can write into any application's folder and use the technique for persistence; when the folder is writable by ordinary users, as happens with software installed outside Program Files, a low-privileged attacker can plant the DLL and have it execute with the rights of whoever launches the application, which turns the same trick into a privilege escalation. Two caveats matter in practice: DLLs on the KnownDLLs list (kernel32.dll and user32.dll among them) are always mapped from System32 regardless of the search order, and a DLL loaded by absolute path is not subject to the search at all.
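As an added illustration, not part of the original digest, the following Python model walks the search order described above. Its directory contents are constructed in memory, its KnownDLLs set is an assumed subset of the real list, and the paths (C:\Tools\Acme, C:\Users\alice) are hypothetical. For each DLL an application imports it reports where the loader would take the file from and which user-writable directories are searched no later than that, then shows that planting version.dll in a writable application directory succeeds while planting user32.dll does not.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode on) used to show
why a DLL planted in an application's directory shadows the copy in
System32, and why KnownDLLs such as user32.dll are immune. All directory
contents below are constructed in memory; nothing touches a real system."""

from dataclasses import dataclass

SYSTEM_ROOT = r"C:\Windows"
SYSTEM32 = SYSTEM_ROOT + r"\System32"

# Assumed subset of the real KnownDLLs registry list. The loader maps these
# from System32 no matter what sits earlier in the search order.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}


def search_order(app_dir, cwd, path_dirs):
    """Directories the loader walks, in order, with SafeDllSearchMode enabled:
    app dir, System32, 16-bit System, Windows, current dir, then PATH."""
    return [app_dir, SYSTEM32, SYSTEM_ROOT + r"\System", SYSTEM_ROOT, cwd, *path_dirs]


@dataclass
class Filesystem:
    """files: directory -> set of file names; writable: directories a
    low-privilege user can write to. Name matching is case-insensitive."""
    files: dict
    writable: set

    def has(self, directory, name):
        return name.lower() in {f.lower() for f in self.files.get(directory, ())}

    def plant(self, directory, name):
        """Simulate an attacker dropping a file; refused unless the dir is writable."""
        if directory not in self.writable:
            raise PermissionError(f"{directory} is not writable")
        self.files.setdefault(directory, set()).add(name)


def resolve(fs, dll, order):
    """Directory the loader would take `dll` from, or None for a phantom DLL
    (imported by name but present nowhere on the search path)."""
    if dll.lower() in KNOWN_DLLS:
        return SYSTEM32
    for d in order:
        if fs.has(d, dll):
            return d
    return None


def audit(fs, imports, order):
    """Map each import to (resolved_dir, planting_dirs): writable directories
    searched no later than the one that wins. A non-empty planting list means
    a local user can make the application load a DLL of their choosing."""
    findings = {}
    for dll in imports:
        resolved = resolve(fs, dll, order)
        planting = []
        if dll.lower() not in KNOWN_DLLS:
            for d in order:
                if d in fs.writable:
                    planting.append(d)
                if d == resolved:
                    break
        findings[dll] = (resolved, planting)
    return findings


# Constructed scenario (hypothetical paths): an application installed under a
# user-writable directory, importing a mix of system and private DLLs.
APP_DIR = r"C:\Tools\Acme"
CWD = r"C:\Users\alice"
PATH_DIRS = [r"C:\Users\alice\bin"]
IMPORTS = ["user32.dll", "version.dll", "acmeplugin.dll", "phantom.dll"]


def sample_fs():
    return Filesystem(
        files={
            SYSTEM32: {"ntdll.dll", "kernel32.dll", "user32.dll", "version.dll"},
            APP_DIR: {"app.exe", "acmeplugin.dll"},
        },
        writable={APP_DIR, CWD, r"C:\Users\alice\bin"},
    )


def demo():
    """Audit before and after the attacker plants two DLLs in the app dir."""
    fs = sample_fs()
    order = search_order(APP_DIR, CWD, PATH_DIRS)
    before = audit(fs, IMPORTS, order)
    fs.plant(APP_DIR, "version.dll")   # shadows the System32 copy
    fs.plant(APP_DIR, "user32.dll")    # ignored: user32.dll is a KnownDLL
    after = audit(fs, IMPORTS, order)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for dll in IMPORTS:
        print(f"{dll:15} before: {before[dll]}   after: {after[dll][0]}")
```

The phantom.dll entry shows the other common variant: a name the application asks for that exists nowhere on the search path, so every writable directory in the order is a planting location. On a real host the same audit is done by listing the directories in the search order, checking their ACLs, and comparing each imported name with the path that actually resolved; Process Monitor's NAME NOT FOUND results on DLL paths are the usual way to spot the phantom case.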