Persistent malware WordDrone exploits DLL Side-Loading to compromise Taiwan's drone industry

Outdated software can be targeted in complex attacks

· TechRadar

News By Efosa Udinmwen published 5 October 2024


A recent investigation by Acronis Threat Research Unit (TRU) has revealed an intricate attack that used an old version of Microsoft Word as a conduit for installing a persistent backdoor on infected systems.

WordDrone targets companies in Taiwan, particularly those involved in drone manufacturing. The investigation found the malware installed on systems at companies working in Taiwan's growing drone industry, which has seen significant government investment since 2022.

Taiwan's strategic position in both the technological and military sectors likely made these organizations attractive targets for espionage or supply chain attacks.

Microsoft Word vulnerabilities

The attackers use a technique known as DLL side-loading to install the malware through an outdated copy of Microsoft Word 2010. Three primary files are dropped on the target system: a legitimate copy of Winword (the Microsoft Word executable), a maliciously crafted wwlib.dll, and a file with a random name and extension.

The legitimate Winword application is used to side-load the malicious DLL, which serves as a loader for the actual payload hidden within the encrypted random-named file.

DLL side-loading abuses the way Windows applications locate and load libraries. In this case, the attackers take advantage of an older version of Microsoft Word that loads a malicious DLL disguised as a legitimate part of the Microsoft Office installation. The malicious wwlib.dll acts as a loader, decrypting and executing the actual payload hidden in the other, encrypted file. Because the malicious code runs inside a legitimate, signed Word process, traditional security tools have difficulty detecting the attack.

The attackers went as far as digitally signing some of the malicious DLLs with certificates that had only recently expired. This tactic lets the malware evade security systems that fully trust signed binaries without checking whether the signing certificate is still valid.
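The two observations above (a legitimate Word executable side-loading wwlib.dll from an unusual directory, and DLLs carrying signatures from expired certificates) both leave traces in module-load telemetry. The following added example, which is not code from the article or from Acronis, shows how a defender might screen Sysmon-style ImageLoad records for them. The record format, the trusted Office install roots, and the sample log lines are all constructed assumptions for illustration; the only names taken from the article are winword.exe and wwlib.dll.

```python
"""Screen constructed Sysmon-style ImageLoad records for wwlib.dll side-loading
and for modules signed with certificates that are no longer valid."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a legitimate Office install lives under one of these roots.
TRUSTED_OFFICE_ROOTS = (
    r"C:\Program Files\Microsoft Office",
    r"C:\Program Files (x86)\Microsoft Office",
)
# The side-loaded module and its host process, as named in the article.
SIDELOAD_TARGETS = {"wwlib.dll"}
HOST_PROCESSES = {"winword.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str          # process that performed the load
    image_loaded: str   # module that was loaded


def parse_record(line: str) -> dict:
    """Parse 'Key=Value | Key=Value' text into a dict (constructed log format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def under_trusted_root(path: str) -> bool:
    """True when the path sits inside an expected Office install directory."""
    norm = str(PureWindowsPath(path)).lower()
    return any(norm.startswith(root.lower() + "\\") for root in TRUSTED_OFFICE_ROOTS)


def evaluate(rec: dict) -> list:
    """Apply the side-loading and signature rules to one parsed record."""
    image = rec.get("Image", "")
    loaded = rec.get("ImageLoaded", "")
    image_name = PureWindowsPath(image).name.lower()
    loaded_name = PureWindowsPath(loaded).name.lower()
    findings = []
    if loaded_name in SIDELOAD_TARGETS:
        # Rule 1: the Office module was loaded from outside any Office install.
        if not under_trusted_root(loaded):
            findings.append(Finding("wwlib.dll loaded from outside Office install", image, loaded))
        # Rule 2: the host Word binary itself is a relocated copy.
        if image_name in HOST_PROCESSES and not under_trusted_root(image):
            findings.append(Finding("winword.exe running from outside Office install", image, loaded))
    # Rule 3: the module is signed, but the signature did not verify as valid
    # (an expired certificate is one such case).
    if rec.get("Signed", "").lower() == "true" and rec.get("SignatureStatus", "") != "Valid":
        findings.append(Finding(f"signature status {rec['SignatureStatus']}", image, loaded))
    return findings


def scan(lines) -> list:
    """Return every finding across a sequence of raw record lines."""
    return [f for line in lines for f in evaluate(parse_record(line))]


# Constructed sample records: a benign Office load, the side-loading pattern, an unrelated load.
SAMPLE_RECORDS = [
    r"Image=C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | ImageLoaded=C:\Program Files\Microsoft Office\Office14\wwlib.dll | Signed=true | SignatureStatus=Valid",
    r"Image=C:\Users\Public\Libraries\winword.exe | ImageLoaded=C:\Users\Public\Libraries\wwlib.dll | Signed=true | SignatureStatus=Expired",
    r"Image=C:\Windows\explorer.exe | ImageLoaded=C:\Windows\System32\kernel32.dll | Signed=true | SignatureStatus=Valid",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.rule}] {f.image} -> {f.image_loaded}")
```

Only the second constructed record triggers findings: wwlib.dll and winword.exe both sit outside the trusted Office roots, and the module's signature status is not Valid. Rule 3 deliberately treats any non-Valid status on a signed module as a finding rather than trusting the presence of a signature, which is the gap the expired-certificate tactic relies on.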
