Where Cyberattacks Started: A Poisoned DLL

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack...

Figure 4. The inserted malicious code runs within a parallel thread.

> The modification to this function is very lightweight and could be easily overlooked—all it does is to execute the method OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow of RefreshInternal is not altered.

Source: Microsoft 365 Defender Research Team, Microsoft Threat Intelligence Center, page ...

Notice what the code really does: it starts the backdoor on a parallel thread inside the legitimate process that loaded the DLL, so the implant inherits every privilege that process already holds, and the attackers get a foothold from which to 'elevate privileges' and move laterally [hello object-capabilities...]

> As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.
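The two points above, the thread hook that leaves the host function's behaviour untouched and the implant inheriting the host's authority, can be modelled in a few lines. The following is an added, constructed example and is not SolarWinds, Microsoft or Solorigate code: `refresh_internal_hooked` and `backdoor_initialize` are hypothetical stand-ins for `RefreshInternal` and `OrionImprovementBusinessLayer.Initialize`, `PROCESS_CONFIG` is a made-up stand-in for secrets a real process would hold in memory, and `threads_left_behind` is a simple check that a scheduled task should not leave a new resident thread behind.

```python
"""Hypothetical model of the Solorigate hook (constructed example, not the
real code): a scheduled task whose return value is unchanged, while a
parallel thread runs with the full authority of the host process."""
import threading

# Constructed stand-in for secrets the legitimate process holds in memory.
PROCESS_CONFIG = {"db_password": "hunter2", "api_token": "tok-123"}

# Whatever the parallel thread manages to read; written by the "implant".
EXFILTRATED = {}
BACKDOOR_STARTED = threading.Event()
SHUTDOWN = threading.Event()  # lets a demo stop the resident thread


def backdoor_initialize():
    """Stand-in for OrionImprovementBusinessLayer.Initialize.

    Nothing was handed to it: it reaches the same module globals the host
    can reach (ambient authority), then stays resident like an implant
    waiting for tasking.
    """
    EXFILTRATED.update(PROCESS_CONFIG)
    BACKDOOR_STARTED.set()
    SHUTDOWN.wait()


def refresh_internal_clean(inventory):
    """Legitimate scheduled task: summarise the inventory and return it."""
    return {"engines": len(inventory), "status": "ok"}


def refresh_internal_hooked(inventory):
    """Same task with the Figure 4 style modification.

    The implant is started on a background thread and then the original
    work runs unchanged, so every caller sees the same return value and
    no exception. Only one implant thread is ever started.
    """
    if not BACKDOOR_STARTED.is_set():
        worker = threading.Thread(target=backdoor_initialize,
                                  name="inventory-worker", daemon=True)
        worker.start()  # returns once the thread is registered and running
    return refresh_internal_clean(inventory)


def threads_left_behind(task, *args):
    """Run a scheduled task and report threads alive afterwards that were
    not alive before. A task that 'does not alter the normal flow' should
    leave this list empty; the hooked one cannot, because the implant must
    stay resident.
    """
    before = {t.ident for t in threading.enumerate()}
    result = task(*args)
    new_threads = [t for t in threading.enumerate()
                   if t.ident not in before and t.is_alive()]
    return result, new_threads


def main():
    inventory = ["engine-1", "engine-2"]
    clean_result, clean_new = threads_left_behind(refresh_internal_clean, inventory)
    hooked_result, hooked_new = threads_left_behind(refresh_internal_hooked, inventory)
    BACKDOOR_STARTED.wait(timeout=5)
    print("clean :", clean_result, "new threads:", [t.name for t in clean_new])
    print("hooked:", hooked_result, "new threads:", [t.name for t in hooked_new])
    print("implant read without being granted anything:", EXFILTRATED)
    SHUTDOWN.set()


if __name__ == "__main__":
    main()
```

The caller of `refresh_internal_hooked` gets exactly what the clean version returns, which is why a diff of behaviour at the call site finds nothing; what does differ is the process state (a resident thread, and secrets read by code nobody granted them to). Python does not enforce object capabilities, so the example only illustrates the point: in a capability design `backdoor_initialize` could not name `PROCESS_CONFIG` at all unless the host passed it a reference, and the thread hook would buy the attacker nothing beyond whatever `refresh_internal` itself had been given.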