Where Cyberattacks Started: A Poisoned DLL

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack...

Figure 4. The inserted malicious code runs within a parallel thread.

> The modification to this function is very lightweight and could be easily overlooked—all it does is to execute the method OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow of RefreshInternal is not altered.

Microsoft 365 Defender Research Team Microsoft Threat Intelligence Center page ...


Notice what the code really does: Allows hackers a backdoor to 'elevate privileges' [hello object-capabilities...]

> As we’ve seen in past human-operated attacks, once operating inside a network, adversaries can perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move across the network until they can achieve their goal, whether that’s cyberespionage or financial gain.

See, also