What is sideloading?
Sideloading is the installation of software from a source other than an approved one, for example an application that is not available from the official vendor or app store and is instead obtained from a third-party website or file share. Because such software bypasses the vetting that an official distribution channel provides, sideloading has become yet another valuable opportunity for cybercriminals.
What makes sideloading a security risk?
Applications from third-party sources may not have been security tested and can be malicious in nature, meaning that users can be exposed to threats simply by installing the application on their devices. Not surprisingly, sideloading was described as “a cyber criminal’s best friend” by Apple’s senior vice president, Craig Federighi, at Web Summit 2021.
Typically, these applications are downloaded following some form of social engineering, such as a phishing email or a pop-up advertisement. Users may also seek out a ‘free’ or ‘cracked’ version of a piece of software, which can contain malicious code alongside (or instead of) the program they expected.
How sideloading is used to deliver ransomware
One sideloading campaign recently observed in the wild is WizardUpdate. The application masquerades as legitimate software such as Adobe Flash Player. Originally it was a reconnaissance tool that only gathered system information and relayed it to a command-and-control (C2) server. It has since been developed to bypass macOS Gatekeeper protections, to load further payloads such as adware and other malware from within the application, and to change system settings.
If a sideloaded application contains malware that gives an attacker remote access, that access is typically sold on to ransomware groups, who use the initial foothold to begin lateral movement and privilege escalation and eventually deploy ransomware.
Another recently identified sideloading attack involves the threat actors behind malware such as Trickbot and BazarLoader abusing a feature that Microsoft introduced in June 2021 to allow users to install Windows 10 apps directly from a web page. A link on an attacker-controlled page is enough to trigger the install prompt, so the malicious package never has to pass through an email gateway.
The impact of sideloading attacks
Sideloading attacks can leave organisations compromised, unable to access their data unless a ransom is paid, or with their confidential data exfiltrated. Sideloaded applications present a risk similar to that of email-borne malware, except that the initial infection path is likely to be subject to fewer security controls: a package pulled from a web page or third-party site is not inspected by the email gateway and may not be scanned at all before it runs.
Key steps for protecting your organisation from sideloading attacks
- Consider limiting user rights via Group Policy so that only system administrators can download and install software, preventing standard users from installing potentially unwanted programs (PUPs) on corporate devices.
- Ensure software is only downloaded and installed directly from the vendor’s website or an official app store, rather than from third-party sites, and enforce this with application allow listing (for example AppLocker or Windows Defender Application Control) that restricts execution to a set of approved applications.
- Provide regular awareness sessions to ensure employees are aware of the potential risks.
- Consider investing in a security solution, such as Endpoint Detection and Response (EDR) or Next Generation Antivirus (NGAV), which continuously monitors endpoint activity and can block threats originating from devices. No single control catches everything, so treat blocking and monitoring as complementary.
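A concrete way to implement and verify the steps above on a Windows 10/11 endpoint, written here as an added example rather than code from the original article or from Redscan: it lists packaged (MSIX/Appx) apps that did not come from the Microsoft Store, checks and optionally sets the registry values behind the relevant Group Policy settings (the sideloading and developer-mode policies, and the App Installer policy that controls installs from web pages), asks AppLocker whether a downloaded installer would be allowed to run for a standard user, and pulls recent AppLocker block events. The registry paths and value names reflect these policies as documented for current builds and should be confirmed against the ADMX templates in use; the Downloads path in the usage lines is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Audit and harden a Windows endpoint against sideloaded applications.
# Added example, not the article's or Redscan's tooling. Run from an elevated
# PowerShell session. Paths and policy names marked below are assumptions.

# 1. Inventory packaged apps that were not installed from the Store.
#    SignatureKind is Store, System, Developer, Enterprise or None; anything other
#    than Store/System was sideloaded (or developer-installed) and deserves a look.
function Get-SideloadedAppx {
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin @('Store', 'System') } |
        Select-Object Name, Publisher, SignatureKind, InstallLocation
}

# 2. Registry values written by the relevant Group Policy settings.
#    0 = disabled. The key is created by the GPO; absent means "not configured".
#    (Assumption: value names as in the Windows/App Installer ADMX templates.)
$PolicyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
       Name = 'AllowAllTrustedApps'               # "Allow all trusted apps to install"
       Want = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
       Name = 'AllowDevelopmentWithoutDevLicense' # Developer mode
       Want = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
       Name = 'EnableMSAppInstallerProtocol'      # installs from web pages (ms-appinstaller:)
       Want = 0 }
)

function Test-SideloadPolicy {
    foreach ($c in $PolicyChecks) {
        $val = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Setting   = $c.Name
            Current   = if ($null -eq $val) { 'not configured' } else { $val }
            Compliant = ($val -eq $c.Want)
        }
    }
}

function Set-SideloadPolicy {
    # Applies the hardened values locally; in a domain, set the same values via GPO instead.
    foreach ($c in $PolicyChecks) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -PropertyType DWord -Force | Out-Null
    }
}

# 3. Ask AppLocker whether a downloaded installer would be allowed to run for a
#    standard user, before anyone double-clicks it. Requires an AppLocker policy
#    to be in place (enforce or audit mode).
function Test-DownloadAgainstAppLocker {
    param([Parameter(Mandatory)][string]$Path, [string]$User = 'Everyone')
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 4. Surface recent AppLocker blocks (event 8004) and audit-mode
#    "would have been blocked" events (event 8003) for triage.
function Get-AppLockerBlocks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = 8003, 8004
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (the Downloads path is a placeholder for a file you want to check):
Get-SideloadedAppx | Format-Table -AutoSize
Test-SideloadPolicy | Format-Table -AutoSize
Test-DownloadAgainstAppLocker -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-Table -AutoSize
Get-AppLockerBlocks | Format-Table -AutoSize
# Set-SideloadPolicy   # uncomment to apply the hardened values on a standalone machine
```

Run the audit functions first and review the output: a Developer- or Enterprise-signed package on a machine that is not meant to have developer mode, or a run of 8003 events in audit mode, is exactly the signal that sideloading is happening. Only switch AppLocker from audit to enforce once the allow list covers the software the business actually needs, otherwise users will find their own workarounds.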
Redscan’s Managed Endpoint Detection and Response (EDR) service significantly enhances visibility of attacks targeting endpoint devices, supplying an experienced team of threat hunters, with the latest EDR technology and threat intelligence to identify threats that other controls can miss.