
In the wild (from illicit source): Mp3tag with malicious fake TAK lib

The release note for Mp3tag 3.27 four weeks ago (there is a hotfix 3.27a out after that): https://community.mp3tag.de/t/mp3tag-v3-27-released/65520

Someone created a fake malicious tak_deco_lib.dll and distributed it with Mp3tag.
The issue in itself was not too damaging, but it is worth taking note that TAK in itself is considered "big enough" to make a forgery of it. And TAK isn't that big, so one might expect them to try a bigger fish next time.
And "next time" might already be out in the wild.


It is easy to keep your Mp3tag safe from this one: upgrade, and the new version won't use that dll (neither the fake nor the official).
And to those who wonder "how could that happen?": It isn't that weird.

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #1
Not ITW malware, just a PoC!

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #2
Interesting stuff, let's check:
https://nvd.nist.gov/vuln/detail/CVE-2024-7193

A vulnerability has been found in Mp3tag up to 3.26d and classified as problematic. This vulnerability affects unknown code in the library tak_deco_lib.dll of the component DLL Handler. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. Upgrading to version 3.26e is able to address this issue. It is recommended to upgrade the affected component. VDB-272614 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early, responded in a very professional manner and immediately released a fixed version of the affected product.

(I found a couple other pages with this CVE but they all basically copypasted the same text)

So, if I read this correctly:
This dll has poor file path validation somewhere, but I don't see a mention of "malicious" or "fake" anywhere. It talks about a vulnerability, possibly a bug in the original/legit dll, but no implication that it was planted intentionally.
Is this CVE summary incomplete perhaps?
Is the post author at mp3tag.de perhaps confused with translation or using some additional knowledge that we do not have?
Do you perhaps have links to such knowledge?
a fan of AutoEq + Meier Crossfeed

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #3
Is the post author at mp3tag.de perhaps confused with translation or using some additional knowledge that we do not have?

Since it was posted by the developer himself, I am quite sure he has "knowledge we do not have"  ;)

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #4
Makes sense, would be interesting to see more after more is allowed to be shared!
a fan of AutoEq + Meier Crossfeed

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #5
To be fair, I don't know anything about this stuff, but I found this: https://nsaneforums.com/topic/457388-frontpaged-mp3tag-326e-beta/

Quote
CHG: added checks for integrity and manual loading of tak_deco_lib.dll for handling TAK files to prevent DLL side-loading.

The term "DLL side-loading" is key here I think.

So, I presume the mp3tag executable and own DLL are signed, but the TAK DLL isn't. So, by replacing the DLL, it is possible to have a trusted, signed application (which might be subject to less scrutiny from malware scanners perhaps?) run untrusted, unsigned code.

Or maybe not?
Music: sounds arranged such that they construct feelings.

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #6
I just sent an email to the author of Mp3tag asking him for clarification.

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #7
Thanks to the author of Mp3tag for the quick reply!

It was actually possible DLL side-loading by Mp3tag. There is no evidence that an error was triggered in tak_deco_lib.dll.

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #8
The issue was that Mp3tag automatically did load a tak_deco_lib.dll located in the program directory and - iff

1. modified by a malicious third party and
2. distributed via a modified archive and
3. installed by a trusting user

could then execute problematic code. At no point was the official setup compromised.

The current version of Mp3tag no longer has any dependencies on this DLL, i.e. it is no longer loaded when Mp3tag is started. This was possible because I have implemented everything I need for TAK myself.

So it was not the tak_deco_lib.dll by TBeck, but only a DLL with the name of this DLL. Ultimately, all programs that link to a DLL and load it automatically are theoretically affected. In the meantime, I had taken a detour via manual checking of the file hash and subsequent LoadLibrary (cf. the quote from the changelog above), but then ended up with my own solution (thanks for the .pas file in the TAK SDK with the good documentation of the format!).

TL;DR: It had nothing to do with TAK, but the attacker chose to modify the tak_deco_lib.dll to load malicious code when this DLL was loaded into memory.
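
The "manual checking of the file hash and subsequent LoadLibrary" detour mentioned above (and in the 3.26e changelog line quoted in Reply #5) is worth seeing in code. The block below is an added example written for this thread, not Mp3tag's own source: the pin table, the file name, the digest and the sample bytes are all constructed for the demo, and the real Win32 loader is swapped for a recording stub so the scenario runs on any platform. The hardened idea is the same regardless of language: resolve the full path inside the application directory, hash the file, compare against a digest pinned at build time, and only then hand that full path to LoadLibrary/dlopen, never a bare file name that the loader resolves through its search order (the application's own directory is searched before the system directories, which is exactly what a dropped look-alike DLL relies on).

```python
"""Hash-pinned library loading (added example, not Mp3tag's code).

Vulnerable pattern (Win32 C): LoadLibraryW(L"tak_deco_lib.dll") - the loader
searches the application directory before the system directories, so whatever
file of that name sits beside the executable is mapped and its DllMain runs.

Hardened pattern shown here: resolve the full path inside the application
directory, hash the file, compare against a pinned digest, then load by path.
"""
import ctypes
import hashlib
import hmac
import os
import sys
import tempfile

# Hypothetical pin table. A real build embeds the SHA-256 of the exact library
# release it ships. The value here is the digest of the constructed sample
# bytes written by demo() below (b"abc"), not of any real DLL.
PINNED_SHA256 = {
    "tak_deco_lib.dll":
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}


class UntrustedLibraryError(RuntimeError):
    """Raised when a library is missing, has no pin, or does not match its pin."""


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verified_library_path(app_dir, name):
    """Return the full path of `name` under app_dir if its digest matches the
    pin; raise UntrustedLibraryError otherwise. Handing the loader a full path
    removes the search-order ambiguity of a bare LoadLibrary(name)."""
    expected = PINNED_SHA256.get(name)
    if expected is None:
        raise UntrustedLibraryError(f"no pinned digest for {name}")
    path = os.path.join(app_dir, name)
    if not os.path.isfile(path):
        raise UntrustedLibraryError(f"{path} is missing")
    actual = sha256_file(path)
    # Constant-time comparison of two equal-length hex strings.
    if not hmac.compare_digest(actual, expected):
        raise UntrustedLibraryError(f"{path}: digest {actual} != pinned {expected}")
    return path


def load_verified(app_dir, name, loader=None):
    """Check the hash, then load by full path. On Windows ctypes.WinDLL maps the
    file via LoadLibrary; elsewhere ctypes.CDLL uses dlopen. Caveat: the check
    and the load are two separate file opens, so a writer racing between them
    (TOCTOU) is not excluded. Removing the dependency entirely, as the thread
    says the developer eventually did, is stronger than any check-then-load."""
    path = verified_library_path(app_dir, name)
    if loader is None:
        loader = ctypes.WinDLL if sys.platform == "win32" else ctypes.CDLL
    return loader(path)


def demo():
    """Constructed scenario with stand-in files, not real Mp3tag binaries: a
    'genuine' file whose bytes hash to the pin, then the same file with one
    byte appended, standing in for a tampered copy under the same name."""
    loaded = []

    def recording_loader(path):
        # Stand-in for ctypes.WinDLL: records the path instead of mapping it,
        # so the demo runs anywhere without needing a real shared library.
        loaded.append(path)
        return path

    results = {}
    name = "tak_deco_lib.dll"
    with tempfile.TemporaryDirectory() as app_dir:
        lib = os.path.join(app_dir, name)
        with open(lib, "wb") as f:
            f.write(b"abc")  # constructed genuine content (matches the pin)
        results["genuine"] = load_verified(app_dir, name, recording_loader) == lib

        with open(lib, "ab") as f:
            f.write(b"!")  # simulated tampering: same name, different bytes
        try:
            load_verified(app_dir, name, recording_loader)
            results["tampered"] = "loaded"
        except UntrustedLibraryError:
            results["tampered"] = "refused"
    results["loads"] = len(loaded)  # only the genuine file reached the loader
    return results


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome for both files: the genuine copy is loaded once, the tampered copy is refused before it is ever mapped. In a real C/C++ build the same check would sit in front of LoadLibraryExW called with the resolved full path; a code-signing check (WinVerifyTrust) can replace the hash pin when the vendor of the library signs it, but for an unsigned third-party DLL a pinned digest is what is available.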

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #9
Many thanks!

Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #10
Yeah, even if "a fake malicious tak_deco_lib.dll" should make it clear that it isn't the real thing, I would have explained it better to non-technical users by writing e.g. "a fake malicious .dll and named it tak_deco_lib.dll".

But in any case we now know that you do not need to be a world-dominating codec for this to happen. TAK is apparently big enough.

@Florian : Anything that indicates that this was more than a "look what I can do!" proof of concept?


Re: In the wild (from illicit source): Mp3tag with malicious fake TAK lib

Reply #11
Quote
But in any case we now know that you do not need to be a world-dominating codec for this to happen. TAK is apparently big enough.
This issue might not be directly related to the codec at all. It could have happened with any DLL that Mp3tag (or any program) automatically loads.

Quote
Anything that indicates that this was more than a "look what I can do!" proof of concept?
I've asked the person who initially reported the issue for more information on and sources of those malicious archives but haven't received any concrete leads. However, I did notice during that timeframe that the official Mp3tag.exe was more frequently included in archives or installers flagged as malicious (see "Execution Parents" in this VirusTotal report).
In the long term, this can negatively impact a file's reputation with virus scanners, so it's not something I can ignore — even if it was just a proof of concept.

Unfortunately, all this didn't prevent another follow-up issue: the MalwareBytes AI scanner is apparently fed by CVE data and decided to quarantine tak_deco_lib.dll files (which were valid and unmodified) of MalwareBytes users over the course of two days. This turned into another time sink and a weekend lost to answering emails of concerned users, who thought that they suddenly have a trojan hidden in their existing Mp3tag installation — which was working just fine up to that point. Eventually, they corrected the false positive and all went back to normal.