
Preface: The most common form of DLL hijacking is search-order hijacking. The attacker places a DLL with the expected file name in a directory that the Windows loader checks before the directory holding the legitimate copy (the application directory, or any directory on the search path that a low-privileged user can write to), so the process resolves the name to the attacker's file and loads it.
Because the process doing the loading is a trusted, often signed, application, security products may not flag the load or the code that then runs inside it as suspicious.
The malicious DLLs themselves tend to reuse a small set of well-known techniques, for example injecting into other processes, manipulating the registry for persistence, and so on.
Evasion Techniques:
Obfuscation: Code within the DLL is often obfuscated to avoid detection by security tools.
Steganography: Hiding malicious code within seemingly benign files.
Background: The NVIDIA NvContainer service ships with the NVIDIA graphics driver package and hosts a number of tasks, including telemetry collection, overlay management, and GPU scheduling. The name does not mean that Windows runs the service inside a container runtime such as Docker or Kubernetes; it refers to the way NVIDIA groups and manages its own services and processes within the driver package.
"Container" here describes how NVIDIA encapsulates its services so that they run independently of one another, not the use of a containerization technology.
Vulnerability details: According to NVIDIA's advisory, the NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL into a hard-coded path. A successful exploit might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. A hard-coded load path is the same class of problem as the search-order case in the preface: the loader looks for a DLL in a fixed location, so what matters is whether a low-privileged user can write to that location before the service (which runs with higher privileges) loads from it.
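The check a practitioner wants for both the search-order case in the preface and the hard-coded path in the advisory is the same: list every directory the service's binary could load a DLL from and flag the ones a non-admin principal can write to. The PowerShell script below is an added example and is not code from the original post or from NVIDIA. It assumes SafeDllSearchMode is enabled (the Windows default), uses the service name NvContainerLocalSystem only as a placeholder to replace with the service under review, and takes any hard-coded directory through -ExtraPaths, since the advisory does not name the path and none is assumed here.

```powershell
# Added example, not code from the original post or from NVIDIA.
# Walks the default Windows DLL search order for a service's binary and reports
# every directory that a low-privileged principal can write to, which is the
# precondition for the hijack described above. Directories outside the search
# order (e.g. a hard-coded load path from an advisory) can be added with -ExtraPaths.
# Assumptions: SafeDllSearchMode is on (the default); the default service name is a
# placeholder; run from an elevated prompt so every ACL can be read.
param(
    [string]   $ServiceName = 'NvContainerLocalSystem',   # placeholder, replace as needed
    [string[]] $ExtraPaths  = @()
)

# Groups that an ordinary, non-admin interactive user belongs to.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

function Test-LowPrivWrite {
    # Emits one object per Allow ACE that lets a low-privileged principal create or
    # replace a file in $Directory. Deny ACEs are not evaluated, so a hit is a lead
    # to confirm by creating a file there from a standard-user session.
    param([string]$Directory, [int]$Position)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL of $Directory"; return }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $r = [int]$ace.FileSystemRights
        # Bit 0 is WriteData/CreateFiles (also included in Write, Modify, FullControl).
        # 0x40000000 / 0x10000000 are GENERIC_WRITE / GENERIC_ALL, which appear
        # un-mapped on inherit-only ACEs.
        if (($r -band 1) -or ($r -band 0x40000000) -or ($r -band 0x10000000)) {
            [pscustomobject]@{
                Position  = $Position
                Directory = $Directory
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Resolve the binary from the Service Control Manager. PathName may be quoted and
# carry arguments (e.g. "C:\...\svc.exe" -s Name), so keep only the .exe part.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
if ($svc.PathName -match '^\s*"?(?<exe>[^"]+?\.exe)"?') { $exe = $Matches.exe }
else { throw "Cannot parse binary path from: $($svc.PathName)" }
$appDir = Split-Path -Parent $exe

# Default (SafeDllSearchMode) search order. A service's current directory and PATH
# come from the SCM's environment, so the interactive session's values used here
# are an approximation; the first four entries are exact.
$order = @(
    $appDir,                               # 1. application directory
    [Environment]::SystemDirectory,        # 2. System32
    (Join-Path $env:windir 'System'),      # 3. 16-bit system directory
    $env:windir,                           # 4. Windows directory
    (Get-Location).Path                    # 5. current directory
) + ($env:PATH -split ';' | Where-Object { $_ }) + $ExtraPaths   # 6. PATH, then extras

$seen = @{}
$position = 0
foreach ($dir in $order) {
    $position++
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $full = (Resolve-Path -LiteralPath $dir).Path
    if ($seen.ContainsKey($full.ToLower())) { continue }   # PATH often repeats entries
    $seen[$full.ToLower()] = $true
    Test-LowPrivWrite -Directory $full -Position $position
}
```

Run it as `.\Find-HijackableDirs.ps1 -ServiceName <service> -ExtraPaths 'C:\some\hard-coded\dir'` (the script name is whatever you save it as). An empty result means no low-privileged Allow ACE grants write access on any directory in the order; any row is a candidate for dropping a DLL that the service would load ahead of, or instead of, the legitimate one, and should be confirmed by actually trying to create a file there as a standard user. The ACL test is a static approximation: it ignores Deny ACEs and does not know which DLL names the service actually requests, so pair it with a Process Monitor capture of the service start-up filtered on NAME NOT FOUND results for .dll paths.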
Official announcement: Please see the official link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5644