DLL side-loading remains a popular technique among malware developers because the malicious code runs inside a legitimate program's process, which gives it considerable potential to evade detection. This problem can be approached in a number of ways. Organizations may find application whitelisting, together with using group policy to prevent unprivileged users from installing software, useful in mitigating this threat. EDR and SIEM tools also provide very valuable insight into anomalous software installations and executions in an organization's environment. From a software development standpoint, Microsoft has a very useful article describing best practices for software that loads DLL files: https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
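As an added illustration of the kind of check an EDR or SIEM rule can run (this is not code from the original article), the Python example below flags image-load events in which a process loads a DLL without a valid signature from its own directory, when that directory is user-writable. It assumes events exported with Sysmon Event ID 7 (ImageLoad) field names; the sample events, paths and the list of user-writable locations are constructed for the example.

```python
from ntpath import dirname, normcase  # Windows path rules on any platform

# Path fragments treated as user-writable (assumption; tune per environment).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed sample events using Sysmon Event ID 7 (ImageLoad) field names.
# Signed / SignatureStatus describe the loaded module, not the process image.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\VendorTool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\VendorTool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update\VendorTool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\App\app.exe",
     "ImageLoaded": r"C:\ProgramData\App\plugin.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def is_user_writable(path):
    """True if the path sits under a location ordinary users can write to."""
    lowered = normcase(path)
    return any(fragment in lowered for fragment in USER_WRITABLE)


def is_sideload_candidate(event):
    """Heuristic: DLL without a valid signature, loaded from the process's
    own directory, where that directory is user-writable."""
    image, dll = event["Image"], event["ImageLoaded"]
    same_dir = normcase(dirname(image)) == normcase(dirname(dll))
    trusted = event["Signed"] == "true" and event["SignatureStatus"] == "Valid"
    return (normcase(dll).endswith(".dll") and same_dir
            and is_user_writable(dll) and not trusted)


def find_candidates(events):
    """Return (process image, loaded DLL) pairs worth an analyst's review."""
    return [(e["Image"], e["ImageLoaded"])
            for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for image, dll in find_candidates(SAMPLE_EVENTS):
        print(f"review: {image} loaded {dll}")
```

A hit is a lead for triage rather than a verdict, since some legitimate per-user installers also ship unsigned DLLs beside their executables.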
Where the fileless version of LODEINFO is delivered via VBA scripts in Office documents, Windows has some mitigations in place by default, such as the Mark-of-the-Web security feature, which causes a warning to be displayed to the user upon opening an Office document containing macros. It is recommended that organizations review how Microsoft Office documents with VBA scripts are used in their environments and determine whether macros in Office documents can simply be disabled entirely via group policy.
https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/

