The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT.
The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate like Google Chrome and Microsoft Teams, according to Elastic Security Labs.
“The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market,” security researchers Jia Yu Chan and Salim Bitam said. “These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse.”
Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 in connection with a campaign that leveraged a technique called double-dip DLL side-loading in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.
The hacking group, assessed to be active since at least 2020, is linked to a larger Chinese-speaking entity tracked as Miuuti Group that’s known for attacking the online gaming and gambling industries.
In the latest campaign documented by Elastic Security Labs, the malicious NSIS installers for trusted applications act as a launchpad for two more embedded NSIS installers, one of which (“letsvpnlatest.exe”) is benign and installs the legitimate software. The second NSIS binary (“Snieoatwtregoable.exe”) is responsible for stealthily triggering the attack chain.
This involves delivering a DLL and an encrypted file (“tp.png”), with the former used to read the contents of the supposed PNG image and extract shellcode designed to launch another binary in memory.
RONINGLOADER, besides attempting to remove any userland hooks by loading a fresh new “ntdll.dll,” tries to elevate its privileges by using the runas command and scans a list of running processes for hard-coded antivirus-related solutions, such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.
The malware then proceeds to terminate those identified processes. In the event the identified process is associated with Qihoo 360 Total Security (e.g., “360tray.exe,” “360Safe.exe,” or “ZhuDongFangYu.exe”), it takes a different approach. This step involves the following sequence of actions –
- Block all network communication by changing the firewall
- Inject shellcode into the process (vssvc.exe) associated with the Volume Shadow Copy (VSS) service, but not before granting itself the SeDebugPrivilege token
- Start the VSS service and get its process ID
- Inject shellcode into the VSS service process using the technique called PoolParty
- Load and make use of a signed driver named “ollama.sys” to terminate the three processes by means of a…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
