Dragon Breath APT group leverages Double DLL Sideloading

May 19, 2023

Dragon Breath, an APT group also tracked as Golden Eye Dog and APT-Q-27, has run a new campaign that chains several DLL sideloading techniques to evade security detection.

According to the reports, the operators lure victims with trojanised installers of popular applications such as Telegram, WhatsApp and LetsVPN, presented as versions customised for Chinese-speaking users. Researchers say the actors promote these installers through malvertising and black-hat SEO (BlackSEO).

 

Dragon Breath APT operators abuse legitimate applications to carry out their sideloading chain.

 

The initial vector is a legitimate application such as Telegram that sideloads a malicious DLL. That first-stage DLL then sets up a second sideload: another clean application is made to load a malicious DLL loader, which runs the final malicious code.

The group's primary objective is cryptocurrency theft, and the final payload was the same across the samples analysed; only the clean applications used to sideload it varied.

In the next phase, the first-stage component writes into a single directory a clean second-stage loader (a different legitimate application in different samples) together with a malicious DLL that carries the name of a library that loader imports. This is a classic DLL sideloading setup: for libraries not on the KnownDLLs list, Windows resolves the DLL from the application's own directory before the system directories, so the malicious copy is loaded.

The second-stage DLL is a malicious file with the same name as the legitimate library it replaces. Once loaded, it decrypts the next payload from a file named template.txt in the same directory.
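A hunting check for the two-step sideload described above, written as an added example rather than code from the article or the research it summarises. It runs over constructed Sysmon Event ID 7 style records (process Image plus ImageLoaded path) and flags loads where a DLL carrying a well-known Windows system library name is resolved from outside the system directories; the watch list, directory paths and file names are assumptions for the sample only.

```python
"""Hunt for DLL sideloading in image-load telemetry.

Added example, not code from the article or from the research it
summarises. It works on constructed Sysmon Event ID 7 style records
(process Image plus ImageLoaded path) and flags loads where a DLL with a
well-known Windows system library name is resolved from outside the system
directories. Grouping the hits by process makes a double-sideload chain
(clean EXE -> rogue DLL, then a second clean EXE -> rogue DLL) visible.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed watch list: a small subset of system DLL names frequently abused
# for sideloading. A real hunt would baseline this from the environment.
WATCHED_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "msimg32.dll"}

SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)


def in_system_dir(path: str) -> bool:
    """True if the path sits under one of the trusted system directories."""
    return any(d in PureWindowsPath(path).parents for d in SYSTEM_DIRS)


def find_sideloads(records):
    """Return the records that look like a sideloaded system DLL.

    Each hit carries `same_dir`, True when the DLL was loaded from the
    loading executable's own directory, the classic sideloading layout.
    """
    hits = []
    for rec in records:
        exe = PureWindowsPath(rec["Image"])
        dll = PureWindowsPath(rec["ImageLoaded"])
        if dll.name.lower() in WATCHED_DLLS and not in_system_dir(rec["ImageLoaded"]):
            hits.append({
                "process": rec["Image"],
                "dll": rec["ImageLoaded"],
                "same_dir": dll.parent == exe.parent,
            })
    return hits


def chains_by_process(hits):
    """Group flagged DLLs by the executable that loaded them."""
    chains = defaultdict(list)
    for h in hits:
        chains[h["process"]].append(h["dll"])
    return dict(chains)


# Constructed sample telemetry; paths and file names are illustrative only.
SAMPLE_RECORDS = [
    {"Image": r"C:\Users\victim\Downloads\Telegram\Telegram.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Telegram\version.dll"},
    {"Image": r"C:\Users\victim\Downloads\Telegram\Telegram.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\ProgramData\stage2\clean_app.exe",
     "ImageLoaded": r"C:\ProgramData\stage2\dbghelp.dll"},
    {"Image": r"C:\Program Files\Vendor\vendor.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\version.dll"},
]

if __name__ == "__main__":
    for proc, dlls in chains_by_process(find_sideloads(SAMPLE_RECORDS)).items():
        print(f"{proc} sideloaded: {', '.join(dlls)}")
```

On the constructed sample, the Telegram load of version.dll and the second-stage load of dbghelp.dll are flagged, both from the loader's own directory, while the loads from System32 and SysWOW64 pass. In practice the watch list should be built from the environment's own baseline, and the `same_dir` flag is what separates a sideload from an application legitimately shipping its own copy of a library elsewhere.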

The payload is protected with a simple per-byte combination of XOR and SUB. The decrypted content is loader shellcode that decompresses the final payload; the execution log shows this decompression step. The shellcode then loads and runs the final payload DLL, completing the chain.
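The unpacking step above, as an added example that is not the malware's code or the article's. The page says only that the payload is protected by a per-byte mix of XOR and SUB and then decompressed; the key values, the order (XOR first, then SUB), the use of zlib for the compression layer and the sample bytes are all assumptions made so the routine runs end to end. Because the scheme is so weak, the block also shows how an analyst can brute-force single-byte keys straight from the blob by looking for a valid compressed stream.

```python
"""Decrypt and unpack a template.txt-style payload blob.

Added example, not the malware's code or the article's. The page states
only that the payload is protected by a per-byte mix of XOR and SUB and
then decompressed; the key values, the order (XOR first, then SUB), the
use of zlib for compression, and the sample bytes below are all
assumptions made so the routine can be run end to end.
"""
import zlib


def xor_sub_decrypt(data: bytes, xor_key: bytes, sub_key: int) -> bytes:
    """Per byte: XOR with the repeating key, then subtract sub_key mod 256."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = ((b ^ xor_key[i % len(xor_key)]) - sub_key) & 0xFF
    return bytes(out)


def xor_sub_encrypt(data: bytes, xor_key: bytes, sub_key: int) -> bytes:
    """Inverse of xor_sub_decrypt, used here only to build the sample blob."""
    out = bytearray(len(data))
    for i, b in enumerate(data):
        out[i] = ((b + sub_key) & 0xFF) ^ xor_key[i % len(xor_key)]
    return bytes(out)


def unpack_payload(blob: bytes, xor_key: bytes, sub_key: int) -> bytes:
    """Decrypt, decompress and sanity-check that the result looks like a PE."""
    payload = zlib.decompress(xor_sub_decrypt(blob, xor_key, sub_key))
    if not payload.startswith(b"MZ"):
        raise ValueError("decompressed data does not start with an MZ header")
    return payload


ZLIB_SECOND_BYTES = {0x01, 0x5E, 0x9C, 0xDA}  # valid FLG bytes after CMF 0x78


def recover_single_byte_keys(blob: bytes):
    """Brute-force a single-byte XOR key and SUB constant (assumed key sizes).

    Cheap filter first: the two leading bytes must decrypt to a zlib header;
    only then attempt a full decrypt and decompress. Returns (xor_key, sub_key)
    or None if no single-byte pair yields a valid stream.
    """
    c0, c1 = blob[0], blob[1]
    for x in range(256):
        for s in range(256):
            if ((c0 ^ x) - s) & 0xFF != 0x78:
                continue
            if ((c1 ^ x) - s) & 0xFF not in ZLIB_SECOND_BYTES:
                continue
            try:
                unpack_payload(blob, bytes([x]), s)
            except (zlib.error, ValueError):
                continue
            return bytes([x]), s
    return None


# Constructed stand-in for the final DLL: an MZ header followed by filler,
# not a real PE image. Keys are arbitrary sample values.
FAKE_DLL = b"MZ" + b"\x90" * 64 + b"constructed sample, not a real PE image"
XOR_KEY = b"\x5a"
SUB_KEY = 0x21
TEMPLATE_TXT = xor_sub_encrypt(zlib.compress(FAKE_DLL), XOR_KEY, SUB_KEY)

if __name__ == "__main__":
    keys = recover_single_byte_keys(TEMPLATE_TXT)
    print("recovered keys:", keys)
    print("payload header:", unpack_payload(TEMPLATE_TXT, *keys)[:2])
```

The brute force costs at most 65,536 cheap header checks plus a handful of decompress attempts, which is why this class of obfuscation does not survive contact with an analyst: the zlib header and checksum act as a key oracle. If a real sample uses a multi-byte key or a different compressor, the same approach works with the search space and header check adjusted accordingly.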

DLL sideloading is an effective tactic that many threat groups have adopted. Although it has been documented for well over a decade, the technique has gained renewed prominence recently.

The Dragon Breath group is expected to keep using this double sideloading technique against the online gambling industry, a sector that security researchers tend to prioritise less.
