
Dragon Breath APT Uses Double DLL Sideloading Tactic

An APT hacking group known as "Dragon Breath," "Golden Eye Dog," or "APT-Q-27" is demonstrating a new trend of using several complex variations of the classic DLL sideloading technique to evade detection, as spotted by experts at Sophos.

The group is believed to specialize in the online-gambling space and its participants. The actors favored this two-clean-apps scenario so much that they used multiple variants of it, in which the second-stage application is swapped out for other clean applications.

Laying the bait

The attackers entice victims by offering trojanized versions of popular applications such as Telegram, LetsVPN, or WhatsApp for Android, iOS, or Windows, claiming that they are customized for individuals in China. These compromised applications are believed to be advertised through BlackSEO or malvertising techniques.

Attack strategy

Dragon Breath's attack strategy uses a legitimate application, often Telegram, as the initial vector: it sideloads a second-stage payload, which may itself be benign, and that payload in turn sideloads a malicious DLL loader that executes the malicious code.

Who is impacted?

The group's targeting strategy is primarily aimed at Chinese-speaking Windows users situated in countries such as China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

Coming to the DLL sideloading part

The ultimate objective of the APT group's attacks is to steal cryptocurrency wallets, and the payloads used in them remained relatively consistent throughout the investigation.
  • In the second stage of the attack, whichever clean second-stage loader was employed called a particular DLL, which the attackers had placed in the same directory, using the classic DLL sideloading method.
  • This DLL was a malicious version with the same name as the legitimate one. It then loaded the payload from the file "template.txt" and decrypted it.

Encryption and dropping the final payload

  • The encryption used for the payload was a simple combination of bytewise SUB and XOR. The decrypted content was a loader shellcode that decompressed and executed the final payload; the process execution log shows the decompression of the final payload taking place.
  • The shellcode then loaded the final payload DLL into memory and executed it, completing the attack.
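The SUB/XOR layer described above is simple enough that an analyst can strip it without the actor's loader. The helper below is an added example, not Sophos' or the group's code: the key bytes, the SUB-then-XOR order and the assumed known-plaintext prefix (a common x64 shellcode stack-alignment prologue) are all constructed for this example, and recovery works by trying every single-byte key pair against that prefix.

```python
# Added analyst helper for a bytewise SUB+XOR blob like "template.txt".
# Assumptions (constructed, not from the Sophos write-up): encryption is
# enc(b) = ((b - sub) & 0xFF) ^ xor, and the decrypted loader begins with
# a known prologue the analyst can use as known plaintext.
from itertools import product


def sub_xor_decrypt(blob: bytes, sub_key: int, xor_key: int) -> bytes:
    """Undo enc(b) = ((b - sub_key) & 0xFF) ^ xor_key for every byte."""
    return bytes(((c ^ xor_key) + sub_key) & 0xFF for c in blob)


def sub_xor_encrypt(data: bytes, sub_key: int, xor_key: int) -> bytes:
    """Reference encryptor; only used here to build the constructed sample."""
    return bytes(((b - sub_key) & 0xFF) ^ xor_key for b in data)


def recover_keys(blob: bytes, known_prefix: bytes) -> list[tuple[int, int]]:
    """Try all 65536 (sub, xor) pairs; keep those whose decryption of the
    leading bytes equals known_prefix. Note that (s, x) and (s + 128, x ^ 0x80)
    always produce the identical byte mapping (subtracting 128 mod 256 just
    flips the top bit), so a genuine key shows up as two equivalent hits."""
    head = blob[: len(known_prefix)]
    return [
        (s, x)
        for s, x in product(range(256), repeat=2)
        if sub_xor_decrypt(head, s, x) == known_prefix
    ]


def canonical_keys(hits: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Collapse each (s, x) / (s + 128, x ^ 0x80) pair to the s < 128 form."""
    return sorted({(s % 128, x ^ (0x80 if s >= 128 else 0)) for s, x in hits})


# Constructed sample, not a real Dragon Breath artifact.
KNOWN_PREFIX = b"\xfc\x48\x83\xe4\xf0"  # cld; and rsp, -16 (assumed prologue)
SAMPLE_PLAIN = KNOWN_PREFIX + b"<constructed loader stand-in>"
SAMPLE_SUB, SAMPLE_XOR = 0x37, 0x5A  # constructed key bytes
SAMPLE_BLOB = sub_xor_encrypt(SAMPLE_PLAIN, SAMPLE_SUB, SAMPLE_XOR)

if __name__ == "__main__":
    for s, x in canonical_keys(recover_keys(SAMPLE_BLOB, KNOWN_PREFIX)):
        print(f"sub=0x{s:02x} xor=0x{x:02x} ->", sub_xor_decrypt(SAMPLE_BLOB, s, x))
```

Against a real blob, replace SAMPLE_BLOB with the file contents and KNOWN_PREFIX with whatever leading bytes the analysis supports; a blob that yields no hit means the scheme or the prefix assumption is wrong, not that the key space was exhausted.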

The bottom line

The use of DLL sideloading has remained a successful and attractive strategy for threat actors, despite being first discovered in Windows products in 2010 and being prevalent across various platforms. The Dragon Breath group's use of the double-clean-app technique, which targets the online gambling industry, an area that security researchers have historically scrutinized less, demonstrates the continued efficacy of this approach.
Cyware Publisher
