An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding a new layer of complexity to its attacks by adopting a novel DLL side-loading mechanism.
“This attack is based on the classic side-loading attack, consisting of a clean app, a malicious loader, and an encrypted payload, with various modifications made to these components over time,” Sophos researcher Gabor Szappanos said.
“The latest campaign adds a twist where the first stage clean app ‘loads’ the second clean app and runs it automatically. The second clean app loads the malicious DLL loader. After that, the rogue DLL loader executes its final payload.”
Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, which detailed a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram.
Dragon Breath is also said to be part of a larger entity called the Miuuti Group, with the adversaries characterized as "Chinese-speaking" entities targeting the online gaming and gambling industry, alongside other Chinese activity groups such as Dragon Castling, Dragon Dance, and Earth Berberoka.
The double-dip DLL side-loading strategy, per Sophos, has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. The intrusion attempt was ultimately unsuccessful.
The initial vector was a fake website hosting an installer for Telegram which, when opened, created a desktop shortcut designed to load a malicious component behind the scenes when launched, while also displaying the user interface of the Telegram application to the victim.
What’s more, adversaries are believed to have devised various schemes where tampered installers for other apps, such as LetsVPN and WhatsApp, were used to initiate a chain of attacks.
The next stage involves using a second clean application as an intermediary to evade detection and load the final payload via malicious DLLs.
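As an added illustration, not part of Sophos' research or this article, the following Python sketch shows how a defender might hunt for this two-clean-app chain in Sysmon-style telemetry: a process running from a user-writable directory spawns a child from the same directory, and that child loads an unsigned DLL from that directory rather than from a system path. The event shapes, the trusted-directory list and the sample paths are constructed assumptions.

```python
"""Flag double-clean-app DLL side-loading chains in Sysmon-style events.

Event ID 1 = process create, Event ID 7 = image load (shapes are assumptions;
real Sysmon output carries more fields and different names).
"""
import ntpath  # handles Windows paths regardless of the analyst's host OS
from collections import defaultdict

# Directories from which a legitimately installed DLL is expected to load (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Constructed sample telemetry: a shortcut starts clean app 1 from a roaming profile
# directory, app 1 launches clean app 2 next to it, and app 2 loads an unsigned DLL
# from that same directory (where the loader's search order finds it before System32).
APP_DIR = r"C:\Users\victim\AppData\Roaming\Messenger"
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 40, "image": APP_DIR + r"\clean_app1.exe"},
    {"id": 1, "pid": 101, "ppid": 100, "image": APP_DIR + r"\clean_app2.exe"},
    {"id": 7, "pid": 101, "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"id": 7, "pid": 101, "loaded": APP_DIR + r"\helper.dll", "signed": False},
    # Benign: an installed product in Program Files launching its own signed updater.
    {"id": 1, "pid": 200, "ppid": 40, "image": r"C:\Program Files\Vendor\tool.exe"},
    {"id": 1, "pid": 201, "ppid": 200, "image": r"C:\Program Files\Vendor\updater.exe"},
    {"id": 7, "pid": 201, "loaded": r"C:\Program Files\Vendor\plugin.dll", "signed": True},
]


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under a directory where DLLs are expected to be installed."""
    return path.lower().startswith(TRUSTED_DIRS)


def find_double_sideload(events):
    """Return (app1, app2, dll) triples matching the chain described in the article."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    loads = defaultdict(list)
    for e in events:
        if e["id"] == 7:
            loads[e["pid"]].append(e)
    hits = []
    for pid, child in procs.items():
        parent = procs.get(child["ppid"])
        if parent is None:
            continue  # parent (e.g. explorer) not in our sample; nothing to correlate
        app1, app2 = parent["image"], child["image"]
        app_dir = ntpath.dirname(app2).lower()
        if in_trusted_dir(app1) or in_trusted_dir(app2):
            continue  # both stages must run outside trusted install locations
        if ntpath.dirname(app1).lower() != app_dir:
            continue  # the second clean app is dropped beside the first one
        for ld in loads[pid]:
            if ntpath.dirname(ld["loaded"]).lower() == app_dir and not ld["signed"]:
                hits.append((app1, app2, ld["loaded"]))
    return hits
```

Running `find_double_sideload(EVENTS)` returns only the roaming-profile chain; the Program Files pair is skipped because both binaries live in a trusted install location and the plug-in is signed.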
The payload acts as a backdoor capable of downloading and executing files, purging event logs, extracting and modifying clipboard content, executing arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.
“DLL sideloading, first identified in Windows products in 2010 but prevalent across platforms, continues to be an effective and attractive tactic for threat actors,” said Szappanos.
“This double-cleaning technique used by the Dragon Breath group, targeting a sector of users (online gambling) that has traditionally been under-researched by security researchers, represents the continued vitality of this approach.”