Dragon Breath APT uses double-dip DLL sideloading strategy

An APT group tracked as Dragon Breath has been observed employing a new DLL sideloading technique.

Sophos researchers observed an APT group, tracked as Dragon Breath (aka APT-Q-27 and Golden Eye), that is using a new DLL sideloading technique that adds complexity and layers to the execution of the classic DLL sideloading.

The attack consists of a clean application, which acts as a malicious loader, and an encrypted payload. The experts observed various modifications of components over time. In the latest campaigns, a first-stage clean application “side”loads a second clean application and auto-executes it. Then the second clean application sideloads the malicious loader DLL that executes the final payload.

The threat actor has been active since 2020, it was first detailed by QiAnXin in 2020. The group is believed to be focused on organizations in the online-gambling industries and their customers. Most of the victims are Chinese-speaking Windows users engaged in online gambling, the APT group relies on Telegram to distribute the malware.

The experts also observed targets in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.

Sophos discovered a web site (telegramos[.]org) that claims to deliver Chinese-language versions of the Telegram application for Android, iOS, and Windows. The researchers noticed occasionally, but not consistently, the site ignored the OS choices of the visitors.

“This is the site from which the affected user is thought to have downloaded the package that caused the infection. How the user first encountered the site, whether through phishing or SEO poisoning or some other method, is beyond the scope of this investigation.” reads the report published by the security firm. “The sideloading components and the startup link are only created when the desktop Telegram link is executed.”

Upon opening the installer for the Telegram app, it creates a desktop shortcut that executes an unusual command that leads to the loading of malicious components while displaying to the victim the expected Telegram desktop UI, mostly in Chinese.

The malicious code maintains persistence by creating a shortcut file in the user’s startup directory.

The experts observed more first-stage variations using LetsVPN and WhatsApp installers.

The experts noticed that the attackers used different second-stage clean loaders for various attacks they have detected, however, the second-stage malicious loader and the final payload files are essentially the same,

The payloads support common backdoor capabilities such as downloading and executing files, running arbitrary commands clearing event logs, and extracting and setting clipboard content. The malware is also able to steal cryptocurrency from the MetaMask crypto (Ethereum) wallet extension for Google Chrome.

“DLL sideloading, first identified in Windows products in 2010 but prevalent across multiple platforms, continues to be an effective and appealing tactic for threat actors.” concludes the post. “This double-clean-app technique employed by the Dragon Breath group, targeting a user sector (online gambling) that has traditionally been less scrutinized by security researchers, represents the continued vitality of this approach.”

We are in the final!

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections where is reported Securityaffairs or my name Pierluigi Paganini

Please nominate Security Affairs as your favorite blog.

Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, DLL sideloading)