
Dragon Breath Malware: How RONINGLOADER Disables Security Tools to Deploy Gh0st RAT

The threat actor known as Dragon Breath has been noted for using a multi-stage loader called RONINGLOADER to deploy a modified variant of the remote access trojan named Gh0st RAT. This campaign primarily targets Chinese-speaking users and utilizes trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams, as revealed by Elastic Security Labs.

According to security researchers Jia Yu Chan and Salim Bitam, the infection chain involves multiple delivery stages employing various evasion techniques to neutralize popular endpoint security products in the Chinese market. The methods include using a legitimately signed driver, deploying custom Windows Defender Application Control (WDAC) policies, and exploiting Microsoft Defender binaries.

Known by aliases such as APT-Q-27 and Golden Eye, Dragon Breath was highlighted in May 2023 for using double-dip DLL side-loading against users in several regions, including the Philippines and Japan. This group has been active since at least 2020 and is linked to a larger Chinese-speaking entity known as Miuuti Group, which often attacks the online gaming and gambling sectors.

In its recent campaign, malicious NSIS installers posing as trusted applications launch two embedded NSIS installers: one benign installer that sets up the legitimate software, and another that starts the attack chain. The malicious installer drops a DLL and an encrypted file; the DLL reads and decrypts that file to recover shellcode, which then loads another binary into memory.

RONINGLOADER sets out to defeat user-level security controls by loading a fresh copy of ntdll.dll and elevating its privileges. It scans running processes for well-known antivirus solutions, including Microsoft Defender and regional antivirus programs such as Qihoo 360, and terminates any it identifies so the malware can operate unhindered.

For instance, if it encounters any processes related to Qihoo 360, it takes specific steps: changing firewall settings to block all network communication, injecting shellcode into the Volume Shadow Copy (VSS) service, and using a signed driver for terminating processes.

After neutralizing security measures, RONINGLOADER executes batch scripts to bypass User Account Control (UAC) and modify firewall rules related to Qihoo 360. It also employs sophisticated techniques to disable Microsoft Defender and manipulate WDAC policies to block Chinese security vendors.

The ultimate goal of RONINGLOADER is to inject a rogue DLL into the legitimate Windows executable "regsvr32.exe," hiding its activities while executing a modified Gh0st RAT. This trojan is capable of communicating with a remote server to receive further instructions, configure Windows Registry keys, clear Event logs, execute files, and collect sensitive data, such as keystrokes and clipboard content.
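A defender-side illustration, added here and not taken from the original report or from Elastic's research: three simple detections run over constructed process-creation records that mirror behaviours described above (regsvr32.exe registering a DLL from a non-system path, a firewall block rule aimed at a 360 component, and event-log clearing). The field names, file paths and the choice of netsh and wevtutil as the concrete commands are assumptions, not details from the report.

```python
import re

# Constructed sample process-creation records (not real telemetry). Field
# names "image" and "cmdline" and all paths are assumptions for this example.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\Public\Music\update.dll"'},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="x" dir=out '
                r'action=block program="C:\Program Files\360\360Tray.exe"'},
    {"image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil cl Security"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Windows\System32\legit.dll"'},
]

# Locations from which regsvr32 normally registers DLLs; anything else is suspect.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

def regsvr32_nonstandard_dll(ev):
    """regsvr32.exe handed a DLL that lives outside the usual system paths."""
    if not ev["image"].lower().endswith(r"\regsvr32.exe"):
        return None
    m = re.search(r'"?([a-z]:\\[^"]+\.dll)"?', ev["cmdline"], re.I)
    if m and not m.group(1).lower().startswith(SYSTEM_DIRS):
        return "regsvr32 loading DLL from non-system path: " + m.group(1)
    return None

def firewall_block_security_product(ev):
    """netsh adding an outbound block rule whose target mentions a 360 product."""
    c = ev["cmdline"].lower()
    if (ev["image"].lower().endswith(r"\netsh.exe") and "advfirewall" in c
            and "action=block" in c and "360" in c):
        return "netsh block rule targeting a 360 component"
    return None

def event_log_cleared(ev):
    """wevtutil used to clear an event log (cl / clear-log)."""
    c = ev["cmdline"].lower()
    if ev["image"].lower().endswith(r"\wevtutil.exe") and re.search(r"\bcl\b|clear-log", c):
        return "event log cleared via wevtutil"
    return None

RULES = (regsvr32_nonstandard_dll, firewall_block_security_product, event_log_cleared)

def detect(events):
    """Return (rule name, message) for every record that trips a rule."""
    return [(rule.__name__, msg) for ev in events for rule in RULES if (msg := rule(ev))]

if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

The legitimate fourth record (a DLL under System32) produces no alert, which is the baseline these rules are meant to leave quiet.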

Broader trends have emerged, as Palo Alto Networks’ Unit 42 identified interconnected malware campaigns that utilized large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. The initial campaign involved impersonating applications like i4tools, while a subsequent more advanced campaign aimed at over 40 applications across more than 2,000 domains, deploying complex, multi-stage infection chains.

This dual approach likely reflects an effort to use both older and newer infrastructure, maximizing operational effectiveness while testing different attack methods on different audiences.
