The Dragon Breath APT group, known for targeting the online gaming and gambling industries, has added a new layer of complexity to its attacks by adopting a novel DLL side-loading mechanism. This highly effective double-dip DLL side-loading strategy has been observed in campaigns against users in several Asian countries. Let's explore this intriguing technique and how it's being employed by the Dragon Breath group.
The Double-Clean-App Technique:
The double-dip DLL side-loading strategy employed by Dragon Breath involves a first-stage clean application that side-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL, which then executes the final payload. This technique is aimed at evading detection and allows the payload to function as a backdoor for various malicious activities.
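The chain described above leaves a recognisable shape in endpoint telemetry: a clean, signed process launched from a user-writable path spawns a second clean, signed process that then loads an unsigned DLL from its own directory. The following detection sketch is an added example, not code from the original post or from the Sophos research it summarises; it assumes simplified Sysmon-style ProcessCreate and ImageLoad records with a precomputed `signed` flag, and the sample events are constructed.

```python
"""Flag the double-clean-app side-loading chain in simplified Sysmon-style events."""
import ntpath

# Paths where a DLL sitting next to its EXE is expected (heuristic, adjust per estate).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_sideload(image: str, dll: str) -> bool:
    """True when a DLL is loaded from the process's own directory outside trusted paths."""
    image_dir = ntpath.dirname(image.lower())
    dll_dir = ntpath.dirname(dll.lower())
    return image_dir == dll_dir and not dll_dir.startswith(TRUSTED_DIRS)

def find_double_clean_chains(events):
    """Return (parent_exe, child_exe, dll) for every signed parent outside trusted
    paths whose signed child side-loads an unsigned DLL from its own directory."""
    image_of, signed, parent_of, hits = {}, {}, {}, []
    for ev in events:
        if ev["type"] == "process_create":
            image_of[ev["pid"]] = ev["image"]
            signed[ev["pid"]] = ev["signed"]
            parent_of[ev["pid"]] = ev["ppid"]
        elif ev["type"] == "image_load":
            pid, ppid = ev["pid"], parent_of.get(ev["pid"])
            if ev["signed"] or pid not in image_of or ppid not in image_of:
                continue
            if not is_sideload(image_of[pid], ev["image"]):
                continue
            parent_untrusted = not image_of[ppid].lower().startswith(TRUSTED_DIRS)
            if signed[pid] and signed[ppid] and parent_untrusted:
                hits.append((image_of[ppid], image_of[pid], ev["image"]))
    return hits

# Constructed sample telemetry: explorer launches a stage-1 clean app from a temp folder,
# which launches a stage-2 clean app that loads an unsigned DLL from its own folder.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "signed": True},
    {"type": "process_create", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\stage1\clean1.exe", "signed": True},
    {"type": "process_create", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\stage2\clean2.exe", "signed": True},
    {"type": "image_load", "pid": 300, "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "image_load", "pid": 300, "image": r"C:\Users\u\AppData\Local\Temp\stage2\loader.dll", "signed": False},
]

if __name__ == "__main__":
    for parent, child, dll in find_double_clean_chains(SAMPLE_EVENTS):
        print(f"double-clean-app chain: {parent} -> {child} side-loads {dll}")
```

The legitimate kernel32.dll load is ignored because it comes from a trusted path, while the unsigned DLL beside the second clean executable is reported together with both stages of the chain.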
The Attack Vector:
Dragon Breath initially uses fake websites hosting trojanized installers for popular applications like Telegram, LetsVPN, and WhatsApp. When users download and open these installers, a desktop shortcut is created, which loads malicious components while displaying the application's user interface. This sophisticated method allows the group to infiltrate systems without raising suspicion.
Payload Capabilities:
The final payload is a versatile backdoor that allows the attackers to perform a range of malicious activities, including downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.
The Dragon Breath APT group's innovative double-clean-app technique demonstrates the continued vitality of DLL side-loading in the world of cyber attacks. The group's ability to target a user sector that has been traditionally less scrutinized by security researchers highlights the need for constant vigilance and robust cybersecurity measures in every industry.
Summary
The Dragon Breath APT group has adopted a novel DLL side-loading mechanism, the double-clean-app technique, to target the gambling industry. This highly effective strategy involves using trojanized installers for popular applications and a two-stage clean application process to evade detection and execute malicious payloads.
Key Terms and Definitions:
Side-loading DLLs: A technique used by attackers to load malicious Dynamic Link Library (DLL) files into legitimate processes, allowing them to execute malicious code and evade detection.
Logs: Records of events, usually related to computer systems, that can be used to monitor, analyze, and troubleshoot issues. In the context of cyber attacks, clearing event logs is a way for attackers to hide their activities.
Advanced Persistent Threat (APT): A cyber attack in which a threat actor gains unauthorized access to a network and remains undetected for an extended period, typically to steal sensitive data or cause damage.
Dragon Breath: An APT group, also known as APT-Q-27 and Golden Eye, targeting the online gaming and gambling industries. They are believed to be part of the larger Miuuti Group, a Chinese-speaking entity, and associated with other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka.
Double-Clean-App Technique: A novel DLL side-loading mechanism used by Dragon Breath, which involves a first-stage clean application side-loading a second clean application, which then side-loads the malicious loader DLL, evading detection and executing the final payload.
What other industries might be vulnerable to similar innovative hacking techniques, and how can they strengthen their cybersecurity measures?