Dragon Breath APT Uses RONINGLOADER to Evade Security, Deploy Gh0st RAT Against Chinese Users

The Dragon Breath Advanced Persistent Threat (APT) group, also tracked as APT-Q-27 and Golden Eye, has been targeting Chinese-speaking users with a multi-stage loader named RONINGLOADER that delivers a modified variant of the Gh0st RAT malware.

Sophisticated Attack Mechanism

Dragon Breath’s recent campaign involves the use of trojanized Nullsoft Scriptable Install System (NSIS) installers that masquerade as legitimate applications such as Google Chrome and Microsoft Teams. These deceptive installers serve as the initial vector for a complex infection chain designed to circumvent endpoint security measures prevalent in the Chinese market.

Upon execution, the malicious NSIS installer launches two embedded NSIS installers. The first, named letsvpnlatest.exe, is benign and installs the legitimate software to maintain the illusion of authenticity. The second, Snieoatwtregoable.exe, silently starts the attack sequence.

Infection Chain and Evasion Techniques

The attack chain unfolds as follows:

1. DLL and Encrypted Payload Deployment: The second NSIS installer delivers a Dynamic Link Library (DLL) and an encrypted file disguised as tp.png. The DLL reads the contents of this file to extract shellcode, which is then executed in memory.

2. RONINGLOADER Activation: The extracted shellcode launches RONINGLOADER, a sophisticated loader designed to neutralize security defenses.

3. Security Tool Neutralization: RONINGLOADER employs several tactics to disable security tools:

– Userland Hook Removal: It loads a fresh instance of ntdll.dll to eliminate any userland hooks that might detect its presence.

– Privilege Escalation: Using the runas command, it attempts to elevate its privileges.

– Antivirus Process Termination: The loader scans for processes associated with popular antivirus solutions such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. Upon identification, it terminates these processes to prevent detection.

– Advanced Termination for Qihoo 360: For Qihoo 360 Total Security, RONINGLOADER uses a more involved sequence:

  – Firewall Manipulation: It blocks all network communication by altering firewall settings.

  – Privilege Preparation: It enables the SeDebugPrivilege for itself so that it can open and inject into a system process.

  – Service Manipulation and Shellcode Injection: It starts the Volume Shadow Copy Service (VSS), retrieves the process ID of vssvc.exe, and uses the PoolParty technique to inject shellcode into that process.

  – Driver Utilization: A signed driver named ollama.sys is loaded via a temporary service called xererre1 to terminate Qihoo 360 processes.

  – Firewall Restoration: After terminating the processes, it restores the firewall settings to their original state.

– Direct Termination for Other Security Processes: For other security tools, RONINGLOADER writes the driver to disk, creates a temporary service named ollama, loads the driver, terminates the processes, and then stops and deletes the service.

4. User Account Control (UAC) Bypass: With security processes neutralized, RONINGLOADER executes batch scripts to bypass UAC, allowing it to execute further actions without user intervention.

5. Firewall Rule Manipulation: The malware creates firewall rules to block inbound and outbound connections associated with Qihoo 360 security software, ensuring that the compromised system remains vulnerable.
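One way to turn the chain above into host-based detection logic, as an added example that is not part of the original article: correlate, per host, a kernel driver service installed from a user-writable path, a service that is created and deleted within minutes, termination of processes belonging to the security products named in the report, and a netsh firewall block rule aimed at one of those products. The telemetry schema, field names and sample events are constructed for illustration; the vendor keywords are assumed to appear in the respective products' process paths.

```python
# Added detection sketch, not code from the original report: correlates
# Sysmon-style events for the defense-evasion sequence described above.
# Event names, field names and the sample log lines below are constructed.
import re
from collections import defaultdict

USER_WRITABLE = re.compile(r"\\(Temp|AppData|ProgramData|Users)\\", re.I)
# Vendor keywords taken from the products named in the report (assumed to
# appear in the image path or firewall rule of the respective security processes).
SECURITY_VENDORS = re.compile(r"360|Kingsoft|Tencent|Windows Defender", re.I)
FW_BLOCK = re.compile(r"advfirewall\s+firewall\s+add\s+rule.*action=block", re.I)

def correlate(events, window=300):
    """Return {host: set(indicator)} for the loader behaviours described above."""
    hits = defaultdict(set)
    started = {}  # (host, service) -> install time, to spot short-lived services
    for e in sorted(events, key=lambda x: x["ts"]):
        host, kind = e["host"], e["event"]
        if kind == "ServiceInstalled":
            started[(host, e["service"])] = e["ts"]
            if e.get("kernel") and USER_WRITABLE.search(e["image"]):
                hits[host].add("kernel_driver_from_user_path")
        elif kind == "ServiceDeleted":
            t0 = started.get((host, e["service"]))
            if t0 is not None and e["ts"] - t0 <= window:
                hits[host].add("short_lived_service")
        elif kind == "ProcessTerminate" and SECURITY_VENDORS.search(e["image"]):
            hits[host].add("security_process_terminated")
        elif kind == "ProcessCreate" and FW_BLOCK.search(e.get("cmdline", "")):
            if SECURITY_VENDORS.search(e["cmdline"]):
                hits[host].add("firewall_block_on_security_product")
    return dict(hits)

def flagged_hosts(events, min_indicators=3):
    """Hosts showing at least min_indicators of the four behaviours."""
    return sorted(h for h, i in correlate(events).items() if len(i) >= min_indicators)

# Constructed sample telemetry: ws01 shows the full sequence, ws02 a benign driver install.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "event": "ProcessCreate", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name=x dir=out action=block program="C:\\Program Files\\360\\360Tray.exe"'},
    {"ts": 101, "host": "ws01", "event": "ServiceInstalled", "service": "ollama", "kernel": True,
     "image": r"C:\Users\user\AppData\Local\Temp\ollama.sys"},
    {"ts": 103, "host": "ws01", "event": "ProcessTerminate", "image": r"C:\Program Files\360\360Tray.exe"},
    {"ts": 105, "host": "ws01", "event": "ServiceDeleted", "service": "ollama"},
    {"ts": 200, "host": "ws02", "event": "ServiceInstalled", "service": "vendorfilter", "kernel": True,
     "image": r"C:\Windows\System32\drivers\vendorfilter.sys"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(flagged_hosts(SAMPLE_EVENTS))  # ['ws01']
```

A single indicator (a short-lived service, say) is common in legitimate installers, which is why the threshold requires several of them on the same host within the sorted event stream.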

Deployment of Gh0st RAT

With defenses disabled, RONINGLOADER proceeds to deploy a modified version of Gh0st RAT, a remote access trojan known for its extensive capabilities, including:

– Remote Control: Allows attackers to control the infected system remotely.

– Data Exfiltration: Enables the extraction of sensitive information from the compromised system.

– Keystroke Logging: Records user keystrokes to capture credentials and other confidential data.

– Screen Capture: Takes screenshots of the user’s activities.

– File Manipulation: Facilitates the uploading, downloading, and execution of files.

Historical Context and Evolution

Dragon Breath has been active since at least 2020, with previous campaigns documented by cybersecurity firms. In May 2023, Sophos highlighted the group’s use of a double-dip DLL side-loading technique targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. This method involved using two clean applications to load a malicious DLL, thereby evading detection.

The current campaign signifies an evolution in Dragon Breath’s tactics, showcasing a more sophisticated approach to disabling security tools and deploying malware. The use of RONINGLOADER demonstrates the group’s commitment to developing advanced methods to achieve their objectives.

Implications and Recommendations

The activities of Dragon Breath underscore the persistent threat posed by APT groups employing advanced techniques to compromise systems. Organizations, especially those with Chinese-speaking users, should implement robust security measures, including:

– User Education: Train users to recognize and avoid downloading software from untrusted sources.

– Endpoint Protection: Deploy comprehensive endpoint detection and response solutions capable of identifying and mitigating sophisticated threats.

– Regular Updates: Ensure that all software and security tools are up-to-date to protect against known vulnerabilities.

– Network Monitoring: Implement continuous monitoring to detect unusual activities that may indicate a compromise.

By adopting these measures, organizations can enhance their resilience against advanced persistent threats like Dragon Breath.