New Malware RONINGLOADER Bypasses Security with Signed Drivers, Targets Chinese Users

RONINGLOADER: The Stealthy Malware Disabling Security Defenses with Signed Drivers

RONINGLOADER is a multi-stage Windows loader that targets Chinese users. What sets it apart is that it does not merely evade endpoint protection; it actively disables it before dropping its payload. The products it goes after include Windows Defender as well as widely used Chinese security suites such as Qihoo 360 Total Security and Huorong.

Infection Vector and Initial Deployment

RONINGLOADER infiltrates systems through trojanized installers masquerading as legitimate software applications such as Google Chrome and Microsoft Teams. Upon execution, these deceptive installers initiate a dual installation process:

1. Legitimate Software Installation: To avoid suspicion, the installer proceeds to install the genuine software that the user intended to download.

2. Malware Deployment: Simultaneously, the installer discreetly deploys the malicious components of RONINGLOADER.

Because the expected application installs and runs normally, the victim has no visible reason to suspect that anything else was installed alongside it.

Multi-Stage Infection Chain

Once inside the system, RONINGLOADER follows a complex infection chain designed to establish control and neutralize security measures:

– File Deployment: The loader creates the directory `C:\Program Files\Snieoatwtregoable\` and drops two files there: `Snieoatwtregoable.dll` and `tp.png`, an encrypted payload whose image extension is purely cosmetic.

– Decryption and Execution: The DLL decodes `tp.png` with an XOR-and-bit-rotation routine (lightweight obfuscation rather than real encryption) and executes the next stage it recovers.

– Privilege Escalation: The loader relaunches itself via `runas` to obtain an administrator-level process. This is not a silent UAC bypass: Windows still prompts the user, who is likely to approve it in the middle of what looks like a legitimate installation.

– Security Software Enumeration: The loader walks the running process list looking for security products, specifically Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, and tailors its next steps to what it finds.
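The decryption step above describes only the operations (XOR and a bit rotation), not the key or rotation amount, which are usually the first thing an analyst has to recover. The following is an added example, not code from the RONINGLOADER report or its authors: it assumes a per-byte XOR with a single-byte key followed by an 8-bit rotate-left (an assumed scheme, not the loader's actual one), implements the inverse, and then brute-forces the 256 x 8 parameter space using the PE header magic (`MZ` plus `PE\0\0` at `e_lfanew`) as the success test. The sample "payload" is a constructed bare DOS header, not a real file.

```python
from itertools import product


def rol8(b, n):
    """Rotate an 8-bit value left by n bits."""
    n &= 7
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b, n):
    """Rotate an 8-bit value right by n bits (inverse of rol8)."""
    n &= 7
    return ((b >> n) | (b << (8 - n))) & 0xFF


def encrypt(data, key, rot):
    """Assumed scheme: XOR each byte with a single-byte key, then rotate left."""
    return bytes(rol8(b ^ key, rot) for b in data)


def decrypt(data, key, rot):
    """Undo encrypt(): apply the inverse operations in reverse order."""
    return bytes(ror8(b, rot) ^ key for b in data)


def looks_like_pe(blob):
    """Plausibility test for a decoded stage: 'MZ' magic and 'PE\\0\\0' at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_parameters(blob):
    """Brute-force (key, rotation) over the first 256 bytes.

    Returns the first pair that decodes to a PE header, or None. Because the
    byte transform is a bijection, the 'MZ' test alone pins down the rotation
    and the key uniquely; the PE signature check guards against coincidences.
    """
    head = blob[:0x100]
    for key, rot in product(range(256), range(8)):
        if looks_like_pe(decrypt(head, key, rot)):
            return key, rot
    return None


def build_sample_pe():
    """Constructed stand-in for a decoded stage: a bare DOS header whose
    e_lfanew (offset 0x3C) points at a PE signature at offset 0x40."""
    hdr = bytearray(b"MZ") + b"\x90" * 0x3A        # 0x3C bytes of header
    hdr += (0x40).to_bytes(4, "little")            # e_lfanew
    hdr += b"PE\x00\x00" + b"\x00" * 20            # PE signature + padding
    return bytes(hdr)


if __name__ == "__main__":
    key, rot = 0x5A, 3                             # assumed values, not the loader's
    blob = encrypt(build_sample_pe(), key, rot)    # stands in for tp.png
    print("recovered (key, rot):", recover_parameters(blob))
```

Against a real sample the same loop runs over the first few hundred bytes of `tp.png`; if nothing decodes to a PE header, the scheme differs (multi-byte key, rotation before XOR, or a position-dependent key), and the search space is widened accordingly.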

Exploitation of Signed Drivers

The most notable element of RONINGLOADER's tradecraft is its use of `ollama.sys`, a kernel driver carrying a valid digital signature from Kunming Wuqi E-commerce Co., Ltd. A valid signature only proves who signed the file, not that its code is safe, so Driver Signature Enforcement accepts it. Once loaded, the driver lets the malware terminate security processes from kernel mode, where the user-mode self-protection those products rely on (protected processes, hooks, anti-tamper services) cannot intervene. This is a bring-your-own-vulnerable-driver (BYOVD) pattern, and it unfolds in three steps:

1. Driver Deployment: The loader writes `ollama.sys` to disk and registers a temporary kernel-driver service to load it, the same path a legitimate driver installation takes.

2. Process Termination: It then sends the driver requests naming the security processes to kill (user mode talks to a driver through DeviceIoControl requests), and the driver terminates them with kernel-level APIs that user-mode protections cannot block.

3. Cleanup: As soon as the kills succeed, the loader deletes the service so the driver no longer appears among installed services, leaving the service-install and driver-load events as the main evidence of what happened.
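The create-load-delete sequence above is short, but each step leaves a record a SIEM already collects: System event 7045 (a new service was installed), Sysmon event 6 (a driver was loaded, with signer and signature status) and Sysmon event 12 with `EventType=DeleteKey` on the service's key under `HKLM\SYSTEM\CurrentControlSet\Services`. The following detection logic is an added example and not part of the RONINGLOADER report or any vendor's product; the event records are constructed to mirror the lifecycle described, the service name `svc_tmp` and the benign `ExampleNic` driver are placeholders, and the signer allowlist and the 120-second window are assumptions to tune per fleet.

```python
from datetime import datetime, timedelta

# Assumed allowlist: publishers whose kernel drivers are expected on the fleet.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
# A driver service whose registry key disappears this soon after creation
# matches the create-load-delete pattern (assumed threshold).
SHORT_LIVED = timedelta(seconds=120)


def _norm(path):
    """Lower-case a driver path and drop the NT '\\??\\' prefix 7045 records often carry."""
    return path.lower().replace("\\??\\", "")


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def analyze(events):
    """Correlate driver-service lifecycle events.

    Each event is a dict with 'time' (ISO 8601), 'source', 'id' and the
    record's named fields. Returns {service_or_driver: [reasons]}; an
    empty dict means nothing was flagged.
    """
    installed = {}      # service name -> (install time, normalised image path)
    findings = {}

    def flag(name, reason):
        findings.setdefault(name, []).append(reason)

    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])

        # System 7045: a new service was installed.
        if ev["source"] == "System" and ev["id"] == 7045:
            if "kernel" not in ev["ServiceType"].lower():
                continue                            # only kernel-mode drivers matter here
            path = _norm(ev["ImagePath"])
            installed[ev["ServiceName"]] = (t, path)
            if "\\system32\\drivers\\" not in path:
                flag(ev["ServiceName"], "kernel driver installed from unusual path " + ev["ImagePath"])

        # Sysmon 6: a driver image was loaded; correlate by file name (7045 uses NT paths).
        elif ev["source"] == "Sysmon" and ev["id"] == 6:
            name = next((n for n, (_, p) in installed.items()
                         if _basename(p) == _basename(ev["ImageLoaded"])), ev["ImageLoaded"])
            if ev.get("SignatureStatus") != "Valid":
                flag(name, "driver loaded with invalid or missing signature")
            elif ev.get("Signature") not in TRUSTED_SIGNERS:
                flag(name, "validly signed driver from unrecognised publisher: " + ev.get("Signature", ""))

        # Sysmon 12 (DeleteKey) on ...\Services\<name>: the service was removed.
        elif ev["source"] == "Sysmon" and ev["id"] == 12 and ev.get("EventType") == "DeleteKey":
            key = ev["TargetObject"].lower()
            marker = "\\services\\"
            if marker not in key:
                continue
            name = ev["TargetObject"][key.rindex(marker) + len(marker):].split("\\")[0]
            if name in installed:
                age = t - installed[name][0]
                if age <= SHORT_LIVED:
                    flag(name, "service key deleted %ds after install (short-lived driver service)"
                         % age.total_seconds())
    return findings


# Constructed records (not captured from an infected host): one BYOVD sequence
# followed by a benign, Microsoft-signed driver installed the normal way.
SAMPLE_EVENTS = [
    {"time": "2025-11-10T09:14:02", "source": "System", "id": 7045,
     "ServiceName": "svc_tmp", "ServiceType": "kernel mode driver",
     "ImagePath": "\\??\\C:\\Users\\Public\\ollama.sys", "StartType": "demand start"},
    {"time": "2025-11-10T09:14:03", "source": "Sysmon", "id": 6,
     "ImageLoaded": "C:\\Users\\Public\\ollama.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Kunming Wuqi E-commerce Co., Ltd."},
    {"time": "2025-11-10T09:14:05", "source": "Sysmon", "id": 12, "EventType": "DeleteKey",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\svc_tmp"},
    {"time": "2025-11-10T09:20:00", "source": "System", "id": 7045,
     "ServiceName": "ExampleNic", "ServiceType": "kernel mode driver",
     "ImagePath": "\\SystemRoot\\System32\\drivers\\examplenic.sys", "StartType": "auto start"},
    {"time": "2025-11-10T09:20:01", "source": "Sysmon", "id": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\examplenic.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows Hardware Compatibility Publisher"},
]

if __name__ == "__main__":
    for name, reasons in analyze(SAMPLE_EVENTS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

None of the three signals is conclusive alone (software installers legitimately create driver services, and many vendors are not on a Microsoft allowlist), but a driver from an unfamiliar publisher, loaded from a user-writable path, whose service is gone two minutes later, is a combination with very few benign explanations.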

Advanced Evasion Techniques

To further ensure its stealth and persistence, RONINGLOADER employs several sophisticated evasion tactics:

– Firewall Manipulation: Where Qihoo 360 Total Security is present, the loader adds Windows Firewall rules that block the product's network traffic, cutting it off from signature updates and cloud-based detection.

– Code Injection: It injects its next stage into a process belonging to the Volume Shadow Copy service and triggers execution through a Windows thread-pool I/O completion callback tied to a file write, avoiding the CreateRemoteThread pattern that most EDR products watch for.
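A block rule aimed at a security product is easy to spot once the rule set is dumped. The following is an added example, not code from the report: it parses the plain-text output of `netsh advfirewall firewall show rule name=all verbose` and reports enabled Block rules whose Program path lies under a security product's install directory. The output sample is constructed and abridged (real `netsh` output prints every field for every rule), the rule names and `example.exe` are placeholders, and the product directories are assumed defaults to adjust per environment.

```python
import re

# Assumed default install locations of the products the article names; adjust to the fleet.
SECURITY_PRODUCT_DIRS = (
    "c:\\program files\\360\\total security",
    "c:\\program files (x86)\\360\\total security",
    "c:\\program files\\windows defender",
    "c:\\programdata\\microsoft\\windows defender",
    "c:\\program files\\huorong",
)

# 'Field name:   value' lines; separator dashes and blank lines do not match.
_FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_netsh_rules(text):
    """Turn 'netsh advfirewall firewall show rule name=all verbose' output into a list of dicts."""
    rules, current = [], None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":                     # each rule starts with its name
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def suspicious_block_rules(text):
    """Enabled Block rules whose Program lives under a security product directory."""
    hits = []
    for rule in parse_netsh_rules(text):
        if rule.get("Action") != "Block" or rule.get("Enabled") != "Yes":
            continue
        program = rule.get("Program", "").lower()
        if any(program.startswith(d) for d in SECURITY_PRODUCT_DIRS):
            hits.append((rule["Rule Name"], rule.get("Direction"), rule.get("Program")))
    return hits


# Constructed, abridged sample in netsh's layout: a normal allow rule, a block rule
# against a (placeholder) 360 binary, and a block rule against an unrelated program.
SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Protocol:                             UDP
Program:                              C:\Windows\system32\svchost.exe
Service:                              dnscache
Action:                               Allow

Rule Name:                            Block-360-Out
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
Protocol:                             Any
Program:                              C:\Program Files (x86)\360\Total Security\example.exe
Action:                               Block

Rule Name:                            Block-Example-Game
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Private
Protocol:                             Any
Program:                              C:\Games\example.exe
Action:                               Block
"""

if __name__ == "__main__":
    for name, direction, program in suspicious_block_rules(SAMPLE_NETSH_OUTPUT):
        print("%s (%s): %s" % (name, direction, program))
```

The same check can be expressed live in PowerShell with `Get-NetFirewallRule -Action Block | Get-NetFirewallApplicationFilter`, and rule additions are logged as event ID 2004 in the "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" channel, which is the signal to alert on in real time rather than waiting for a periodic dump.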

Implications and Recommendations

RONINGLOADER illustrates how far adversaries will go to remove, rather than evade, endpoint protection. By weaponizing a validly signed driver and layering several evasion techniques on top, it defeats defenses that implicitly trust any signed kernel driver and rely on user-mode self-protection to survive.

Recommendations for Mitigation:

1. Software Authenticity Verification: Users should download software exclusively from official and reputable sources to reduce the risk of encountering trojanized installers.

2. Regular System Updates: Keep operating systems and security software current. Beyond patching known vulnerabilities, this is also how Microsoft's vulnerable driver blocklist reaches endpoints, which is what eventually stops a known-abused driver from loading.

3. Behavioral Monitoring: Implementing security solutions that focus on behavioral analysis can help detect anomalies indicative of malware activity, even when traditional signature-based detection fails.

4. Driver Integrity Checks: Monitor kernel driver loads and service installations, and treat a valid signature as a statement about the signer, not about safety. Alert on drivers loaded from outside the normal drivers directory, on unfamiliar publishers, and on driver services that are created and deleted within minutes. Enable Microsoft's vulnerable driver blocklist (enforced with memory integrity/HVCI where the hardware allows) and compare loaded driver hashes against community lists such as LOLDrivers, bearing in mind that a newly abused driver will not yet appear on any list.

By adopting a comprehensive and proactive security posture, individuals and organizations can enhance their resilience against sophisticated threats like RONINGLOADER.