Researchers have spotted the APT group Dragon Breath using several complex variations of the classic DLL sideloading technique to evade detection.
The group is believed to specialize in the online-gambling space, and its operators used multiple scenarios in which the second-stage application is replaced with other clean applications.
The attackers lure victims by offering trojanized versions of popular applications such as Telegram, WhatsApp for Android, iOS, or Windows, claiming that they are customized for individuals in China. These compromised applications are believed to be advertised through BlackSEO or malvertising techniques.
Dragon Breath’s attack strategy involves using an initial vector that exploits a legitimate application, often Telegram, to sideload a second-stage payload, which may also be benign. This payload then sideloads a DLL malware loader that executes malicious code.
The ultimate objective is to steal cryptocurrency wallets, so the payloads used in its attacks remained relatively consistent throughout the investigation. In the second stage of the attack, whichever clean second-stage loader was employed called a particular DLL that the attackers had placed in the same directory, using the classic DLL sideloading method. This DLL was a malicious version carrying the same name as the legitimate one. It then loaded the payload from the file “template.txt” and decrypted it.
The encryption used for the payload was a simple combination of bytewise SUB and XOR. The decrypted content was a loader shellcode, which decompressed and executed the final payload. The execution log of the process shows the decompression of the final payload. The shellcode loaded the final payload DLL into memory and executed it, completing the attack.
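The sideloading step described above relies on a malicious DLL that shares its file name with a legitimate one and sits in the application's own directory. The following script is an added illustration of how a defender can hunt for that pattern; it is not Sophos' tooling and names no real DLLs. It flags any DLL under an application folder whose file name collides with a DLL in a trusted reference directory but whose content hash differs. The directory layout in `demo()` is constructed inside a temporary folder so the script runs anywhere; on a Windows host you would point `app_dir` at the suspect application's folder and `reference_dirs` at `C:\Windows\System32` and `SysWOW64`.

```python
"""
Hunt for DLL sideloading candidates: a DLL next to an application whose file
name matches a DLL in a trusted system directory but whose content differs.

Added example, not the researchers' code. All directory names and file
contents in demo() are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def index_reference_dlls(reference_dirs) -> dict[str, Path]:
    """Map lower-cased DLL file names to their trusted copy (first directory wins)."""
    index: dict[str, Path] = {}
    for d in reference_dirs:
        for p in Path(d).glob("*.dll"):
            index.setdefault(p.name.lower(), p)
    return index


def find_sideload_candidates(app_dir, reference_dirs) -> list[dict]:
    """Return DLLs under app_dir that shadow a trusted DLL by name with different content."""
    trusted = index_reference_dlls(reference_dirs)
    findings = []
    for p in Path(app_dir).rglob("*.dll"):
        ref = trusted.get(p.name.lower())
        if ref is None:
            continue  # unique name: no collision with a trusted DLL
        local_hash = sha256_of(p)
        if local_hash != sha256_of(ref):
            findings.append({"dll": str(p), "shadows": str(ref), "sha256": local_hash})
    return findings


def demo() -> list[dict]:
    """Constructed layout: one look-alike DLL, one identical copy, one app-specific DLL."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, app = Path(tmp, "reference"), Path(tmp, "app")
        ref.mkdir()
        app.mkdir()
        (ref / "libtrusted.dll").write_bytes(b"MZ trusted build")
        (ref / "libsame.dll").write_bytes(b"MZ identical build")
        (app / "libtrusted.dll").write_bytes(b"MZ look-alike with different code")  # flagged
        (app / "libsame.dll").write_bytes(b"MZ identical build")  # same hash: not flagged
        (app / "libapp.dll").write_bytes(b"MZ app-specific dll")  # unique name: not flagged
        return find_sideload_candidates(app, [ref])


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['dll']} shadows {hit['shadows']} (sha256 {hit['sha256'][:16]}...)")
```

A hash mismatch is a triage lead, not proof: a legitimate application may ship its own build of a common DLL. Check the Authenticode signature and the vendor of the flagged file before escalating, and pair the hunt with process-creation telemetry showing a clean, signed executable loading the DLL from its own folder.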
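A bytewise SUB-and-XOR layer of the kind described above is weak in a way an analyst can exploit directly: with one SUB byte and one XOR byte there are only 65,536 keys, so a few bytes of expected plaintext recover them by brute force. The script below is an added example, not Sophos' decoder, and the keys, operation order and sample payload are constructed assumptions; the real Dragon Breath constants are not on this page. It tries both possible orderings (SUB then XOR, and XOR then SUB) against a known prefix, here the start of a standard DOS header, since the final payload is a DLL.

```python
"""
Known-plaintext key recovery for a bytewise SUB + XOR layer.

Added example, not the researchers' code. SUB_KEY, XOR_KEY, the operation
order and SAMPLE_PLAINTEXT are constructed for illustration.
"""
from itertools import product

# Constructed sample: a fake payload beginning with a common PE DOS-header prefix.
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"constructed payload body, not real shellcode"
)
SUB_KEY, XOR_KEY = 0x37, 0x5A  # assumed keys, chosen for the demo


def encrypt_sub_then_xor(data: bytes, sub_key: int, xor_key: int) -> bytes:
    """Assumed packer order: subtract a constant, then XOR (each byte mod 256)."""
    return bytes(((b - sub_key) & 0xFF) ^ xor_key for b in data)


def decrypt_sub_then_xor(data: bytes, sub_key: int, xor_key: int) -> bytes:
    """Inverse of encrypt_sub_then_xor: undo the XOR, then add the constant back."""
    return bytes(((b ^ xor_key) + sub_key) & 0xFF for b in data)


def decrypt_xor_then_sub(data: bytes, sub_key: int, xor_key: int) -> bytes:
    """Inverse for the other ordering (packer XORed first, then subtracted)."""
    return bytes(((b + sub_key) & 0xFF) ^ xor_key for b in data)


DECRYPTORS = {
    "sub_then_xor": decrypt_sub_then_xor,
    "xor_then_sub": decrypt_xor_then_sub,
}


def recover_keys(ciphertext: bytes, known_prefix: bytes) -> list[tuple[str, int, int]]:
    """Return every (order, sub, xor) under which the ciphertext decrypts to known_prefix."""
    head = ciphertext[: len(known_prefix)]
    return [
        (order, s, x)
        for order, dec in DECRYPTORS.items()
        for s, x in product(range(256), repeat=2)
        if dec(head, s, x) == known_prefix
    ]


SAMPLE_CIPHERTEXT = encrypt_sub_then_xor(SAMPLE_PLAINTEXT, SUB_KEY, XOR_KEY)


def demo() -> bytes:
    """Recover the keys from the DOS-header prefix and decrypt the whole sample."""
    candidates = recover_keys(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT[:16])
    order, s, x = candidates[0]
    return DECRYPTORS[order](SAMPLE_CIPHERTEXT, s, x)


if __name__ == "__main__":
    for order, s, x in recover_keys(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT[:16]):
        print(f"candidate: {order} sub=0x{s:02x} xor=0x{x:02x}")
    print(demo())
```

In practice the known prefix is whatever the next stage must start with: a PE DOS header for a dropped DLL, or the first instructions of a shellcode prologue. If several key pairs survive the prefix check, decrypt the full buffer with each and keep the one that yields a parseable structure. The recovered keys are also a useful detection artifact for a YARA rule on the encrypted `template.txt`-style container.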
The attack is primarily aimed at Chinese-speaking Windows users situated in countries such as China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.
The Dragon Breath group’s use of the double-clean-app technique against the online gambling industry, an area that security researchers have historically scrutinized less, demonstrates the continued efficacy of this approach.
This research was documented by researchers from Sophos.