Dragon Breath APT Adopts New DLL Side-Loading Mechanism in Attacks

Sophos researcher Gabor Szappanos has revealed that Dragon Breath, a notorious advanced persistent threat (APT) actor, has adopted a new DLL side-loading mechanism to add more complexity to its attacks.

According to Szappanos, the attack is based on a classic side-loading attack consisting of a clean application, a malicious loader, and an encrypted payload with various modifications over time.

Dragon Breath APT Group’s Background and Activities

Dragon Breath, also known as APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020. The group was found to have launched a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram. Dragon Breath is believed to be part of a larger entity called Miuuti Group, which targets the online gaming and gambling industries.

The group has been characterized as a “Chinese-speaking” entity, joining the likes of other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka.

Double-Dip DLL Side-Loading Strategy

The latest campaigns launched by Dragon Breath APT Group have added a new twist to the attack, where a first-stage clean application “side”-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL, which then executes the final payload.

This double-dip DLL side-loading strategy has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.

Use of Tampered Installers for Other Apps

Dragon Breath is believed to have created multiple variations of the scheme, in which tampered installers for other apps, such as LetsVPN and WhatsApp, are used to initiate the attack chain. The next stage involves the use of a second clean application as an intermediate to avoid detection and load the final payload via a malicious DLL.

The payload used by Dragon Breath functions as a backdoor capable of downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.

Continued Vitality of DLL Side-Loading

According to Szappanos, DLL side-loading, first identified in Windows products in 2010 but prevalent across multiple platforms, continues to be an effective and appealing tactic for threat actors.

He added that the double-clean-app technique employed by Dragon Breath represents the continued vitality of this approach, targeting a user sector (online gambling) that has traditionally been less scrutinized by security researchers.

Initial Vector of Dragon Breath APT Attack

The initial vector of the Dragon Breath attack involves a fake website hosting an installer for Telegram. When opened, the installer creates a desktop shortcut that is designed to load malicious components behind the scenes upon launch while also displaying the Telegram app user interface.

Despite the group’s sophisticated tactics, the attempted intrusions by Dragon Breath in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China were ultimately unsuccessful.

Dragon Breath’s adoption of the new DLL side-loading mechanism highlights the group’s increasing sophistication and complexity in its attack methods.

Security researchers urge users to remain vigilant and cautious while downloading and installing software from untrusted sources. It is important to keep all software and operating systems updated to prevent vulnerabilities that can be exploited by threat actors like Dragon Breath.