Dragon Breath APT: RONINGLOADER, Gh0st RAT, and Security Evasion Techniques (2025)

Dragon Breath's Sneaky Tactics: Unleashing Gh0st RAT with RONINGLOADER's Deception

A sophisticated threat actor, Dragon Breath, is running a campaign that uses a multi-stage loader named RONINGLOADER to deliver a modified version of the notorious Gh0st RAT. But here's where it gets intriguing: this campaign specifically targets Chinese-speaking users, employing deceptive tactics to infiltrate their systems.

According to Elastic Security Labs, the attack involves trojanized NSIS installers disguised as legitimate software like Google Chrome and Microsoft Teams. These installers initiate a multi-stage delivery process, employing various evasion techniques to neutralize popular endpoint security products in the Chinese market. Security researchers Jia Yu Chan and Salim Bitam revealed that this includes using a legitimately signed driver, implementing custom WDAC policies, and manipulating the Microsoft Defender binary through PPL abuse.

Dragon Breath, also known by the aliases APT-Q-27 and Golden Eye, was previously identified by Sophos in May 2023 for their involvement in a campaign using double-dip DLL side-loading to target users in several Asian countries. This hacking group has been active since at least 2020 and is linked to a larger Chinese-speaking entity, Miuuti Group, known for attacking the online gaming and gambling industries.

In the latest campaign, the malicious NSIS installers act as a gateway to two more embedded installers. One installer, letsvpnlatest.exe, is benign, while the other, Snieoatwtregoable.exe, initiates the stealthy attack. This involves delivering a DLL and an encrypted file, tp.png, which is used to extract shellcode to launch another binary in memory.

RONINGLOADER, a key player in this attack, attempts to remove userland hooks by loading a fresh ntdll.dll and elevating its privileges. It scans for specific antivirus solutions and terminates their processes, employing a unique approach for Qihoo 360 Total Security. This includes blocking network communication, injecting shellcode into the VSS service process, and using a signed driver to terminate processes via a temporary service.

Once security processes are disabled, RONINGLOADER executes batch scripts to bypass UAC and create firewall rules to block Qihoo 360 security software connections. It also abuses PPL and the Windows Error Reporting system to disable Microsoft Defender Antivirus and targets WDAC by writing a malicious policy. The ultimate goal is to inject a rogue DLL into a legitimate Windows binary, regsvr32.exe, to launch the modified Gh0st RAT into high-privilege system processes.
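As an added defender-side example (not from the Elastic report or this article), the following Python sketches detection logic for three of the loader behaviours described above, run over constructed Sysmon-style process-creation events. The file paths, the rule names and the "tmpdrv" service name are assumptions chosen for illustration.

```python
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": r'netsh advfirewall firewall add rule name="blk" dir=out '
                    r'action=block program="C:\Program Files\360\Total Security\360tray.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r"sc create tmpdrv type= kernel binPath= C:\Users\Public\drv.sys",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Snieoatwtregoable.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\payload.dll",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\Snieoatwtregoable.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign control event
     "CommandLine": r"svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Directories an unprivileged user can write to (assumed list, not exhaustive).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
KERNEL_SVC = re.compile(r"type=\s*kernel", re.IGNORECASE)


def rule_firewall_blocks_av(ev):
    """Outbound block rule aimed at a Qihoo 360 binary (firewall abuse step)."""
    cl = ev["CommandLine"].lower()
    return "advfirewall" in cl and "action=block" in cl and "\\360\\" in cl


def rule_kernel_service_from_user_path(ev):
    """Kernel-mode service whose driver lives in a user-writable path (BYOVD step)."""
    cl = ev["CommandLine"]
    return (ev["Image"].lower().endswith("sc.exe") and " create " in cl.lower()
            and KERNEL_SVC.search(cl) is not None and ".sys" in cl.lower()
            and USER_WRITABLE.search(cl) is not None)


def rule_regsvr32_user_dll(ev):
    """regsvr32.exe loading a DLL from a user-writable path (rogue DLL step)."""
    return (ev["Image"].lower().endswith("regsvr32.exe")
            and USER_WRITABLE.search(ev["CommandLine"]) is not None)


RULES = [rule_firewall_blocks_av, rule_kernel_service_from_user_path, rule_regsvr32_user_dll]


def scan(events):
    """Return (rule_name, ParentImage) for every event that trips a rule."""
    return [(r.__name__, ev["ParentImage"]) for ev in events for r in RULES if r(ev)]
```

Each hit carries the parent image so an analyst can pivot from the matched command to the installer that spawned it.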

This Gh0st RAT variant is designed for remote control, fetching instructions to manipulate the system, clear logs, download files, alter clipboard data, run commands, inject shellcode, and execute payloads. It also captures keystrokes, clipboard content, and foreground window titles.

In a related development, Palo Alto Networks Unit 42 uncovered two interconnected campaigns using brand impersonation to deliver Gh0st RAT to Chinese speakers. The first campaign, Campaign Trio, mimicked popular brands across 2,000 domains, while the second, Campaign Chorus, impersonated over 40 applications, showcasing an evolution in sophistication. These campaigns employed intricate infection chains, leveraging intermediary redirection domains to fetch malicious ZIP archives, highlighting the threat actor's adaptability and resilience.

The researchers suggest that the simultaneous use of old and new infrastructure indicates A/B testing, targeting different victims with varying complexity, or a cost-effective strategy to maximize the impact of their attacks.

And this is the part that raises eyebrows: could this be a state-sponsored operation or a financially motivated group? What are your thoughts on the evolving tactics of threat actors? Share your insights in the comments below!
