Double-Clean-App Technique

Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

@ducklah 8 May 2023

Threat Actor

  • Dragon Breath (a.k.a. APT-Q-27)

  • Golden Eye Dog

Description

Background: An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.

The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time.

Target

  • Countries such as China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

  • The gambling industry.

The Attack

The initial vector is a fake website hosting an installer for Telegram that, when opened, creates a desktop shortcut that's designed to load malicious components behind the scenes upon launch, while also displaying to the victim the Telegram app user interface.

The next stage involves the use of a second clean application as an intermediate to avoid detection and load the final payload via a malicious DLL.

The payload functions as a backdoor capable of downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.

  • In the second stage of the attack, whichever clean second-stage loader was employed called a particular DLL that the attackers had placed in the same directory, using the classic DLL side-loading method.

  • This DLL was a malicious version carrying the same name as the legitimate one. It loaded the payload from the file "template.txt" and decrypted it.

  • The payload was encrypted with a simple combination of bytewise SUB and XOR. The decrypted content was a loader shellcode that decompressed and executed the final payload; the execution log of the process shows that decompression taking place.
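One defender-side check for the pattern described above (a DLL carrying a legitimate name dropped next to a clean executable, with an encrypted payload file beside it), as an added example that is not from the original post or from any of the cited reports. It assumes a reference directory of known-good DLLs to compare against (on Windows, typically System32) and that the payload companion keeps the name template.txt; both are assumptions, and the flagged entries are triage candidates, not verdicts.

```python
import hashlib
import math
from pathlib import Path

# Companion file name reported on this page; the malicious DLL read its encrypted
# payload from it. Assumed to be a fixed name here; extend with names seen elsewhere.
PAYLOAD_COMPANIONS = {"template.txt"}


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit near 8.0, plain text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_sideload_candidates(app_dir, system_dir):
    """Return DLLs in app_dir that share a name with a DLL in system_dir but differ
    in content, each with any payload companion found beside it and its entropy."""
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    reference = {p.name.lower(): p for p in system_dir.iterdir()
                 if p.is_file() and p.suffix.lower() == ".dll"}
    findings = []
    for dll in sorted(app_dir.iterdir()):
        if not dll.is_file() or dll.suffix.lower() != ".dll":
            continue
        ref = reference.get(dll.name.lower())
        if ref is None or sha256_of(dll) == sha256_of(ref):
            continue  # no system twin, or a byte-identical copy: not a swapped DLL
        companions = []
        for name in sorted(PAYLOAD_COMPANIONS):
            blob = app_dir / name
            if blob.is_file():
                companions.append({"file": str(blob),
                                   "entropy": round(shannon_entropy(blob.read_bytes()), 2)})
        findings.append({"dll": str(dll), "system_twin": str(ref),
                         "sha256": sha256_of(dll), "companions": companions})
    return findings
```

A high-entropy companion next to a name-colliding DLL is the combination worth pulling for analysis; a colliding DLL alone may be a legitimately redistributed copy.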

IOC


Reference

  • https://thehackernews.com/2023/05/dragon-breath-apt-group-using-double.html

  • https://cyware.com/news/dragon-breath-apt-uses-double-dll-sideloading-tactic-aab66767

  • https://ti.qianxin.com/blog/articles/operation-dragon-breath-(apt-q-27)-dimensionality-reduction-blow-to-the-gambling-industry/

  • https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/
