Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.

“The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time,” Sophos researcher Gabor Szappanos said.

Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram.

Dragon Breath is also said to be part of a larger entity called Miuuti Group, with the adversary characterized as a “Chinese-speaking” entity targeting the online gaming and gambling industries, joining the likes of other Chinese activity clusters like Dragon CastlingDragon Dance, and Earth Berberoka.

Double-Clean-App Technique

The double-dip DLL side-loading strategy, per Sophos, has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. These attempted intrusions were ultimately unsuccessful.

The initial vector is a fake website hosting an installer for Telegram that, when opened, creates a desktop shortcut that’s designed to load malicious components behind the scenes upon launch, while also displaying to the victim the Telegram app user interface.

The next stage involves the use of a second clean application as an intermediate to avoid detection and load the final payload via a malicious DLL.

The payload functions as a backdoor capable of downloading and executing files, clearing event logs, extracting and setting clipboard content, running arbitrary commands, and stealing cryptocurrency from the MetaMask wallet extension for Google Chrome.


Source: https://thehackernews.com/