An APT threat operating group called “Dragon Breath,” “Golden Eye Dog,” or “APT-Q-27” is displaying a new trend of various complex versions of the basic DLL sideloading method to avoid detection. The attack variants start with an initial vector that uses a clean application, often Telegram, to sideload a second-stage payload, which sideloads a malicious malware loader DLL. Victims are drawn in by trojanized Telegram, LetsVPN, or WhatsApp apps for Android, iOS, or Windows that have been ostensibly localized for Chinese users. The trojanized apps are thought to have been marketed through BlackSEO or malvertizing. According to cybersecurity analysts who have been following the threat actor’s latest cyberattacks, the campaign’s target scope is Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.
Since 2010, threat operators have used DLL sideloading to take advantage of the vulnerable method Windows loads DLL (Dynamic Link Library) files required by an application. In the application’s directory, the threat operators place a malicious DLL with the same name as the genuine, required DLL. When the executable is launched by users, Windows prefers the local malicious DLL over the one in the system folders. The threat operator’s DDL contains malicious code that loads, granting the threat operators privileges or allowing threat operators to conduct commands on the host by exploiting the trusted, signed application that’s loading it. In the campaign, victims run the installer for the apps, which installs components on the system and creates a desktop shortcut and a system startup entry. If victims try to run the newly created desktop shortcut, which is the expected first step, instead of launching the app, the system executes the following command.
The final payload DLL is decrypted from a txt file (“template.txt”) and executed on the system in all reported attack versions. The payload is a backdoor that supports various commands, including system reboot, registry key modification, retrieving files, clipboard content theft, and command execution on a hidden CMD window. Additionally, the backdoor targets the MetaMask cryptocurrency wallet Chrome extension, with the goal of stealing victims’ digital assets. DDL sideloading remains an effective attack technique for threat operators that Microsoft and developers have failed to fix for over 10 years. Analysts detected DLL sideloading variations that are difficult to track in the current APT-Q-27 attack, resulting in a stealthier infection chain.
With threat operators utilizing various methods, tactics, and techniques, including double DLL sideloading to avoid detection, it’s important for companies to be vigilant of the latest threat landscape and regularly update their applications and software to prevent future cyberattacks. At SpearTip, our gap analysis service allows our engineers to discover blind spots in companies by comparing technology and internal personnel that can lead to significant compromises. We go beyond simple compliance frameworks and examine the day-to-day function of cyber within the organization. This leads to critical recommendations by exposing vulnerabilities not only in software but also in your people and processes. Identifying technical vulnerabilities inside and outside of the organization provides a deeper context to potential gaps in the environment. We analyze the configurations and interactions of your network infrastructure with the expertise of a skilled penetration tester. SpearTip discovers vulnerabilities in firewall systems and enables companies to dedicate their resources to evaluate and prioritize fixes. This will provide visibility of actual network gaps, including existing false negatives. For all uncovered weaknesses, SpearTip provides clear remediation steps to ensure a strengthened security posture.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.