Chris Swagler | May 11th, 2023

A threat group tracked as “Dragon Breath,” “Golden Eye Dog,” or “APT-Q-27” is using increasingly elaborate variations of the basic DLL sideloading technique to evade detection. Each variant starts with a clean, often legitimately signed application, usually Telegram, that sideloads a second-stage component, which in turn sideloads the malicious loader DLL. Victims are lured with trojanized Telegram, LetsVPN, or WhatsApp installers offered for Android, iOS, and Windows and ostensibly localized for Chinese users. The trojanized apps are believed to have been promoted through black-hat SEO and malvertising. According to the researchers tracking the actor’s latest activity, the campaign targets Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

DLL sideloading, in use since at least 2010, abuses the search order Windows follows when an application loads a DLL (Dynamic Link Library) it depends on. The attacker places a malicious DLL with the same name as a genuine, required DLL in the application’s own directory. When the user launches the executable, the loader searches that directory before the system directories (for any library not on the KnownDLLs list), so the local malicious DLL wins. The attacker’s DLL therefore runs inside a trusted, often digitally signed process, inheriting the user’s privileges and the reputation security tools attach to the signed application, and can execute commands on the host under that cover. In this campaign the victim runs the installer, which drops its components on the system and creates a desktop shortcut and a startup entry. When the victim launches the desktop shortcut, the expected first step, the shortcut does not start the app at all; instead the system runs the command described below.

The command runs a renamed copy of “regsvr32.exe” (“appR.exe”) and passes a DAT file (“appR.dat”) to a renamed copy of “scrobj.dll” (“appR.dll”), the Windows script component runtime. This is the regsvr32 scriptlet technique (MITRE ATT&CK T1218.010) with both binaries renamed to defeat name-based detection. The DAT file holds JavaScript that the script engine library (“appR.dll”) executes. In the foreground the JavaScript starts the Telegram user interface so the victim sees the expected app, while in the background it installs the sideloading components. The installer then launches a second-stage application as an intermediate step, leveraging a clean dependency (“libexpat.dll”). In one variant the clean application “XLGame.exe” is renamed “Application.exe” and the second-stage loader is a clean executable signed by Beijing Baidu Netcom Science and Technology Co., Ltd. In another variant the second-stage clean loader is “KingdomTwoCrowns.exe,” which is not digitally signed and so offers no benefit beyond obscuring the execution path. In a third variant the second-stage loader is the clean executable “d3dim9.exe,” digitally signed by HP Inc. Double DLL sideloading adds evasion, obfuscation, and persistence: every process in the chain is a legitimate binary, so defenders who key on a particular application or file name must adapt each time the actor swaps in a new one.
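As an added example (not code from this page, from SpearTip, or from the Sophos research it summarizes), the following Python models the detection logic a SOC could run over Sysmon process-creation (Event 1) and image-load (Event 7) records to surface each link of the chain just described: the renamed regsvr32.exe/scrobj.dll pair, a host process loading an unsigned DLL from its own directory, and a sideloading child spawned by a sideloading parent. The events are constructed to mirror the chain above; the install path, the second-stage DLL name “loader.dll,” and the signature states are assumptions, not observed indicators.

```python
"""Hunting the double DLL-sideloading chain in Sysmon-style telemetry.

Added example, not code from the page, SpearTip or Sophos. The EVENTS below are
constructed to mirror the chain described in the article; paths, the second-stage
DLL name and the Signed values are assumptions rather than observed indicators.
"""
import ntpath

# Windows binaries this actor renamed (regsvr32.exe -> appR.exe, scrobj.dll -> appR.dll).
# Illustrative subset; extend it from your own LOLBin inventory.
WINDOWS_BINARIES = {"regsvr32.exe", "scrobj.dll", "rundll32.exe", "mshta.exe", "msiexec.exe"}

# Constructed Sysmon Event 1 (ProcessCreate) and Event 7 (ImageLoad) records.
# Sysmon fills OriginalFileName from the PE version resource, so renaming a file
# on disk does not change it.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\Telegram\appR.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "REGSVR32.EXE"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\Telegram\appR.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Telegram\appR.dll",
     "OriginalFileName": "scrobj.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\Telegram\Application.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\Telegram\appR.exe",
     "OriginalFileName": "XLGame.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\Telegram\Application.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Telegram\libexpat.dll",
     "OriginalFileName": "libexpat.dll", "Signed": "false"},          # state assumed
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Roaming\Telegram\d3dim9.exe",
     "ParentImage": r"C:\Users\victim\AppData\Roaming\Telegram\Application.exe",
     "OriginalFileName": "d3dim9.exe"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Roaming\Telegram\d3dim9.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Telegram\loader.dll",  # name assumed
     "OriginalFileName": "loader.dll", "Signed": "false"},
]


def _base(path):
    return ntpath.basename(path)


def _dir(path):
    return ntpath.dirname(path).lower()


def renamed_windows_binary(ev):
    """Flag a Windows binary running or loaded under a different file name.

    A renamed regsvr32.exe still reports REGSVR32.EXE in OriginalFileName while
    executing as appR.exe, which name-based rules would miss.
    """
    path = ev["ImageLoaded"] if ev["EventID"] == 7 else ev["Image"]
    original = ev.get("OriginalFileName", "").lower()
    if original in WINDOWS_BINARIES and original != _base(path).lower():
        return f"renamed Windows binary: {_base(path)} is really {original}"
    return None


def sideload(ev):
    """Flag the search-order sideload pattern: a process loads an unsigned DLL
    from its own directory, which the loader consults before System32 for any
    library not on the KnownDLLs list."""
    if ev["EventID"] != 7 or _dir(ev["ImageLoaded"]) != _dir(ev["Image"]):
        return None
    if ev.get("Signed", "false").lower() == "true":
        return None
    return (f"sideload: {_base(ev['Image'])} loaded unsigned "
            f"{_base(ev['ImageLoaded'])} from its own directory")


def analyse(events):
    """Return findings in event order. A sideloading process whose parent was
    itself a sideloading host is reported as the double chain."""
    findings, parents, hosts = [], {}, set()
    for ev in events:
        if ev["EventID"] == 1:
            parents[ev["Image"].lower()] = ev["ParentImage"].lower()
        hit = renamed_windows_binary(ev)
        if hit:
            findings.append(hit)
        hit = sideload(ev)
        if hit:
            findings.append(hit)
            host = ev["Image"].lower()
            hosts.add(host)
            if parents.get(host) in hosts:
                findings.append(f"double sideload chain: {_base(parents[host])} -> {_base(host)}")
    return findings


if __name__ == "__main__":
    for line in analyse(EVENTS):
        print(line)
```

Note that the renamed scrobj.dll is caught only by the OriginalFileName rule, because a renamed Microsoft library still validates as signed; the sideload rule instead catches the unsigned DLLs that the two clean loaders pull in. Run on real Sysmon output, the same-directory test should also tolerate signed DLLs whose signer differs from the host executable's, since an actor can sign a loader with a throwaway certificate.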

In every reported variant the final payload DLL is decrypted from a text file (“template.txt”) and executed on the system. The payload is a backdoor that supports commands including rebooting the system, modifying registry keys, retrieving files, stealing clipboard contents, and running commands in a hidden cmd.exe window. It also targets the MetaMask cryptocurrency wallet extension for Chrome in order to steal victims’ digital assets. DLL sideloading has remained an effective technique for more than a decade because it abuses documented loader behavior rather than a single patchable bug: the available mitigations (resolving dependencies by fully qualified path, restricting the search path for explicitly loaded libraries with SetDefaultDllDirectories or LoadLibraryEx flags, and verifying the signature of any module loaded from the application directory) must be adopted by each application developer individually. The sideloading variations seen in this APT-Q-27 activity are difficult to track and produce a stealthier infection chain.

With threat operators using varied tactics and techniques, including double DLL sideloading, to avoid detection, companies need to stay aware of the current threat landscape, keep their applications and software updated, and install software only from official sources rather than from search results or advertisements. At SpearTip, our gap analysis service lets our engineers discover blind spots by examining a company’s technology and its internal personnel, either of which can lead to significant compromises. We go beyond simple compliance frameworks and examine the day-to-day function of cyber within the organization. This leads to critical recommendations by exposing vulnerabilities not only in software but also in your people and processes. Identifying technical vulnerabilities inside and outside the organization provides deeper context for potential gaps in the environment. We analyze the configurations and interactions of your network infrastructure with the expertise of a skilled penetration tester. SpearTip discovers vulnerabilities in firewall systems and enables companies to dedicate their resources to evaluating and prioritizing fixes. This provides visibility of actual network gaps, including existing false negatives. For every uncovered weakness, SpearTip provides clear remediation steps to ensure a strengthened security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
