Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT
Briefly

"The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market," security researchers Jia Yu Chan and Salim Bitam said. "These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse."
"In the latest campaign documented by Elastic Security Labs, the malicious NSIS installers for trusted applications act as a launchpad for two more embedded NSIS installers, one of which ("letsvpnlatest.exe") is benign and installs the legitimate software. The second NSIS binary ("Snieoatwtregoable.exe") is responsible for stealthily triggering the attack chain. This involves delivering a DLL and an encrypted file ("tp.png"), with the former used to read the contents of the supposed PNG image and extract shellcode designed to launch another binary in memory."
Dragon Breath (also tracked as APT-Q-27 and Golden Eye) has used a multi-stage loader named RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users. The campaign employs trojanized NSIS installers masquerading as legitimate applications such as Google Chrome and Microsoft Teams. The malicious installer drops two embedded NSIS binaries: letsvpnlatest.exe, which installs legitimate software, and Snieoatwtregoable.exe, which triggers the attack chain. The attack delivers a DLL and an encrypted tp.png; the DLL reads the PNG, extracts shellcode, and launches another binary in memory. RONINGLOADER leverages evasion techniques including a legitimately signed driver, custom WDAC policies, and abuse of Microsoft Defender PPL. The group has been active since at least 2020 and is linked to the Miuuti Group targeting online gaming and gambling sectors.
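As an added, defender-side example (not code from Elastic's report or from the campaign itself), the following Python check targets the "encrypted file stored under a PNG name" trick described above: it verifies the PNG signature and a CRC-valid IHDR first chunk, and measures byte entropy for blobs that fail. The sample blobs are constructed here; only the file name tp.png comes from the page.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_png(data: bytes) -> dict:
    """Report why a blob is not a well-formed PNG (empty reasons = structurally fine)."""
    reasons = []
    if not data.startswith(PNG_SIGNATURE):
        reasons.append("missing PNG signature")
        if shannon_entropy(data) > 7.5:
            reasons.append("high byte entropy, consistent with an encrypted payload")
    elif len(data) < 33:  # signature (8) + IHDR chunk (4 length + 4 type + 13 data + 4 CRC)
        reasons.append("truncated before IHDR")
    else:
        # Chunk layout: 4-byte big-endian length, 4-byte type, data, 4-byte CRC over type+data
        length, ctype = struct.unpack(">I4s", data[8:16])
        if ctype != b"IHDR" or length != 13:
            reasons.append("first chunk is not a 13-byte IHDR")
        else:
            body, (crc,) = data[16:29], struct.unpack(">I", data[29:33])
            if zlib.crc32(ctype + body) != crc:
                reasons.append("IHDR CRC mismatch")
    return {"looks_like_png": not reasons, "reasons": reasons}


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (used only to construct the sample image)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed samples: a minimal 1x1 PNG skeleton, and a deterministic pseudo-random blob
# standing in for an encrypted payload saved under a .png name.
REAL_PNG = PNG_SIGNATURE + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + png_chunk(b"IEND", b"")
FAKE_PNG = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("real.png", REAL_PNG), ("tp.png", FAKE_PNG)):
        print(name, inspect_png(blob))
```

The entropy reason is only reported for blobs that already lack the signature, because a genuine PNG's compressed IDAT data is also high-entropy and would otherwise produce false positives.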
Read at The Hacker News