APT hacking group uses double DLL sideloading to bypass security

by | May 4, 2023 | News

Premium Content

Patreon
Subscribe to Patreon to watch this episode.
Reading Time: 3 Minutes

Using Complex Variations of DLL Sideloading to Evade Detection

An APT hacking group, known as “Dragon Breath,” “Golden Eye Dog,” or “APT-Q-27,” is demonstrating a new trend of using complex variations of the classic DLL sideloading technique to evade detection. According to Sophos analysts who followed the recent attacks of this group, the targeting scope of this campaign is focused on Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, Hong Kong, and the Philippines.

The campaign leverages a clean application, most often Telegram, that sideloads a second-stage payload, sometimes also clean, which in turn, sideloads a malicious malware loader DLL.

The group has been able to achieve evasion, obfuscation, and persistence using the “double DLL sideloading” technique, which is making it harder for defenders to adjust to specific attack patterns and effectively shield their networks.

General attack diagramGeneral attack diagram (Sophos)

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

Double DLL sideloading technique

DLL sideloading is a technique that attackers have been exploiting since 2010 by taking advantage of the insecure way Windows loads DLL (Dynamic Link Library) files required by an application. The attacker places a malicious DLL with the same name as the legitimate, required DLL in an application’s directory. When the user launches the executable, Windows prioritizes the local malicious DLL over the one in the system folders. The attacker’s DLL contains malicious code that loads at this stage, giving the attacker privileges or running commands on the host by exploiting the trusted, signed application that is loading it.

The group’s attack begins when the victims execute the installer of the mentioned apps, which drops components on the system and creates a desktop shortcut and a system startup entry. If the victim attempts to launch the newly created desktop shortcut, instead of launching the app, a command is executed on the system that runs a renamed version of ‘regsvr32.exe’ (‘appR.exe’) to execute a renamed version of ‘scrobj.dll’ (‘appR.dll’) and supplies a DAT file (‘appR.dat’) as input to it. The DAT contains JavaScript code for execution by the script execution engine library (‘appR.dll’).
The JavaScript code launches the Telegram app user interface in the foreground while installing various sideloading components in the background.

Command executed on the breached systemCommand executed on the breached system (Sophos)

 

In all observed attack variations, the final payload DLL is decrypted from a txt file (‘templateX.txt’) and executed on the system. This payload is a backdoor that supports several commands.

First attack variant diagramFirst attack variant diagram (Sophos)

Executable signed by HP Executable signed by HP – Third Variation of the attack (Sophos)

The group has trojanized Telegram, LetsVPN, or WhatsApp apps for Android, iOS, or Windows that have been supposedly localized for people in China. The trojanized apps are believed to be promoted using BlackSEO or malvertizing.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link

Merch

Recent News

EXPLORE OUR STORE

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!


Information Security Solutions

Find out how Pentesting Services can help you.


Join our Community

Share This