Dragon Breath APT Raises Cyber Attacks Against Chinese-Speaking Windows Users

"Double DLL sideloading" helps the attackers better evade detection on targeted networks.

An attack group tracked as "Dragon Breath", "Golden Eye Dog" or "APT-Q-27" has begun using sophisticated variations of the classic DLL sideloading technique to evade detection.

These variants begin with a "clean" application that performs no malicious function on its own; most often this is the Telegram client. It then downloads the second-stage payload, which is also "clean" and therefore not flagged by antivirus tools, and which in turn becomes the channel for installing the malware.

As mentioned above, trojanized versions of the Telegram app are the usual bait, but researchers have also come across variants hidden in LetsVPN or WhatsApp packages. All of these applications target Chinese-speaking Windows users: potential victims are lured by the presence of a Chinese localization, which the official versions of these applications lack. The surge in malicious activity recorded by Sophos analysts occurred in China, Hong Kong, Japan, Taiwan, Singapore and the Philippines.

DLL sideloading has been used by attackers since 2010. It exploits the order in which Windows searches for DLLs: the attacker places a malicious DLL with the same name as a legitimate DLL the application requires into the application's own directory. When the user runs the application executable, the loader picks up the malicious DLL from the program folder before the genuine one in the Windows system directories.

The malicious DLL carries code that, once loaded, lets the attacker execute arbitrary commands on the compromised computer, using the trusted, signed application as the entry point.
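The search-order abuse described above leaves a trace in endpoint image-load telemetry. The following is an added example, not code from the original article or from Sophos: it runs a simple heuristic over constructed Sysmon-style Event ID 7 records (the field names Image, ImageLoaded, Signed and SignatureStatus follow Sysmon; the pipe-separated layout, the sample paths and the DLL shortlist are constructed for this example), flagging a process that loads a system-named DLL from its own directory without a valid signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed shortlist of system DLL names that apps resolve by bare name; build
# the real list from an inventory of a clean C:\Windows\System32.
SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "dwmapi.dll", "wtsapi32.dll", "uxtheme.dll"}
FIELD_RE = re.compile(r"(\w+)=([^|]*)")

def parse_event(line):
    """Parse one 'Key=Value|Key=Value' record (constructed Sysmon-like format)."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def is_sideload_candidate(ev):
    """True when a process loads a system-named DLL from its own directory and
    that DLL does not carry a valid Authenticode signature."""
    image = PureWindowsPath(ev.get("Image", ""))
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    if loaded.name.lower() not in SYSTEM_DLLS:
        return False  # not a name the loader would otherwise take from System32
    if loaded.parent != image.parent:
        return False  # resolved from System32 or elsewhere: the normal case
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus") == "Valid")
    return not signed_ok

def scan(lines):
    """Return (process image, loaded DLL) pairs that deserve analyst triage."""
    hits = []
    for ev in map(parse_event, lines):
        if is_sideload_candidate(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits

# Constructed sample records, not real telemetry: a trojanized Telegram loading an
# unsigned version.dll from its own folder, followed by three benign loads.
TG = "C:\\Users\\bob\\AppData\\Roaming\\Telegram\\"
SAMPLE_EVENTS = [
    f"Image={TG}Telegram.exe|ImageLoaded={TG}version.dll|Signed=false|SignatureStatus=Unavailable",
    f"Image={TG}Telegram.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|SignatureStatus=Valid",
    f"Image={TG}Telegram.exe|ImageLoaded={TG}tgvoip.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\uxtheme.dll"
    "|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for proc, dll in scan(SAMPLE_EVENTS):
        print(f"sideload candidate: {proc} loaded {dll}")
```

Legitimate software does ship DLLs that shadow system names, so a hit is a triage candidate rather than a verdict; comparing the DLL's hash against the vendor's release is the natural next step.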

In the campaign reviewed by Sophos, the victim launches the installer of one of the trojanized applications mentioned above, which drops the malicious components onto the system. The installer also creates a shortcut on the desktop and another in the Windows Startup directory.

When the victim launches the newly created desktop shortcut, the expected first step after installing the program, it does not simply start the application: a chain of malicious JavaScript commands runs on the system that does display the Telegram interface but also installs the second-stage loader in the background.

As mentioned above, the second-stage downloader is also a "clean" file, often digitally signed by large, normally trusted technology companies such as HP or Baidu. It is this application that, through a second sideloaded malicious DLL, downloads and installs a full-fledged backdoor on the target system, enabling the attackers to perform any action on the compromised computer.

"Double DLL sideloading" provides evasion, obfuscation and persistence, making it difficult for defenders to adapt to specific attack patterns and protect their networks effectively.

In summary, DLL sideloading has been an effective attack method for more than a decade, and combined with the sophisticated evasion techniques now used by cybercriminals, the threat becomes even more dangerous.

Author DeepWeb