Dragon's Breath APT Raises Cyber Attacks Against Chinese-Speaking Windows Users

    "Double DLL Sideloading" helps the attackers evade detection on targeted networks.

    A group of attackers known as "Dragon Breath", "Golden Eye Dog" or "APT-Q-27" is using sophisticated variations on the classic DLL sideloading technique to avoid detection.

    These attack variants begin with a "clean" application that performs no malicious function on its own. Most often this is the Telegram client, which then downloads a second-stage payload that is also "clean" and therefore not flagged by antivirus tools. That payload, in turn, becomes the channel for installing the actual malware.

    As mentioned above, trojanized versions of the Telegram app are the usual bait, but researchers have also found variants hidden in LetsVPN or WhatsApp installers. All of these applications target Chinese-speaking Windows users: the trojanized builds advertise a Chinese localization that the official versions of these applications do not offer. The surge in malicious activity recorded by Sophos analysts occurred in China, Hong Kong, Japan, Taiwan, Singapore and the Philippines.

    DLL sideloading is a technique attackers have used since 2010. It abuses the order in which Windows searches for DLL files. Cybercriminals place a malicious DLL with the same name as a legitimate DLL the application requires into that application's directory. When a user runs the application executable, the system loads the malicious DLL from the program folder in preference to the one in the Windows system directories.
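    The following is an added example, not part of the article or of Sophos' research. It models the search-order behaviour described above (application directory consulted before the system directory) with a constructed temporary layout, and shows the check a defender can run over an application folder: list DLLs whose names collide with known system DLLs. The system DLL names, directory names and file contents are all constructed for the example; a real check would compare against the actual system directory and verify signatures rather than file contents.

```python
"""Added example (not from the article): simulate the app-directory-first
DLL search order and flag application-directory DLLs that shadow a DLL of
the same name in the system directory."""
import tempfile
from pathlib import Path

# Constructed sample of system DLL names; a real system has thousands.
SAMPLE_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "msvcp140.dll"}


def resolve_dll(name, search_path):
    """Return the first path in search_path containing `name`.

    Mimics the simplified order the article describes: the application
    directory is searched before the Windows system directories.
    """
    for directory in search_path:
        candidate = Path(directory) / name
        if candidate.is_file():
            return candidate
    return None


def find_shadowed_dlls(app_dir, system_dll_names):
    """List DLL files in app_dir whose names collide with known system DLLs.

    Such a collision is the precondition for sideloading; each hit deserves
    a signature check against the vendor's shipped file list.
    """
    names = {n.lower() for n in system_dll_names}
    hits = []
    for entry in sorted(Path(app_dir).iterdir()):
        if entry.is_file() and entry.suffix.lower() == ".dll" and entry.name.lower() in names:
            hits.append(entry.name)
    return hits


def build_sample_layout(root):
    """Constructed layout: a fake system dir plus a fake app dir containing
    one colliding DLL and one app-specific DLL that collides with nothing."""
    system_dir = Path(root) / "System32"
    app_dir = Path(root) / "Program Files" / "ChatApp"
    system_dir.mkdir(parents=True)
    app_dir.mkdir(parents=True)
    for name in SAMPLE_SYSTEM_DLLS:
        (system_dir / name).write_bytes(b"legitimate")
    (app_dir / "version.dll").write_bytes(b"planted")   # shadows System32\version.dll
    (app_dir / "chatapp_ui.dll").write_bytes(b"benign")  # app-specific, no collision
    return system_dir, app_dir


def demo():
    """Run both checks on the constructed layout and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        system_dir, app_dir = build_sample_layout(root)
        loaded = resolve_dll("version.dll", [app_dir, system_dir])
        shadowed = find_shadowed_dlls(app_dir, SAMPLE_SYSTEM_DLLS)
        return {
            "loaded_from_app_dir": loaded.parent == app_dir,
            "loaded_bytes": loaded.read_bytes(),
            "shadowed": shadowed,
        }


if __name__ == "__main__":
    print(demo())
```

    The simulation is deliberately simplified: real Windows also consults the KnownDLLs list, which is always loaded from the system directory regardless of what sits in the application folder, so a production check should exclude those names from the collision list.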

    The malicious DLL typically carries code that, once loaded, runs arbitrary commands on the compromised computer with the privileges of the trusted, signed application used as the entry point.

    In the campaign reviewed by Sophos, victims launch the installer of one of the trojanized applications mentioned above, which drops the malicious components onto the system. The installer also creates a shortcut on the desktop and, at the same time, in the Windows Startup directory.

    When the victim launches the newly created desktop shortcut, the expected first step after installing the program, it does not simply start the application. Instead, a chain of malicious JavaScript commands runs on the system: it displays the Telegram interface, but also installs the second-stage loader in the background.

    As mentioned above, the second-stage loader is also a "clean" file, often digitally signed by large and usually trustworthy technology companies such as HP or Baidu. This application, through a second sideloaded malicious DLL, downloads and installs a full-featured backdoor on the target system, enabling the attackers to perform any action on the compromised computer.

    "Double DLL Sideloading" provides evasion, obfuscation and persistence, making it harder for defenders to adapt to specific attack patterns and protect their networks effectively.

    In summary, DLL sideloading has been an effective attack method for more than a decade, and combined with the sophisticated evasion techniques cybercriminals now use, the threat becomes even more dangerous.

    Author DeepWeb