Hackers Start Using Double DLL Sideloading to Evade Detection

Cyber Security Threat Summary:
A threat group tracked as Dragon Breath, Golden Eye Dog, or APT-Q-27 is using several more elaborate variants of the classic DLL sideloading technique to avoid detection. Each variant starts with a legitimate application, such as Telegram, sideloading a first-stage component; that component loads a second-stage executable, which may itself be a clean, signed program, and that executable in turn sideloads the malicious loader DLL.

“The attacker places a malicious DLL with the same name as the legitimate, required DLL in an application's directory. When the user launches the executable, Windows prioritizes the local malicious DLL over the one in the system folders. The attacker's DLL contains malicious code that loads at this stage, giving the attacker privileges or running commands on the host by exploiting the trusted, signed application that is loading it. In this campaign, the victims execute the installer of the mentioned apps, which drops components on the system and creates a desktop shortcut and a system startup entry. If the victim attempts to launch the newly created desktop shortcut, which is the expected first step, instead of launching the app, the following command is executed on the system. The command runs a renamed version of 'regsvr32[.]exe' ('appR[.]exe') to execute a renamed version of 'scrobj[.]dll' ('appR[.]dll') and supplies a DAT file ('appR[.]dat') as input to it. The DAT contains JavaScript code for execution by the script execution engine library ('appR[.]dll'). The JavaScript code launches the Telegram app user interface in the foreground while installing various sideloading components in the background.” (Bleeping Computer, 2023)

After the initial stage, the installer loads a second-stage application, using a legitimate dependency (libexpat[.]dll) as the intermediate. Sophos observed three variants of this second stage. The first renames "XLGame[.]exe" to "Application[.]exe", a clean executable signed by Beijing Baidu Netcom Science and Technology Co., Ltd. The second uses an unsigned clean loader, "KingdomTwoCrowns[.]exe". The third uses a digitally signed executable, "d3dim9[.]exe", signed by HP Inc. Because the malicious code only ever runs inside a clean, often signed, host process, these variations aid evasion, obfuscation, and persistence and make it harder for defenders to identify a consistent attack pattern.
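As an added example (not code from Sophos, BleepingComputer, or the campaign itself), the following Python script expresses the three signals in this chain as rules over Sysmon-style ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) records: a renamed copy of regsvr32[.]exe or scrobj[.]dll whose on-disk name no longer matches its PE OriginalFileName, a system-only DLL name resolving outside System32/SysWOW64, and an unsigned DLL loaded from an application's own non-standard directory. It then links flagged parent and child processes to surface the "doubled" pattern. The event records, paths, GUIDs, the trusted-directory baseline, and the parent/child relation between the two stages are constructed assumptions for the example, not captured campaign data.

```python
"""Detection rules for the doubled DLL sideloading chain.

Added example; not code from Sophos, BleepingComputer or the threat actor.
Input records are dicts shaped like Sysmon Event ID 1 (ProcessCreate) and
Event ID 7 (ImageLoad); the sample events below are constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Windows binaries abused when copied under a new name (appR.exe in the
# campaign is regsvr32.exe, appR.dll is scrobj.dll). Renaming a file does
# not change the PE's OriginalFileName, so a name mismatch is the signal.
WATCHED_ORIGINAL_NAMES = {"regsvr32.exe", "rundll32.exe", "mshta.exe",
                          "wscript.exe", "cscript.exe", "scrobj.dll"}
# DLLs that legitimately live only in the system directories; a same-named
# copy next to an application is the classic sideload described above.
SYSTEM_ONLY_DLLS = {"scrobj.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Where an application loading DLLs from its own directory is expected.
# Assumed baseline for the example; tune per environment.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower() + "\\"


def renamed_binary(evt):
    """Event 1 or 7: on-disk name differs from the PE's OriginalFileName."""
    image = evt["ImageLoaded"] if evt["EventID"] == 7 else evt["Image"]
    orig = evt.get("OriginalFileName", "").lower()
    if orig in WATCHED_ORIGINAL_NAMES and _name(image) != orig:
        return f"{image} is a renamed {orig}"
    return None


def shadowed_system_dll(evt):
    """Event 7: a system-only DLL name resolved outside System32/SysWOW64."""
    if evt["EventID"] != 7:
        return None
    loaded = evt["ImageLoaded"]
    if _name(loaded) in SYSTEM_ONLY_DLLS and not _dir(loaded).startswith(SYSTEM_DIRS):
        return f"{_name(loaded)} shadowed from {_dir(loaded)}"
    return None


def unsigned_sideload(evt):
    """Event 7: unsigned DLL loaded from the process's own, non-standard directory."""
    if evt["EventID"] != 7 or evt.get("Signed", "").lower() == "true":
        return None
    proc_dir, dll_dir = _dir(evt["Image"]), _dir(evt["ImageLoaded"])
    if proc_dir == dll_dir and not proc_dir.startswith(TRUSTED_DIRS):
        return f"{evt['Image']} sideloaded unsigned {_name(evt['ImageLoaded'])}"
    return None


RULES = (renamed_binary, shadowed_system_dll, unsigned_sideload)


def analyze(events):
    """Map ProcessGuid -> list of finding strings for every event that hits a rule."""
    findings = defaultdict(list)
    for evt in events:
        for rule in RULES:
            hit = rule(evt)
            if hit:
                findings[evt["ProcessGuid"]].append(hit)
    return dict(findings)


def double_sideload_chains(events):
    """(parent_image, child_image) pairs where a flagged process spawned another
    flagged process: the 'doubled' pattern, assuming stages run as parent/child."""
    findings = analyze(events)
    chains = []
    for evt in events:
        if (evt["EventID"] == 1 and evt.get("ParentProcessGuid") in findings
                and evt["ProcessGuid"] in findings):
            parent = next(e["Image"] for e in events
                          if e["ProcessGuid"] == evt["ParentProcessGuid"])
            chains.append((parent, evt["Image"]))
    return chains


APP = r"C:\Users\u\AppData\Local\appR"  # constructed drop directory
SAMPLE_EVENTS = [  # constructed records, not campaign telemetry
    # stage 1: shortcut runs a renamed regsvr32 that loads a renamed scrobj.dll
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXPLORER}",
     "Image": APP + r"\appR.exe", "OriginalFileName": "REGSVR32.EXE"},
    {"EventID": 7, "ProcessGuid": "{A}", "Image": APP + r"\appR.exe",
     "ImageLoaded": APP + r"\appR.dll", "OriginalFileName": "scrobj.dll", "Signed": "true"},
    # stage 2: clean executable (XLGame.exe renamed) sideloads an unsigned DLL
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": APP + r"\Application.exe", "OriginalFileName": "XLGame.exe"},
    {"EventID": 7, "ProcessGuid": "{B}", "Image": APP + r"\Application.exe",
     "ImageLoaded": APP + r"\libexpat.dll", "OriginalFileName": "libexpat.dll", "Signed": "false"},
    # benign: the real regsvr32 loading the real scrobj.dll
    {"EventID": 1, "ProcessGuid": "{C}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Windows\System32\regsvr32.exe", "OriginalFileName": "REGSVR32.EXE"},
    {"EventID": 7, "ProcessGuid": "{C}", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll", "OriginalFileName": "scrobj.dll", "Signed": "true"},
    # classic single sideload: same-named version.dll dropped next to a game
    {"EventID": 1, "ProcessGuid": "{D}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Users\u\Downloads\game\game.exe", "OriginalFileName": "game.exe"},
    {"EventID": 7, "ProcessGuid": "{D}", "Image": r"C:\Users\u\Downloads\game\game.exe",
     "ImageLoaded": r"C:\Users\u\Downloads\game\version.dll", "OriginalFileName": "version.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for guid, hits in analyze(SAMPLE_EVENTS).items():
        print(guid, hits)
    print("chains:", double_sideload_chains(SAMPLE_EVENTS))
```

Two caveats when applying this. The renamed scrobj[.]dll copy still carries a valid Microsoft signature, because Authenticode covers the file contents and not its name, so the OriginalFileName mismatch is the useful field, not the signature status. And the second-stage application may be started from the startup entry rather than as a direct child of the first stage, so in production the chain correlation should also key on the shared drop directory rather than on parent/child alone.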

Security Officer Comments:
Victims are lured with Trojanized versions of Telegram, LetsVPN, or WhatsApp, presented as builds for Android, iOS, or Windows that are allegedly tailored for Chinese users. These malicious versions are suspected to be promoted through BlackSEO or malvertising. Sophos analysts who tracked the group's recent attacks found that it primarily targets Chinese-speaking Windows users in China, Japan, Taiwan, Singapore, and the Philippines.

All three variants use the same text file (templateX[.]txt) to decrypt the final payload DLL, which is then executed on the system. The payload is a backdoor that accepts operator commands, including stealing clipboard contents and targeting the MetaMask cryptocurrency wallet Chrome extension. Although DLL sideloading has been a well-known and effective technique for over a decade, it remains unaddressed: Windows' default DLL search order still resolves a same-named DLL in the application directory first, and the mitigations available to developers (loading dependencies by full path, restricting the search path with SetDefaultDllDirectories) are opt-in and often not applied. The latest APT-Q-27 chain adds sideloading variations that are harder to track and produces a stealthier infection.

Suggested Corrections:
Analysts at Sophos have published IOCs that can be used to detect APT-Q-27: https://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/

Source:ne...ng-double-dll-sideloading-to-evade-detection/