Security News > 2023 > May > Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

An advanced persistent threat actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism.

"The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said.

"The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload.".

Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram.

A subsequent campaign detailed by the Chinese cybersecurity company in May 2022 highlighted the continued use of Telegram installers as a lure to deploy additional payloads such as gh0st RAT. Dragon Breath is also said to be part of a larger entity called Miuuti Group, with the adversary characterized as a "Chinese-speaking" entity targeting the online gaming and gambling industries, joining the likes of other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka.

"This double-clean-app technique employed by the Dragon Breath group, targeting a user sector that has traditionally been less scrutinized by security researchers, represents the continued vitality of this approach."

News URL

https://thehackernews.com/2023/05/dragon-breath-apt-group-using-double.html