BleepingComputer reports that the advanced persistent threat operation Dragon Breath, also known as APT-Q-27 and Golden Eye Dog, has launched new attacks using several variations of double DLL sideloading against Chinese-speaking Windows users in China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines.
Trojanized Telegram, WhatsApp, and LetsVPN apps have been used by Dragon Breath to sideload a second-stage payload, which in turn sideloads the malicious loader DLL, according to a report from Sophos.
Running the app installer deploys the components along with a desktop shortcut; clicking the shortcut executes a command that runs "appR.exe", which sideloads "appR.dll", before the second-stage app is loaded alongside a clean dependency.
Dragon Breath was observed using three different double DLL sideloading techniques to evade detection, all of which end in the decryption of the final payload DLL, which supports an extensive set of commands and can steal MetaMask cryptocurrency assets from the wallet's Google Chrome extension.
Meanwhile, the cybercrime operation Gold Melody, also known as UNC961 and Prophet Spider, has been identified by SecureWorks Counter Threat Unit researchers as an initial access broker selling compromised network access to other attackers for follow-on intrusions, according to The Hacker News.