Threat Management, Application security

Double DLL sideloading performed by APT operation

BleepingComputer reports that new attacks by the advanced persistent threat operation Dragon Breath, also known as APT-Q-27 and Golden Eye Dog, using several variations of double DLL sideloading have targeted Chinese-speaking Windows users in China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines. According to a report from Sophos, Dragon Breath has leveraged trojanized Telegram, WhatsApp, and LetsVPN apps to sideload a second-stage payload, which in turn sideloads the malicious malware loader DLL. Executing the app installers deploys the components and a desktop shortcut; clicking the shortcut executes a command that runs "appR.exe", which loads "appR.dll", before a second-stage app is loaded alongside a clean dependency. Three different double DLL sideloading techniques were observed in use by Dragon Breath in a bid to evade detection, all of which result in the decryption of the final payload DLL, which has extensive command support and the capability to exfiltrate MetaMask cryptocurrency assets from the MetaMask Google Chrome extension.
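As an added defender's example, not taken from the SC Media or Sophos reports: a small Python heuristic over constructed Sysmon-style process-create and image-load records that flags a process lineage in which two executables each load an unsigned DLL from their own directory, the shape of the appR.exe / appR.dll chain described above. The paths, PIDs, file names and the per-load "signed" flag are assumptions made for the sample data.

```python
import ntpath

# Constructed sample telemetry (not from the report), in a Sysmon-like shape:
#   ("create", pid, ppid, image_path)            ~ Sysmon event 1
#   ("load",   pid, module_path, signed_bool)    ~ Sysmon event 7
EVENTS = [
    ("create", 100, 1, "C:\\Users\\u\\AppData\\Local\\Temp\\appR.exe"),
    ("load", 100, "C:\\Windows\\System32\\kernel32.dll", True),
    ("load", 100, "C:\\Users\\u\\AppData\\Local\\Temp\\appR.dll", False),
    ("create", 101, 100, "C:\\Users\\u\\AppData\\Local\\Temp\\stage2\\clean_app.exe"),
    ("load", 101, "C:\\Users\\u\\AppData\\Local\\Temp\\stage2\\dep.dll", False),
    ("create", 200, 1, "C:\\Program Files\\Telegram Desktop\\Telegram.exe"),
    ("load", 200, "C:\\Windows\\System32\\ntdll.dll", True),
]

# Roots where same-directory DLL loads are expected; excluding them trades
# some coverage for far less noise from legitimately installed software.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_sideload(image, module, signed):
    """Unsigned DLL loaded from the loading executable's own directory, outside trusted roots."""
    if signed or not module.lower().endswith(".dll"):
        return False
    mod_dir = ntpath.dirname(module).lower()
    if mod_dir.startswith(TRUSTED_ROOTS):
        return False
    return mod_dir == ntpath.dirname(image).lower()


def double_sideload_alerts(events):
    """Return (pid, chain) for processes whose lineage shows two or more sideload-style loads."""
    image, parent, loads = {}, {}, {}
    for ev in events:
        if ev[0] == "create":
            _, pid, ppid, img = ev
            image[pid], parent[pid] = img, ppid
        else:
            _, pid, mod, signed = ev
            if pid in image and is_sideload(image[pid], mod, signed):
                loads.setdefault(pid, []).append(mod)
    alerts = []
    for pid in loads:
        chain, cur = [], pid
        while cur in image:  # walk up the lineage, newest process first
            chain.extend((ntpath.basename(image[cur]), ntpath.basename(m)) for m in loads.get(cur, []))
            cur = parent[cur]
        if len(chain) >= 2:
            alerts.append((pid, chain))
    return alerts


if __name__ == "__main__":
    for pid, chain in double_sideload_alerts(EVENTS):
        print(f"pid {pid}: double sideload chain {chain}")
```

A single same-directory unsigned load is common for legitimate software, which is why the alert fires only on the second one in a lineage.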
