Dragon Breath Group Intensifies Cyber Attacks on Kitayy-Speaking Windows Users

A group of attackers known by various names, such as “Dragon Breath”, “Golden Eye Dog”, and “Apt-Q-27” have adopted a new strategy to evade detection by using complex variations of classical malware DLL-bibliotek. This new strategy involves using a “pure” application that does not perform any harmful functions initially. Typically, the bait for victims is a trojanized version of the Telegram application which downloads a useful payload at the second stage. Moreover, these attackers also use variations of malicious software hidden in LETSVPN or WhatsApp programs aimed at Windows Chinese language users.

The researchers found that these applications were not fixed with antivirus agents and are aimed at users who do not have official versions of the above applications, attracting potential victims by the presence of Chinese localization. Sophos analysts have noted a spike in harmful activity in countries, including China, Hong Kong, Japan, Taiwan, Singapore, and the Philippines.

Attackers have been using Dll Sideloading method since 2010 that takes advantage of a vulnerable method of loading DLL files in Windows systems. Cybercriminals place harmful DLL biblioteum with the same name as the legitimate required DLL in the catalog of a particular application. When the user starts the executable application file, the system gives priority to the malicious DLL of the program instead of the one in the Windows system catalogs.

The DLL of the attackers contains a malicious code that loads and provides privileges to perform arbitrary commands on a compromised computer, using a trusted signed application as an entrance point. The victims are launched by the installer of trojanized applications which dumps the malicious components into the system. The installer also creates a shortcut on the desktop and in the Windows directory “Automobile”. If the victim launches the newly created shortcut from the desktop, a malicious JavaScript code will be completed, which shows the Telegram interface but installs the second stage loader in the background.

The loader of the second stage is a “clean” file and often has a digital signature of well-known technological companies that usually inspire confidence, such as HP or BAIDU. The second application, through the second stage, leads to the download and installation of a full-fledged backdoor in the target system through the introduction of a malicious DLL biblioteum. Thus, allowing attackers to perform any actions on a compromised computer.

Overall, this new strategy adopted by the attackers aims to avoid detection by making it more difficult for antivirus agents to identify them. As such, it is crucial to remain vigilant and avoid downloading applications from unverified sources to protect yourself from these kinds of attacks.

/Reports, release notes, official announcements.