Double DLL sideloading performed by APT operation
BleepingComputer reports that new attacks by the advanced persistent threat operation Dragon Breath, also known as APT-Q-27 and Golden Eye Dog, that involve several variations of double DLL sideloading have targeted Chinese-speaking Windows users in China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines.
According to a report from Sophos, Dragon Breath has leveraged trojanized Telegram, WhatsApp, and LetsVPN apps to sideload a second-stage payload, which in turn sideloads a malicious malware loader DLL.
Executing the app installers deploys the components and a desktop shortcut; clicking the shortcut runs a command that launches "appR.exe", which sideloads "appR.dll", before a second-stage app is loaded together with a clean dependency.
Three different double DLL sideloading techniques were observed to be employed by Dragon Breath in a bid to evade detection, all of which result in the decryption of the final payload DLL with extensive command support and the capability to exfiltrate MetaMask cryptocurrency assets from its Google Chrome extension.
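As an added detection example (not code from the SC Media piece or from Sophos's report), the script below flags the double sideloading pattern described above in image-load telemetry: an executable loading an unsigned DLL from its own, non-system directory, whose parent process did the same. The event fields are assumptions loosely modelled on Sysmon Event ID 7, and the sample events are constructed; "stage2.exe" and "helper.dll" are placeholder names.

```python
"""Flag single and chained (double) DLL sideloads in constructed image-load events."""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed events: (pid, parent_pid, image, loaded_dll, signed).
# Field names are an assumption modelled on Sysmon Event ID 7, not real telemetry.
EVENTS = [
    (100, 1,   r"C:\Users\u\AppData\Local\Temp\appR.exe",   r"C:\Users\u\AppData\Local\Temp\appR.dll",   False),
    (100, 1,   r"C:\Users\u\AppData\Local\Temp\appR.exe",   r"C:\Windows\System32\kernel32.dll",          True),
    (200, 100, r"C:\Users\u\AppData\Local\Temp\stage2.exe", r"C:\Users\u\AppData\Local\Temp\helper.dll", False),
    (300, 1,   r"C:\Program Files\Vendor\app.exe",          r"C:\Program Files\Vendor\plugin.dll",        True),
]


def is_sideload(image, dll, signed):
    """A load is suspicious when the DLL sits in the executable's own directory,
    that directory is not a Windows system directory, and the DLL is unsigned."""
    img_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(dll).lower()
    return img_dir == dll_dir and dll_dir not in SYSTEM_DIRS and not signed


def find_sideloads(events):
    """Return {pid: (parent_pid, image, dll)} for every process with a suspicious load."""
    hits = {}
    for pid, ppid, image, dll, signed in events:
        if is_sideload(image, dll, signed):
            hits[pid] = (ppid, image, dll)
    return hits


def find_double_sideloads(events):
    """Return (parent_image, parent_dll, child_image, child_dll) chains in which a
    process that sideloaded a DLL spawned a child that sideloaded one as well."""
    hits = find_sideloads(events)
    chains = []
    for pid, (ppid, image, dll) in hits.items():
        if ppid in hits:
            chains.append((hits[ppid][1], hits[ppid][2], image, dll))
    return chains


if __name__ == "__main__":
    for chain in find_double_sideloads(EVENTS):
        print("double sideload chain:", " -> ".join(chain))
```

On the constructed events the script reports one chain, appR.exe/appR.dll followed by stage2.exe/helper.dll, and ignores the signed vendor plugin and the system DLL load.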