The cyber threat actor known as Dragon Breath is actively using a multi-stage loader, dubbed RONINGLOADER, to deliver a customized version of the Gh0st RAT (Remote Access Trojan). This campaign primarily targets Chinese-speaking users through deceptive means, specifically employing trojanized NSIS installers that masquerade as legitimate applications like Google Chrome and Microsoft Teams, according to findings from Elastic Security Labs.
This infection chain is notable for its intricate, multi-stage delivery mechanism, which incorporates several redundant and advanced evasion techniques. These methods are specifically engineered to neutralize endpoint security products favored within the Chinese market. Security researchers Jia Yu Chan and Salim Bitam highlighted that these techniques include leveraging a legitimately signed driver, deploying custom WDAC policies (Windows Defender Application Control), and manipulating the Microsoft Defender binary through PPL (Protected Process Light) abuse. Dragon Breath, which is also tracked as APT-Q-27 and Golden Eye, has been active since at least 2020 and is linked to the larger Chinese-speaking Miuuti Group, which is known for attacks against the online gaming and gambling sectors.
In the most recent campaign detailed by Elastic Security Labs, the malicious NSIS installers act as a primary launchpad for two further embedded NSIS installers. One of these, “letsvpnlatest.exe,” is benign and installs the expected legitimate software. However, the second NSIS binary, “Snieoatwtregoable.exe,” is responsible for covertly initiating the full attack chain. This process involves dropping a DLL and an encrypted file (“tp.png”). The DLL’s function is to read the contents of the file masquerading as a PNG image, extracting a shellcode designed to execute another binary directly in memory.
The RONINGLOADER component performs several anti-detection maneuvers. It attempts to remove any userland hooks by loading a fresh copy of “ntdll.dll,” tries to elevate its privileges using the runas command, and scans running processes for a hard-coded list of antivirus solutions, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. If security processes are identified, the malware proceeds to terminate them. For Qihoo 360 processes specifically, the loader takes a more complex path: it blocks all network communication by altering the firewall, injects shellcode into the Volume Shadow Copy (VSS) service process (“vssvc.exe”) using the PoolParty technique after granting itself the SeDebugPrivilege token, and ultimately uses a signed driver named “ollama.sys” to terminate the processes via a temporary service called “xererre1,” before restoring the firewall. For other security software, the driver is deployed directly to perform termination.
Once security defenses are neutralized, RONINGLOADER runs batch scripts to bypass User Account Control (UAC) and create firewall rules that block connections associated with Qihoo 360 software. The malware also leverages PPL and the Windows Error Reporting system (“WerFaultSecure.exe”), an approach known as EDR-Freeze, to disable Microsoft Defender Antivirus. Further adding to its evasion capability, it targets WDAC by writing a malicious policy that explicitly blocks security products from Chinese vendors Qihoo 360 Total Security and Huorong Security. The ultimate objective of the loader is to inject a rogue DLL into the legitimate Windows process “regsvr32.exe” to conceal its operations and subsequently launch the next-stage payload—a modified Gh0st RAT—into a high-privilege system process like “TrustedInstaller.exe” or “elevation_service.exe.”
Reference:
