Specifically targeting Chinese Windows users! APT hacker group uses double DLL sideloading attacks

To this day, the traditional DLL sideloading technique remains one of the methods hackers use to launch effective attacks, and it is a thorny problem that Microsoft and many developers have been unable to solve for more than ten years. Now the APT (advanced persistent threat) hacker group known as “Dragon Breath” (also tracked as APT-Q-27 and Golden Eye Dog) is targeting Chinese-speaking Windows users in China, Taiwan, Hong Kong, Japan, Singapore and the Philippines. In its brand-new attack it has even adopted several variants of double DLL sideloading, achieving a more concealed infection chain that is harder for security protection mechanisms to track.

The new double sideloading method used by “Dragon Breath” splits the malicious sideloading into two stages. According to a Sophos report, the APT group uses Trojanized applications such as Telegram, WhatsApp or LetsVPN to initiate the download of a second-stage malicious payload, which in turn again sideloads a malicious DLL carrying the browser-targeting malware.

Once the user runs the app's installer, malicious components are planted and a desktop shortcut is deployed. If the user then clicks that shortcut, a command runs automatically: it executes “appR.exe”, which in turn loads “appR.Dll” before launching the second-stage application.
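The two-stage chain described above has a recognizable shape in endpoint telemetry: a process loads a DLL from its own user-writable folder, then spawns a child that does the same. The following is an added detection example written for this article, not code from Sophos or from the campaign itself; it uses Sysmon-style image-load (Event ID 7) and process-creation (Event ID 1) field names, and the sample records, process GUIDs and file names are constructed for illustration.

```python
"""Flag candidate DLL sideloads, and two-stage chains of them, in
Sysmon-style image-load (Event ID 7) and process-creation (Event ID 1)
records. Field names follow Sysmon; the sample records below are
constructed for this example, not taken from the reported campaign."""
from pathlib import PureWindowsPath

# Directories a standard user cannot write to without elevation. A DLL
# planted here would already imply admin rights, so the heuristic focuses
# on everything outside these roots (Temp, AppData, ProgramData, Downloads...).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_sideload_candidate(event: dict) -> bool:
    """True if an image-load event looks like a same-directory DLL sideload."""
    if event.get("EventID") != 7:
        return False
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    # The DLL sits in the executable's own folder (first stop in the search order)...
    if str(exe.parent).lower() != str(dll.parent).lower():
        return False
    # ...that folder is user-writable, so an installer or archive could have put it there...
    if str(dll.parent).lower().startswith(TRUSTED_ROOTS):
        return False
    # ...and the DLL itself carries no valid signature.
    return event.get("Signed", "false").lower() != "true"


def sideload_chains(events: list) -> list:
    """Return (parent_exe, child_exe) pairs where a process that sideloaded a DLL
    spawned a child that also sideloaded one: the double-sideload pattern."""
    sideloaders = {e["ProcessGuid"] for e in events if is_sideload_candidate(e)}
    chains = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        if e["ParentProcessGuid"] in sideloaders and e["ProcessGuid"] in sideloaders:
            chains.append((e["ParentImage"], e["Image"]))
    return chains


# Constructed sample: a dropped launcher loads its own DLL, then spawns a
# second-stage process that again loads a DLL from a user-writable path.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage1\launcher.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{A}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\stage1\launcher.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\stage1\launcher.dll",
     "Signed": "false"},
    {"EventID": 1, "ProcessGuid": "{B}", "ParentProcessGuid": "{A}",
     "Image": r"C:\ProgramData\stage2\helper.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage1\launcher.exe"},
    {"EventID": 7, "ProcessGuid": "{B}",
     "Image": r"C:\ProgramData\stage2\helper.exe",
     "ImageLoaded": r"C:\ProgramData\stage2\version.dll",
     "Signed": "false"},
    # Benign control: a system binary loading a signed system DLL is not flagged.
    {"EventID": 7, "ProcessGuid": "{C}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for parent, child in sideload_chains(SAMPLE_EVENTS):
        print(f"double sideload chain: {parent} -> {child}")
```

On real telemetry the same-directory-plus-unsigned rule will also match legitimate portable software, so the chain check (a sideloading parent spawning a sideloading child) is the higher-confidence signal; the single-event check is best used to enrich rather than alert on its own.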

Worryingly, the Dragon Breath group has adopted three different double DLL sideloading variants to evade security detection. All of them lead to the decryption of a final payload DLL that supports a large number of commands and lets the hackers steal digital assets from the MetaMask cryptocurrency wallet extension in Google Chrome.

