The Dragon Boss Solutions updater (signed RaceCarTwo.exe) silently delivers a PowerShell-based AV killer (ClockRemoval.ps1) that establishes WMI and scheduled-task persistence, disables security products, blocks vendor update domains, and adds Defender exclusions to protect follow-on payloads. Huntress registered the unclaimed update domain chromsterabrowser[.]com, sinkholed traffic, and observed 23,565 unique infected hosts attempting to download updates, demonstrating the update mechanism could be abused as a supply-chain vector. #ClockRemoval #DragonBossSolutions
Keypoints
- Signed Dragon Boss Solutions updater (RaceCarTwo.exe) uses Advanced Installer configuration to silently poll configured update URLs and install MSI payloads without user interaction.
- The delivered MSI unpacks a PowerShell AV-killer (ClockRemoval.ps1) that kills AV processes, disables services via the registry, runs uninstallers, deletes files, and performs repeated removal sweeps.
- Persistence is achieved via WMI event subscriptions and multiple SYSTEM-level scheduled tasks that re-establish protections and perform tight polling to kill AV processes at boot and periodically.
- The payload modifies hosts files to block AV vendor update domains and adds Windows Defender exclusions for staging directories to prevent detection of follow-on payloads.
- The update configuration baked in an unregistered primary domain (e.g., chromsterabrowser[.]com), meaning anyone registering it could push arbitrary payloads to all affected hosts; Huntress registered and sinkholed it, observing tens of thousands of callbacks.
- Modified, signed Chrome binaries were observed with the flag --simulate-outdated-no-au to disable Chrome auto-updates, demonstrating efforts to maintain persistence and victim exposure.
- Over a 24-hour period, 23,565 unique IPs from 124 countries contacted the sinkhole, including 324 hosts in high-value networks (universities, OT, government, healthcare, and Fortune 500 companies).
MITRE Techniques
- [T1546.010] Windows Management Instrumentation – WMI event subscriptions were created and maintained for persistence and to execute removal/killing logic; (‘For WMI persistence, the script establishes event subscriptions via Initialize-MbSetupWmiKill.’)
- [T1053.005] Scheduled Task/Job – Multiple SYSTEM-level scheduled tasks were created to run boot, startup, logon, and recurring removal passes; (‘The script creates five scheduled tasks running as SYSTEM’)
- [T1059.001] PowerShell – PowerShell is used to set the execution policy, run ClockRemoval.ps1, and perform reconnaissance and removal actions; (‘Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force’ and ‘Runs ClockRemoval.ps1 via PowerShellScriptLauncher.dll’)
- [T1218] Signed Binary Proxy Execution – The signed updater/installer (RaceCarTwo.exe) and the use of msiexec to deploy MSI payloads leverage legitimate signed binaries to execute malicious payloads; (‘it’s running out of msiexec and running a script called ClockRemoval.ps1.’)
- [T1562.001] Disable or Modify Security Tools – The payload kills AV processes, disables services via registry edits, and blocks vendor update domains to prevent reinstallation or updates; (‘The script maintains an explicit kill list targeting specific security vendors’ and ‘The Invoke-MbRemovalAvHostsBlock function writes these domains to the hosts file, redirecting them to 0.0.0.0.’)
- [T1112] Modify Registry – Registry manipulation is used to disable AV services and remove Run keys to stop security products from launching at startup; (‘Do-DisableServicesRegistryOnly disables AV services via registry manipulation and strips all AV-related Run keys’)
Indicators of Compromise
- [SHA256 Hash] Initial loader, MSI and script payloads – 909539d3ef8dedc3be56381256713fa5545cc7fd3d3d0e0428f7efb94a7e71cb (Initial Loader/Updater), 40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372 (Setup.msi), and 4 more hashes listed in the report.
- [Domain] Update and payload hosting – chromsterabrowser[.]com (primary update URL, sinkholed), dl.isready26[.]online (payload hosting referenced as ldk4945jfds.gif), and 7 more C2/update domains documented.
- [IP addresses] Sinkhole connections – 23,565 unique IP addresses contacted the registered update domain over 24 hours; 324 of these were mapped to high-value target networks.
- [File paths] Installation and payload locations – %SystemRoot%\System32\config\systemprofile\AppData\Local\WMILoad\ClockRemoval.ps1 (payload location), C:\Program Files (x86)\RaceCarTwoolutions\RaceCarTwo\updates\Update (update staging), plus many similar install directories.
- [Scheduled tasks] Persistence task names – ClockSetupWmiAtBoot and RemoveClockPeriodic (recurring 30-minute task), used to ensure WMI subscriptions persist and periodic removal activity runs.
- [WMI artifacts] Event consumers/subscriptions – MbRemovalMbSetupKillConsumer and MbRemovalMbSetupKillConsumerTrace created as event consumers for WMI-based execution and monitoring.
- [Code signing] Certificate subject – Dragon Boss Solutions LLC used as the code-signing subject on the updater and on modified Chrome binaries.
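As an added host-hunting example (written here, not code from the Huntress report), the following PowerShell checks a single Windows host for the artifacts listed above: the two named scheduled tasks, WMI subscription objects carrying the MbRemoval/MbSetupKill names, hosts-file entries redirected to 0.0.0.0, Windows Defender path exclusions, the payload script path, and chrome.exe processes launched with --simulate-outdated-no-au. It assumes an elevated session on a host with the ScheduledTasks and Defender modules available; the WMILoad directory split in the path is an assumption drawn from the garbled path on this page.

```powershell
# Added hunting script: collects ClockRemoval-related artifacts from this summary into $Findings.
# Run from an elevated PowerShell. It only reports; it changes nothing on the host.
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. SYSTEM-level scheduled tasks named in the IoC list
foreach ($name in 'ClockSetupWmiAtBoot', 'RemoveClockPeriodic') {
    $t = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($t) { $Findings.Add("Scheduled task present: $($t.TaskPath)$($t.TaskName) (state: $($t.State))") }
}

# 2. WMI event subscription artifacts (consumers, filters, bindings) in root\subscription
foreach ($class in '__EventConsumer', '__EventFilter', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Out-String) -match 'MbRemoval|MbSetupKill' } |
        ForEach-Object {
            $label = if ($class -eq '__FilterToConsumerBinding') { "$($_.Filter) -> $($_.Consumer)" } else { $_.Name }
            $Findings.Add("WMI ${class}: $label")
        }
}

# 3. hosts-file lines redirecting a domain to 0.0.0.0 (the AV vendor update-blocking technique)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*0\.0\.0\.0\s+\S+' } |
    ForEach-Object { $Findings.Add("hosts redirect to 0.0.0.0: $($_.Trim())") }

# 4. Defender path exclusions (the payload adds these for its staging directories)
$mp = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in @($mp.ExclusionPath)) { if ($p) { $Findings.Add("Defender path exclusion: $p") } }

# 5. Payload script on disk (directory split 'WMILoad' is an assumption) and Chrome with auto-update disabled
$stage = Join-Path $env:SystemRoot 'System32\config\systemprofile\AppData\Local\WMILoad\ClockRemoval.ps1'
if (Test-Path $stage) { $Findings.Add("Payload script on disk: $stage") }
Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" -ErrorAction SilentlyContinue |
    Where-Object { $_.CommandLine -like '*--simulate-outdated-no-au*' } |
    ForEach-Object { $Findings.Add("chrome.exe PID $($_.ProcessId) started with --simulate-outdated-no-au") }

# 6. Report for triage
if ($Findings.Count -eq 0) { 'No ClockRemoval artifacts found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Defender exclusions and 0.0.0.0 hosts entries also occur in legitimate configurations (ad-blocking hosts lists, developer exclusions), so treat those two checks as triage leads to review alongside the task and WMI hits rather than as confirmations on their own.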