A doubled “Dragon Breath” adds new air to DLL sideloading attacks

MITRE Techniques

• [T1574.001] DLL search order hijacking – The malicious loader DLL loads the payload by abusing a sideloading flow where a legitimate app loads a malicious DLL. ‘The malicious loader DLL finds templateX.txt in the same directory, loads the content, decrypts the payload loader shellcode, and executes it.’
• [T1218.011] Regsvr32 – The first-stage chain uses a renamed regsvr32-based execution path to run an alternate DLL; ‘It will execute the appR.dll library, which is another renamed Windows component, scrobj.dll — the script execution engine.’
• [T1059.007] JavaScript – The attacker uses JavaScript executed via a Windows shortcut to display the Telegram UI while dropping sideloading components; ‘When the shortcut is executed, the JavaScript code runs.’
• [T1547.001] Boot or Logon Autostart Execution – Persistence is achieved by creating a startup shortcut so the malware runs on startup; ‘The installer also creates a shortcut on the desktop… establishes persistence and allows for automatic execution after system startup.’
• [T1036] Masquerading – The attackers rename legitimate components to masquerade as legitimate software; ‘The second-stage clean loader is renamed once again to XLGameUpdate.exe, but its original (real) name is KingdomTwoCrowns.exe.’
• [T1027] Deobfuscation/Decompression – The payload is encrypted with a simple SUB/XOR scheme and then decrypted for execution; ‘The payload’s encryption is a simple combination of bytewise SUB and XOR.’
• [T1041] Exfiltration Over C2 Channel – The final backdoor stores and potentially exfiltrates data via a C2 path; includes references to an updated C2 address encoded in the data: ‘CopyC: updated C2 address (encoded with bytewise XOR 5 + BASE64)’.
• [T1204] User Execution – The infection begins when users run lure installers (Telegram, LetsVPN, WhatsApp); ‘When the malicious Telegram installer… is run, it installs and executes the sideloading package.’