Elastic Security Labs has documented a malware campaign by the Dragon Breath APT group built around a new multi-stage loader it calls RoningLoader, which combines several evasion and persistence techniques. The campaign primarily targets Chinese-speaking users and shows marked improvements in stealth, defense evasion, and maintaining long-term access. #DragonBreath #RoningLoader
Key points
- The campaign uses trojanized installers impersonating trusted applications like Google Chrome and Microsoft Teams.
- It abuses the Windows Protected Process Light (PPL) mechanism to disable Microsoft Defender's protections on infected systems.
- A legitimate, signed kernel driver is used to terminate antivirus processes from kernel mode, where user-mode protections such as PPL do not apply; a valid signature on the driver therefore does not make the load benign.
- RoningLoader employs complex process injection techniques such as thread pool injection, reflective PE loading, and process hollowing.
- The final payload is an updated variant of the gh0st RAT, giving the operators remote control, keylogging, clipboard hijacking, and cryptocurrency theft capabilities.
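The driver-assisted AV kill in the points above is the part of the chain that leaves the clearest host-level trail: a kernel driver loads from an unusual location, and within seconds several security-product processes exit. The script below is an added detection example written for this summary; it is not code from Elastic Security Labs or from the report. It correlates Sysmon-style DriverLoad (Event ID 6) and ProcessTerminate (Event ID 5) events over a time window. The event field names are a simplified stand-in for real Sysmon output, the sample events are constructed, the driver path and file name are invented, and the list of security-process names is an assumption (the Defender names themselves are real). Note that the driver's signature status is reported but deliberately not used as an exonerating filter, since the campaign's driver is validly signed.

```python
"""Correlate suspicious kernel driver loads with subsequent terminations of
security-product processes (added example, not from the original report).

Event shape is a simplified stand-in for Sysmon: event_id 6 = DriverLoad,
event_id 5 = ProcessTerminate; "image" holds the driver or process path.
"""
from datetime import datetime, timedelta
from typing import Iterable

# Assumed list of security-product process names (lower case). MsMpEng.exe and
# NisSrv.exe are real Microsoft Defender processes; the set is an illustration.
SECURITY_PROCESSES = {"msmpeng.exe", "nissrv.exe", "mssense.exe", "sensecncproxy.exe"}

# Directories a legitimately installed driver normally loads from. A driver
# loaded from anywhere else (user profile, Temp, ProgramData) is treated as
# suspicious regardless of whether its signature is valid, because a signed
# driver is exactly what this campaign uses.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

WINDOW = timedelta(seconds=60)  # look-ahead window after the driver load
MIN_KILLS = 2                   # terminations needed before alerting


def parse_ts(ts: str) -> datetime:
    """Timestamps in the constructed events use 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def basename(path: str) -> str:
    """Return the file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def is_suspicious_driver_load(ev: dict) -> bool:
    """A DriverLoad whose image lives outside the trusted driver directories."""
    if ev["event_id"] != 6:
        return False
    return not ev["image"].lower().startswith(TRUSTED_DRIVER_DIRS)


def detect_driver_av_kill(events: Iterable[dict]) -> list[dict]:
    """For each suspicious driver load, collect security-process terminations
    that follow it within WINDOW and raise an alert if there are MIN_KILLS or more.
    Returns one alert dict per offending driver load."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(ordered):
        if not is_suspicious_driver_load(ev):
            continue
        t0 = parse_ts(ev["ts"])
        killed = []
        for later in ordered[i + 1:]:
            if parse_ts(later["ts"]) - t0 > WINDOW:
                break  # events are sorted, nothing later can be inside the window
            if later["event_id"] == 5 and basename(later["image"]).lower() in SECURITY_PROCESSES:
                killed.append(basename(later["image"]))
        if len(killed) >= MIN_KILLS:
            alerts.append({
                "driver": ev["image"],
                "signed": ev.get("signed", "unknown"),  # reported, never used to suppress
                "killed": killed,
            })
    return alerts


# Constructed sample: a benign driver load, then an invented signed driver loaded
# from a user-writable directory followed by two Defender process terminations,
# plus an unrelated process exit that must not count.
SAMPLE_EVENTS = [
    {"ts": "2025-01-01 09:00:00", "event_id": 6, "signed": "true",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"ts": "2025-01-01 09:01:00", "event_id": 6, "signed": "true",
     "image": "C:\\Users\\Public\\Libraries\\example_killer.sys"},
    {"ts": "2025-01-01 09:01:04", "event_id": 5,
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"},
    {"ts": "2025-01-01 09:01:05", "event_id": 5,
     "image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\NisSrv.exe"},
    {"ts": "2025-01-01 09:01:30", "event_id": 5,
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect_driver_av_kill(SAMPLE_EVENTS):
        print(f"ALERT: {alert['driver']} (signed={alert['signed']}) "
              f"followed by termination of {', '.join(alert['killed'])}")
```

The window and kill threshold are tuning knobs: a single Defender restart during a platform update can legitimately terminate one process, which is why the example requires at least two security-process exits after the load rather than one. In production you would key the termination check on the Sysmon `Image` field and the driver check on `ImageLoaded`, and feed the same correlation a list of known abused signed drivers as an additional, not a sole, signal.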