Elastic Security Labs uncovered a Chinese-language targeted campaign by Dragon Breath APT (APT-Q-27) distributing a modified gh0st RAT via trojanized NSIS installers and a unique loader dubbed RONINGLOADER. The multi-stage chain uses a signed kernel driver, WDAC policy tampering, PPL abuse of ClipUp to disable Microsoft Defender, and thread-pool based remote injection to terminate and bypass popular Chinese endpoint products. #DragonBreath #RONINGLOADER
Keypoints
- Campaign delivers a modified gh0st RAT through trojanized NSIS installers masquerading as legitimate apps (e.g., Google Chrome, Microsoft Teams).
- RONINGLOADER uses a signed kernel driver (ollama.sys) and custom service-loading to kill antivirus processes via a driver IOCTL that terminates processes by PID.
- Operators apply an unsigned WDAC policy that blocks executables from Qihoo 360 and Huorong and enable an Unsigned System Integrity Policy to load it.
- Protected Process Light (PPL) abuse via ClipUp is used to overwrite MsMpEng.exe, effectively disabling Microsoft Defender.
- Thread-pool triggered remote injection (via VSS and svchost targets) and phantom DLL side-loading (Wow64Log.dll) are used to terminate AV processes and run payloads.
- Multi-stage payloads include encrypted containers (custom .txt archives), batch scripts for UAC and firewall manipulation, and stages named goldendays.dll, trustinstaller.bin, Enpug.bin, and final gh0st RAT implant.
- Final implant retains gh0st RAT functionality: TCP C2 (XOR/RC4 encrypted), beaconing with detailed victim telemetry, command execution, keylogging, clipboard hijacking, and persistence mechanisms.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Malware uses batch scripts (1.bat, fhq.bat) to disable UAC and modify firewall rules (“1.bat disables User Account Control (UAC) by setting the EnableLUA registry value to 0”).
- [T1218] Signed Binary Proxy Execution – Abuse of legitimate signed components (regsvr32.exe, ClipUp.exe) and use of a valid signed driver (ollama.sys) to execute and load malicious code (“regsvr32.exe /S "C:\ProgramData\Roning\goldendays.dll"”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Persistence via scheduled batch in C:\Windows that monitors and restarts the malicious service (KPeYvogsPm.bat loop restarting MicrosoftSoftware2ShadowCop4yProvider).
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – Phantom DLL side-loading by placing 1.dll as C:\Windows\System32\Wow64\Wow64Log.dll to be loaded by WOW64 processes (“1.dll is copied to C:\Windows\System32\Wow64\Wow64Log.dll to be side-loaded”).
- [T1204] User Execution – Initial infection via trojanized NSIS installers masquerading as legitimate software to lure users to run installers (NSIS installers packaged as Chrome/Teams installers).
- [T1055] Process Injection – Multiple injection techniques including NtCreateSection/NtMapViewOfSection into vssvc.exe and CreateRemoteThread into TrustedInstaller/elevation_service (“creates sections, maps views into vssvc.exe, and executes shellcode via thread pool file-write trigger”).
- [T1543.003] Create or Modify System Process: Windows Service – Malware creates temporary services (xererre1, ollama, MicrosoftSoftware2ShadowCop4yProvider) to load drivers and run stages (“Create a service named xererre1 to load the driver” and “creates new service named MicrosoftSoftware2ShadowCop4yProvider”).
- [T1562.001] Impair Defenses: Disable or Modify Tools – Overwriting MsMpEng.exe via ClipUp PPL abuse to disable Microsoft Defender (“runs C:\Windows\System32\ClipUp.exe with -ppl … which overwrites MsMpEng.exe with junk data”).
- [T1486] Data Encrypted for Impact / [T1490] Inhibit System Recovery – Use of driver-based termination and firewall restoration to prevent AV reporting and stop recovery operations (driver kills AV processes; firewall temporarily blocked, then restored to prevent alerts).
- [T1113] Screen Capture / [T1056.001] Keylogging – Implant implements keylogging and clipboard monitoring, writing captured data to %ProgramData%\microsoft.dotnet.common.log (“implements a keystroke, clipboard, and active-window logger”).
Indicators of Compromise
- [SHA-256] Stage 1 installer and loader – da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b (initial NSIS installer), c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5 (Snieoatwtregoable.dll).
- [SHA-256] Drivers and encrypted payloads – 2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5 (ollama.sys), 1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7 (tp.png encrypted payload).
- [SHA-256] Stage artifacts and scripts – 395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d (1.bat), 1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2 (fhq.bat), 4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6 (1.dll).
- [SHA-256] WDAC policy and stage DLLs – 33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c ({31351756-3F24-4963-8380-4E7602335AAE}.cip), 33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c (goldendays.dll) and fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc (trustinstaller.bin).
- [Domain] C2 infrastructure – qaqkongtiao[.]com – hardcoded C2 domain for final payload communications.
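The MITRE techniques and indicators above translate directly into host-telemetry detections. The following is an added example (not code from Elastic Security Labs or the report) that runs a small rule set over constructed Sysmon-style events: it matches the listed file hashes, service names and C2 domain, and flags the behaviours the write-up describes (regsvr32 /S loading a DLL from ProgramData, ClipUp.exe launched with -ppl, EnableLUA set to 0, a Wow64Log.dll drop, a write to MsMpEng.exe). The event schema, field names and sample events are assumptions for illustration; the hashes, paths, service names and domain come from the page.

```python
"""Triage of Windows host telemetry against the RONINGLOADER tradecraft listed above.

Added example, not Elastic's code. Event schema (kind + flat Sysmon-like field dict)
and the SAMPLE events are constructed; indicators are copied from the write-up.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Indicators taken from the write-up (SHA-256 -> artifact name).
KNOWN_HASHES = {
    "da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b": "initial NSIS installer",
    "c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5": "Snieoatwtregoable.dll",
    "2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5": "ollama.sys",
    "1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7": "tp.png",
    "395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d": "1.bat",
    "1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2": "fhq.bat",
    "4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6": "1.dll",
    "fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc": "trustinstaller.bin",
}
C2_DOMAINS = {"qaqkongtiao.com"}
SUSPICIOUS_SERVICES = {"xererre1", "ollama", "microsoftsoftware2shadowcop4yprovider"}


@dataclass
class Event:
    kind: str   # process | registry | file | service | dns  (assumed schema)
    f: dict     # Sysmon-style fields: Image, CommandLine, SHA256, TargetObject, ...


def _image(ev: Event) -> str:
    return ev.f.get("Image", "").lower()


def r_hash(ev: Event) -> Optional[str]:
    h = ev.f.get("SHA256", "").lower()
    if ev.kind == "process" and h in KNOWN_HASHES:
        return "known RONINGLOADER artifact executed: " + KNOWN_HASHES[h]
    return None


def r_regsvr32(ev: Event) -> Optional[str]:  # T1218: silent regsvr32 of a DLL under ProgramData
    cmd = ev.f.get("CommandLine", "").lower()
    if ev.kind == "process" and _image(ev).endswith("\\regsvr32.exe") \
            and "/s" in cmd.split() and "\\programdata\\" in cmd:
        return "T1218 regsvr32 /S loading DLL from ProgramData"
    return None


def r_clipup(ev: Event) -> Optional[str]:  # T1562.001: ClipUp with -ppl (page: used to overwrite MsMpEng.exe)
    if ev.kind == "process" and _image(ev).endswith("\\clipup.exe") \
            and "-ppl" in ev.f.get("CommandLine", "").lower():
        return "T1562.001 ClipUp.exe -ppl (PPL abuse against Defender)"
    return None


def r_msmpeng(ev: Event) -> Optional[str]:  # T1562.001: any write to MsMpEng.exe; allow-list platform updates in triage
    if ev.kind == "file" and ev.f.get("TargetFilename", "").lower().endswith("\\msmpeng.exe"):
        return "T1562.001 write to MsMpEng.exe by " + _image(ev)
    return None


def r_enablelua(ev: Event) -> Optional[str]:  # page: 1.bat sets EnableLUA to 0
    key = ev.f.get("TargetObject", "").lower()
    val = ev.f.get("Details", "").strip().lower()
    if ev.kind == "registry" and key.endswith("\\policies\\system\\enablelua") \
            and val in {"0", "dword (0x00000000)"}:
        return "T1562.001 UAC disabled (EnableLUA=0)"
    return None


def r_wow64log(ev: Event) -> Optional[str]:  # T1574.001: phantom DLL under System32
    if ev.kind == "file" and ev.f.get("TargetFilename", "").lower().endswith("\\wow64log.dll"):
        return "T1574.001 Wow64Log.dll dropped (phantom DLL side-loading)"
    return None


def r_service(ev: Event) -> Optional[str]:  # T1543.003: service names from the chain
    if ev.kind == "service" and ev.f.get("ServiceName", "").lower() in SUSPICIOUS_SERVICES:
        return "T1543.003 service name from RONINGLOADER chain: " + ev.f["ServiceName"]
    return None


def r_dns(ev: Event) -> Optional[str]:
    if ev.kind == "dns" and ev.f.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        return "C2 domain lookup: " + ev.f["QueryName"]
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    r_hash, r_regsvr32, r_clipup, r_msmpeng, r_enablelua, r_wow64log, r_service, r_dns]


def triage(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, finding) pairs; one event may fire several rules."""
    return [(i, msg) for i, ev in enumerate(events) for rule in RULES if (msg := rule(ev))]


# Constructed sample telemetry; the first two events are benign and must not fire.
SAMPLE = [
    Event("process", {"Image": r"C:\Windows\System32\regsvr32.exe",
                      "CommandLine": r'regsvr32.exe "C:\Program Files\Vendor\plugin.dll"', "SHA256": "aa" * 32}),
    Event("service", {"ServiceName": "Spooler"}),
    Event("process", {"Image": r"C:\Users\u\Downloads\ChromeSetup.exe", "CommandLine": "ChromeSetup.exe",
                      "SHA256": "da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b"}),
    Event("service", {"ServiceName": "xererre1"}),
    Event("registry", {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
                       "Details": "DWORD (0x00000000)"}),
    Event("process", {"Image": r"C:\Windows\System32\regsvr32.exe",
                      "CommandLine": r'regsvr32.exe /S "C:\ProgramData\Roning\goldendays.dll"', "SHA256": "bb" * 32}),
    Event("process", {"Image": r"C:\Windows\System32\ClipUp.exe", "CommandLine": "ClipUp.exe -ppl", "SHA256": "cc" * 32}),
    Event("file", {"Image": r"C:\ProgramData\Roning\stage.exe", "TargetFilename": r"C:\Windows\System32\Wow64\Wow64Log.dll"}),
    Event("dns", {"QueryName": "qaqkongtiao.com"}),
]

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE):
        print(f"event {idx}: {finding}")
```

Hash and domain matches are exact-match lookups and age quickly; the behavioural rules (regsvr32 /S from ProgramData, ClipUp -ppl, EnableLUA=0, Wow64Log.dll drops, writes to MsMpEng.exe) carry over to retooled variants and are the ones worth keeping in a SIEM. The MsMpEng.exe rule fires on legitimate Defender platform updates as written, so pair it with an allow-list of the updater's image path in production.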
Read more: https://www.elastic.co/security-labs/roningloader