Full Report
The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams, according to Elastic Security Labs. "The
Analysis Summary
# Threat Actor: Dragon Breath
## Attribution & Identity
**Known Aliases:** APT-Q-27, Golden Eye.
**Associated Groups:** Linked to the larger Chinese-speaking entity tracked as Miuuti Group.
**Historical Activity:** Active since at least 2020. Previously highlighted in May 2023 for double-dip DLL side-loading campaigns.
## Activity Summary
The actor is currently running a campaign utilizing the multi-stage loader **RONINGLOADER** to deploy a modified variant of the **Gh0st RAT**. The campaign employs sophisticated evasion techniques aimed at neutralizing popular endpoint security products in the Chinese market.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Uses trojanized NSIS installers masquerading as legitimate software (e.g., Google Chrome, Microsoft Teams).
- **Infection Chain:** Multi-stage delivery involving two embedded NSIS installers; one benign (`letsvpnlatest.exe`) and one malicious (`Snieoatwtregoable.exe`).
- **File Execution:** The malicious NSIS binary delivers a DLL and an encrypted file ("tp.png") which is read to extract shellcode for in-memory execution.
- **Evasion/Defense Evasion:**
  - Loads a fresh `ntdll.dll` to remove userland hooks.
  - Attempts privilege escalation using the `runas` command.
  - Scans for and terminates security processes (Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, Qihoo 360 Total Security).
  - Abuses **Protected Process Light (PPL)** via custom WDAC policies and tampering with the Microsoft Defender binary.
  - Uses a legitimately signed driver (**ollama.sys**) to terminate processes via a temporary service ("xererre1").
  - If Qihoo 360 is present, it blocks network communication via the firewall, gains `SeDebugPrivilege`, and injects shellcode into the VSS service process (`vssvc.exe`) using the **PoolParty** injection technique.
  - Executes batch scripts post-security tool termination to bypass UAC and set firewall rules to block Qihoo 360 communication.
## Targeting
- **Sectors:** Online gaming and gambling industries (based on Miuuti Group association).
- **Geography:** Primarily aimed at **Chinese-speaking users**, and previously targeted users in the Philippines, Japan, Taiwan, Singapore, and Hong Kong.
- **Victims:** Not specifically named, but targeting organizations within the aforementioned geographies and sectors.
## Tools & Infrastructure
- **Malware families used:** RONINGLOADER (multi-stage loader), Gh0st RAT (modified variant).
- **Infrastructure:** Uses a signed driver named "ollama.sys".
## Implications
Dragon Breath is using highly advanced, layered evasion techniques, specifically tailored to bypass security solutions prevalent in the Chinese market (like 360 Total Security). The deliberate disabling of security tools and the use of legitimate signed drivers (living off the land techniques) indicate a sophisticated, nation-state-level capability focused on ensuring persistence and stealthy remote access via Gh0st RAT.
## Mitigations
- Monitor for the execution of trojanized NSIS installers disguised as legitimate software updates.
- Watch for attempts to manipulate the firewall or introduce/load unauthorized drivers (e.g., "ollama.sys").
- Implement enhanced monitoring around the Volume Shadow Copy Service (VSS) process (`vssvc.exe`) for unexpected process injection or privilege escalation attempts.
- Deploy and enforce custom WDAC policies to restrict the execution of unsigned or untrusted drivers.
- Investigate system behavior related to PPL abuse and attempts to disable or terminate security software processes.
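The following script is an added example for the detection side of the TTPs and mitigations listed above; it is not part of Elastic's report or of the actor's tooling. It runs a few triage rules over Windows event records: a kernel-driver service registered from a user-writable path (or using the `ollama.sys` name from the summary), a security-engine process exiting shortly after such a driver was registered, a `netsh advfirewall` block rule aimed at a security product, and a non-system process opening a handle to `vssvc.exe`. Event field names loosely follow Sysmon and System-log conventions but are assumptions, the sample records are constructed, and `MsMpEng.exe` is the only security-engine image name used (Defender's engine; the other products' process names are not on the page).

```python
"""Triage rules for the Dragon Breath / RONINGLOADER behaviours (added example).

Event records are simplified dicts; field names are assumptions and the
SAMPLE_EVENTS list is constructed, not real telemetry.
"""
from dataclasses import dataclass

# Driver name taken from the summary above (abused for process termination).
KNOWN_ABUSED_DRIVERS = ("ollama.sys",)
# A kernel driver registered from a user-writable directory is suspicious
# regardless of its name.
USER_WRITABLE_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Substrings identifying the security products named in the summary.
SECURITY_PRODUCT_HINTS = ("360", "kingsoft", "tencent", "defender", "msmpeng")
# Security-engine processes whose exit right after a driver load matters
# (assumption: only Defender's engine name is used here).
SECURITY_PROCESS_NAMES = ("msmpeng.exe",)
CORRELATION_WINDOW_S = 60  # driver install -> engine exit window (assumed)


@dataclass
class Finding:
    rule: str
    ts: int
    detail: str


def _low(v):
    return (v or "").lower()


def _base(path):
    return _low(path).rsplit("\\", 1)[-1]


def check_driver_service(e):
    """System log 7045: a new service whose binary is a kernel driver."""
    if e["id"] != 7045:
        return None
    path = _low(e.get("ImagePath"))
    if not path.endswith(".sys"):
        return None
    if _base(path) in KNOWN_ABUSED_DRIVERS or any(d in path for d in USER_WRITABLE_DIRS):
        return Finding("driver_service_install", e["ts"], f"{e.get('ServiceName')} -> {path}")
    return None


def check_firewall_block(e):
    """Sysmon 1 (process creation): netsh rule that blocks a security product."""
    if e["id"] != 1:
        return None
    cl = _low(e.get("CommandLine"))
    if ("advfirewall" in cl and "add rule" in cl and "action=block" in cl
            and any(h in cl for h in SECURITY_PRODUCT_HINTS)):
        return Finding("firewall_block_security_product", e["ts"], cl)
    return None


def check_vss_access(e):
    """Sysmon 10 (process access): a non-system image opening vssvc.exe."""
    if e["id"] != 10:
        return None
    src = _low(e.get("SourceImage"))
    if _base(e.get("TargetImage")) == "vssvc.exe" and "\\windows\\system32\\" not in src:
        return Finding("vssvc_process_access", e["ts"], f"{src} access={e.get('GrantedAccess')}")
    return None


def scan_events(events):
    """Apply the per-event rules plus the driver-load / engine-exit correlation."""
    findings, driver_loads = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        for check in (check_driver_service, check_firewall_block, check_vss_access):
            f = check(e)
            if f:
                findings.append(f)
        if e["id"] == 7045 and _low(e.get("ImagePath")).endswith(".sys"):
            driver_loads.append(e["ts"])
        # Sysmon 5 (process terminated): a security engine dying shortly after
        # a driver was registered is the driver-backed kill described above.
        if (e["id"] == 5 and _base(e.get("Image")) in SECURITY_PROCESS_NAMES
                and any(0 <= e["ts"] - t <= CORRELATION_WINDOW_S for t in driver_loads)):
            findings.append(Finding("security_process_killed_after_driver_load", e["ts"], e["Image"]))
    return findings


# Constructed sample records (paths and rule names are made up for the example).
SAMPLE_EVENTS = [
    {"id": 1, "ts": 100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"id": 7045, "ts": 110, "ServiceName": "xererre1", "ImagePath": "C:\\Users\\Public\\ollama.sys"},
    {"id": 5, "ts": 115, "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"id": 1, "ts": 120, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="blk" dir=out action=block '
                    'program="C:\\Program Files\\360\\360tray.exe"'},
    {"id": 10, "ts": 130, "SourceImage": "C:\\Users\\Public\\Snieoatwtregoable.exe",
     "TargetImage": "C:\\Windows\\System32\\vssvc.exe", "GrantedAccess": "0x1FFFFF"},
    {"id": 5, "ts": 140, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"id": 7045, "ts": 200, "ServiceName": "Vendor Updater", "ImagePath": "C:\\Program Files\\Vendor\\upd.exe"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.ts}] {f.rule}: {f.detail}")
```

The rules are deliberately behaviour-based rather than hash-based: the driver rule fires on any kernel driver registered from a user-writable location, so a renamed copy of the driver is still caught, and the engine-exit correlation depends only on the ordering of a service install and a process-termination event, which survives changes to the service name.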