A new and sophisticated threat has emerged, specifically targeting Chinese users, with the alarming capability to disable security tools. This malware, known as RONINGLOADER, operates as a multi-stage loader that disseminates a modified version of the notorious gh0st RAT. Utilizing clever evasion techniques, it effectively bypasses antivirus protections.
RONINGLOADER infiltrates systems through counterfeit software installers masquerading as legitimate applications, such as Google Chrome and Microsoft Teams. Once it gains entry, the malware employs a layered approach to infection, systematically disabling Windows Defender and popular Chinese security solutions like Qihoo 360 Total Security and Huorong.
This latest campaign underscores the evolving tactics of cyber attackers, showcasing their enhanced ability to penetrate security defenses. RONINGLOADER introduces its own signed driver, which appears legitimate to Windows but is designed to terminate security processes. Its multifaceted approach to disabling security measures is particularly concerning; if one method fails, the malware has multiple fallback strategies to ensure its success.
The Dragon Breath APT group, responsible for this campaign, has clearly refined its techniques based on insights gained from previous operations. Elastic security analysts, while monitoring detection systems, identified this campaign through a behavioral rule aimed at detecting abuse of Protected Process Light.
In their research, the team discovered that RONINGLOADER employs a technique that was publicly documented only months prior. This malware exploits a Windows feature intended to safeguard critical system processes, turning it against Windows Defender itself.
Attack Method and Infection Chain
The infection process begins with a trojanized NSIS installer that drops multiple components onto the victim’s system. When a user executes what they believe to be a standard software installer, they inadvertently activate two distinct installers.
One installer deploys the genuine software to avoid arousing suspicion, while the other quietly initiates the attack chain. The malware creates a directory at C:\Program Files\Snieoatwtregoable and deposits two files: Snieoatwtregoable.dll and an encrypted file named tp.png.
The DLL file decrypts tp.png using a straightforward yet effective algorithm that combines XOR encryption with a rotation operation:
encrypted_file_content[idx] = __ROR1__(encrypted_file_content[idx] ^ xor_key[idx], 4);  // per byte: XOR with the key byte, then rotate the result right by 4 bits
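To make the decryption step concrete, here is an added reference implementation of the XOR-then-rotate transform described above, written as an offline analyst's decoder. It is example code, not from the article or from Elastic's write-up; the key bytes, the rule that the key cycles over the payload, and the sample payload are all constructed assumptions (the article gives the operation but not the key), and the "MZ" header check is the usual sanity check an analyst uses to confirm a guessed key actually yields a PE file.

```python
# Added example: reference decoder for the per-byte "XOR with key byte, then
# rotate right by 4" transform the article attributes to Snieoatwtregoable.dll.
# Key, key-cycling rule and sample payload are constructed assumptions.

def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right by `count` bits (decompiler's __ROR1__)."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF


def rol8(value: int, count: int) -> int:
    """Rotate an 8-bit value left by `count` bits."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def decrypt_payload(encrypted: bytes, xor_key: bytes) -> bytes:
    """Per byte: XOR with the corresponding key byte, then ROR by 4.

    Assumption: the key is cycled over the payload (xor_key[i % len(key)]).
    """
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    key_len = len(xor_key)
    return bytes(ror8(b ^ xor_key[i % key_len], 4) for i, b in enumerate(encrypted))


def encrypt_payload(plain: bytes, xor_key: bytes) -> bytes:
    """Inverse transform (ROL by 4, then XOR); used only to build the fixture."""
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    key_len = len(xor_key)
    return bytes(rol8(b, 4) ^ xor_key[i % key_len] for i, b in enumerate(plain))


def looks_like_pe(data: bytes) -> bool:
    """Cheap key-validation check: a decoded PE payload starts with the 'MZ' DOS magic."""
    return data[:2] == b"MZ"


# Constructed sample (not a real binary and not the real key): a fake DOS header
# followed by filler, encrypted with a constructed 4-byte key.
SAMPLE_KEY = bytes([0x5A, 0x13, 0x7C, 0xE9])
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed-sample-not-a-real-binary"
SAMPLE_ENCRYPTED = encrypt_payload(SAMPLE_PLAIN, SAMPLE_KEY)


def try_key(encrypted: bytes, candidate_key: bytes) -> bool:
    """Return True when a candidate key decodes the blob into something PE-shaped."""
    return looks_like_pe(decrypt_payload(encrypted, candidate_key))


if __name__ == "__main__":
    decoded = decrypt_payload(SAMPLE_ENCRYPTED, SAMPLE_KEY)
    print("key accepted:", try_key(SAMPLE_ENCRYPTED, SAMPLE_KEY))
    print("decoded head:", decoded[:4])
```

Because a 4-bit rotate of an 8-bit value simply swaps the two nibbles, ROR and ROL by 4 are the same operation; the separate rol8 is kept only so the inverse reads the way it is derived. In practice an analyst would run try_key over a small set of key candidates recovered from the DLL and keep the one that produces a valid DOS header.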
Upon decryption, the malware loads fresh system libraries to eliminate any security hooks that might detect its actions. It then elevates its privileges using the runas command and scans for active security software.
Specifically, RONINGLOADER targets Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security by checking their process names. To terminate these processes, the malware employs a signed driver named ollama.sys, which has been digitally signed by Kunming Wuqi E-commerce Co., Ltd.
This driver registers a single function that accepts a process ID and terminates it using kernel-level APIs that standard security tools cannot intercept. For Qihoo 360, the malware takes additional precautions by blocking all network connections through firewall rules before injecting code into the Volume Shadow Copy service process.
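Since the kill primitive lives in a validly signed third-party driver, the defender's leverage is in driver-load telemetry rather than in user-mode process monitoring. The following added example (not code from the article or from Elastic) runs a small triage over constructed Sysmon-style Event ID 6 (DriverLoad) records. The only indicators taken from the article are the driver name ollama.sys and the signer name; the publisher allowlist, the sample events, the hashes (placeholders) and the "outside the drivers directory" heuristic are assumptions for the example.

```python
# Added example: triage of driver-load events for the abuse pattern the article
# describes (a validly signed but unexpected kernel driver used to kill security
# processes). Sample telemetry below is constructed, not real host data.
import json

# Indicators named in the article.
KNOWN_ABUSED_DRIVERS = {"ollama.sys"}
KNOWN_ABUSED_SIGNERS = {"kunming wuqi e-commerce co., ltd."}

# Assumption: an environment-specific allowlist of publishers whose kernel
# drivers are expected on the fleet. Anything else deserves a look even if the
# signature is cryptographically valid.
EXPECTED_SIGNERS = {
    "microsoft windows",
    "microsoft windows hardware compatibility publisher",
}
DRIVERS_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed Sysmon Event ID 6-shaped JSON lines (hashes are placeholders).
SAMPLE_EVENTS = [
    '{"EventID": 6, "Computer": "ws01", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\disk.sys", '
    '"Signature": "Microsoft Windows", "SignatureStatus": "Valid", "Hashes": "SHA256=PLACEHOLDER1"}',
    '{"EventID": 6, "Computer": "ws01", "ImageLoaded": "C:\\\\Users\\\\Public\\\\ollama.sys", '
    '"Signature": "Kunming Wuqi E-commerce Co., Ltd.", "SignatureStatus": "Valid", "Hashes": "SHA256=PLACEHOLDER2"}',
    '{"EventID": 6, "Computer": "ws02", "ImageLoaded": "C:\\\\Windows\\\\Temp\\\\vendor_tool.sys", '
    '"Signature": "Some Vendor Ltd.", "SignatureStatus": "Valid", "Hashes": "SHA256=PLACEHOLDER3"}',
    '{"EventID": 1, "Computer": "ws02", "Image": "C:\\\\Windows\\\\System32\\\\notepad.exe"}',
]


def driver_file_name(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_driver_loads(lines):
    """Return a list of findings {host, driver, rule, severity} for DriverLoad events."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 6:
            continue  # only driver-load events are relevant here
        path = ev.get("ImageLoaded", "")
        name = driver_file_name(path)
        signer = ev.get("Signature", "").strip().lower()
        status = ev.get("SignatureStatus", "")

        def add(rule, severity):
            findings.append({"host": ev.get("Computer"), "driver": path,
                             "rule": rule, "severity": severity})

        if name in KNOWN_ABUSED_DRIVERS:
            add("known_abused_driver_name", "high")
        if signer in KNOWN_ABUSED_SIGNERS:
            add("known_abused_signer", "high")
        if status != "Valid":
            add("invalid_signature", "medium")
        elif signer not in EXPECTED_SIGNERS and signer not in KNOWN_ABUSED_SIGNERS:
            add("unexpected_signer", "low")
        # Heuristic (assumption): legitimate drivers normally live under the
        # system drivers directory; a load from elsewhere is worth noting.
        if not path.lower().startswith(DRIVERS_DIR):
            add("driver_outside_drivers_dir", "low")
    return findings


def highest_severity(findings):
    """Collapse findings to the single most severe level for alert routing."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f["severity"] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    results = triage_driver_loads(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['severity']:6} {f['host']} {f['rule']}: {f['driver']}")
    print("escalate as:", highest_severity(results))
```

Name and signer matches are brittle (a renamed copy of the same driver defeats the first rule), so the durable control is hash-based: blocking the driver's hash through the Microsoft vulnerable-driver blocklist or an equivalent policy, with the signer and path rules kept as a low-cost early warning for the next renamed variant.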
This injection utilizes Windows thread pools with file write triggers, a technique that further aids in evading detection.