RONINGLOADER, a sophisticated multi-stage loader, has been detected leveraging signed drivers to disable security software and evade Endpoint Detection and Response (EDR) tools. This new threat primarily targets users in China, deploying a modified gh0stRAT through trojanized installers.
Installation and Execution
The malicious software disguises itself as legitimate applications like Chrome and Teams through trojanized NSIS installers. Once installed, it establishes a directory at C:\Program Files\Snieoatwtregoable\ containing critical components such as Snieoatwtregoable.dll and an encrypted file named tp.png. The DLL decrypts this file using a combination of XOR and a rotate-right operation.
Security Evasion Techniques
In a calculated move, RONINGLOADER loads new system libraries to bypass existing security protocols and elevate its privileges using the 'runas' command. It further scans for several security products including Microsoft Defender, Kingsoft Internet Security, and Qihoo 360 Total Security.
Utilizing the signed driver, ollama.sys, registered by Kunming Wuqi E-commerce Co., Ltd., the malware effectively terminates security processes through kernel-level API access. Notably, RONINGLOADER creates a temporary service to facilitate the driver deployment, issues termination commands, and subsequently removes the service to cover its tracks. Qihoo 360 is additionally targeted by blocking its network connections with specific firewall rules.
Attribution and Sophistication
According to security analysts from Elastic, this campaign is attributed to the Dragon Breath APT group. RONINGLOADER exhibits multiple fallback strategies to neutralize security defenses and evade detection tools, marking a notable advancement in its threat capacity. The use of Windows Protected Process Light behaviors and alternate code injection techniques highlights the malware's sophisticated approach to escape detection while maintaining effectiveness.
