A new malware strain, dubbed RONINGLOADER, is actively targeting Chinese users with a tactic aimed squarely at neutralizing endpoint defenses. This multi-stage loader, which deploys a modified version of the gh0st RAT, uses several techniques to bypass antivirus software and endpoint detection and response (EDR) tools. The discovery highlights an escalation in the sophistication of loaders built specifically to cripple security mechanisms on infected systems.
RONINGLOADER arrives through deceptive software installers that masquerade as legitimate applications such as Google Chrome and Microsoft Teams. Once a user executes one of these installers, the malware begins a multi-layered infection process designed to systematically disable both Windows Defender and popular Chinese security products, including Qihoo 360 Total Security and Huorong. The attackers' ability to subvert these widely used security solutions underscores how the threat landscape is evolving.
RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools
The primary innovation of RONINGLOADER lies in its use of a signed driver to achieve its objectives. This driver, whose valid signature lets Windows load it like any legitimate kernel component, is instrumental in terminating security processes. The campaign is attributed to the Dragon Breath APT group, indicating a strategic and well-resourced threat actor that has apparently learned from and refined previous operational methods.
Elastic security analysts identified the campaign through behavioral analysis, specifically employing a rule engineered to detect abuses of Windows’ Protected Process Light feature. This technique allows the malware to gain privileged access and disrupt security software. Notably, RONINGLOADER leverages a method that was publicly documented mere months prior to its observed deployment, demonstrating the rapid adaptation of new attack techniques by malicious actors. By exploiting a feature intended for system process protection, the malware effectively turns a security mechanism against itself.
Attack Method and Infection Chain
The infection process commences with a trojanized NSIS (Nullsoft Scriptable Install System) installer, a common Windows packaging format. Upon execution, this installer drops multiple components onto the compromised system. The user, believing they are installing legitimate software, unknowingly triggers two distinct installer processes. One deploys the genuine application as intended, thereby avoiding immediate suspicion from the user. Simultaneously, the second installer initiates the malicious attack chain in the background.
The malware establishes a hidden directory at `C:\Program Files\Snieoatwtregoable`. Within this location, it places two files: `Snieoatwtregoable.dll` and an encrypted file named `tp.png`. The `Snieoatwtregoable.dll` module is responsible for decrypting `tp.png`. The scheme is straightforward but effective: each byte is XORed with a key byte and then rotated right by four bits, as the decompiled routine shows: `*encrypted_file_content = __ROR1__(*encrypted_file_content ^ xor_key[indx], 4);`
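The decryption loop above, re-implemented as an added example (this is not RONINGLOADER's code or Elastic's tooling). It assumes the key is applied cyclically (`xor_key[indx]` with `indx` wrapping at the key length); the key bytes and the sample buffer are constructed for the demo. Beyond the decryptor itself, it shows the inverse transform and a known-plaintext key recovery, since each output byte depends on exactly one key byte:

```python
# Added example (not RONINGLOADER's code): the per-byte XOR-then-rotate scheme
# the decompiled routine describes, written as decrypt/encrypt/key-recovery helpers.
# Assumptions: the key is applied cyclically (key[i % len(key)]); the key bytes and
# the sample buffer below are constructed for this demo, not recovered from a sample.

def ror8(value: int, count: int) -> int:
    """Rotate an 8-bit value right by `count` bits (what IDA renders as __ROR1__)."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF


def rol8(value: int, count: int) -> int:
    """Rotate an 8-bit value left by `count` bits (inverse of ror8)."""
    count %= 8
    return ((value << count) | (value >> (8 - count))) & 0xFF


def decrypt(buf: bytes, key: bytes) -> bytes:
    """out[i] = ROR8(in[i] ^ key[i % len(key)], 4), i.e. the decompiled loop."""
    if not key:
        raise ValueError("empty key")
    return bytes(ror8(b ^ key[i % len(key)], 4) for i, b in enumerate(buf))


def encrypt(buf: bytes, key: bytes) -> bytes:
    """Inverse: undo the rotate first, then the XOR."""
    if not key:
        raise ValueError("empty key")
    return bytes(rol8(b, 4) ^ key[i % len(key)] for i, b in enumerate(buf))


def recover_key(cipher: bytes, known_plain: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery: key[i % key_len] = cipher[i] ^ ROL8(plain[i], 4).
    A PE header ('MZ', e_lfanew, 'PE\\0\\0') usually supplies enough known bytes.
    Raises if the guessed key length contradicts the data."""
    key = [None] * key_len
    for i, (c, p) in enumerate(zip(cipher, known_plain)):
        k = c ^ rol8(p, 4)
        slot = i % key_len
        if key[slot] is None:
            key[slot] = k
        elif key[slot] != k:
            raise ValueError(f"key byte {slot} inconsistent at offset {i}: key_len={key_len} is wrong")
    if any(k is None for k in key):
        raise ValueError("known plaintext shorter than the key")
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check on the decrypted blob: a PE image starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed demo data: a 4-byte key and the first 16 bytes of a DOS header.
SAMPLE_KEY = bytes.fromhex("1337c0de")
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    print("ciphertext:", SAMPLE_CIPHERTEXT.hex())
    plain = decrypt(SAMPLE_CIPHERTEXT, SAMPLE_KEY)
    print("decrypted :", plain.hex(), "PE header?", looks_like_pe(plain))
    print("recovered :", recover_key(SAMPLE_CIPHERTEXT, SAMPLE_PLAINTEXT[:8], 4).hex())
```

Rotating a byte by four bits is just a nibble swap, so the rotation adds no secrecy: the scheme is a repeating-key XOR in disguise, and a few known header bytes recover the key as `recover_key` shows. For a real `tp.png`, read the file, try the candidate key length, and check the result with `looks_like_pe`.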
Following successful decryption, the malware loads fresh copies of system libraries, which sidesteps the user-mode hooks that security products place in already-loaded DLLs and would otherwise observe its subsequent activity. It then relaunches itself with elevated privileges via the runas command, a standard Windows utility for executing a command under different credentials, and scans the process list for active security software.
RONINGLOADER specifically targets Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security by matching the names of running processes. To terminate the identified security processes, the malware deploys the aforementioned signed driver, ollama.sys. This driver bears a digital signature from Kunming Wuqi E-commerce Co., Ltd., lending it an air of legitimacy within the Windows environment. The driver registers a single kernel-level function that accepts a process ID and forcefully terminates it. Because the termination happens in the kernel, it sidesteps the access checks that stop user-mode code from opening or terminating protected security processes.
The operational workflow involves writing the ollama.sys driver to disk, creating a temporary service to load it into memory, issuing the command to terminate the targeted security process, and then immediately deleting the temporary service to limit the evidence left on the host. For Qihoo 360 Total Security, RONINGLOADER employs additional countermeasures. Before injecting code, it establishes firewall rules that block all network connections originating from or destined for the security software, effectively isolating it. It then injects code into the Volume Shadow Copy service process, using a technique that leverages Windows thread pools and file write triggers to evade detection by security monitoring systems.
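The load, kill and unload sequence above leaves a short-lived driver service behind, and that transience is itself a detection handle. The following is an added example (not Elastic's rule and not RONINGLOADER code) that correlates a kernel-driver service install with a near-immediate deletion of its service key. It assumes Service Control Manager event 7045 ("A service was installed in the system") with ServiceName, ImagePath and ServiceType fields, and Sysmon event 12 (registry object create/delete) with EventType "DeleteKey" and a TargetObject path; the service name "ollama" and every event in the sample stream are constructed for the demo:

```python
# Added example (not Elastic's rule, not RONINGLOADER code): correlating a kernel-driver
# service install with a near-immediate deletion of its service key, the load/kill/unload
# pattern described above. Event shapes assumed here:
#   System log, Service Control Manager event 7045 ("A service was installed in the system"):
#       ServiceName, ImagePath, ServiceType ("kernel mode driver" for .sys drivers)
#   Sysmon event 12 (registry object create/delete): EventType "DeleteKey", TargetObject
# The service name "ollama" and every event below are constructed for this demo.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    ts: datetime
    source: str          # "System" (SCM) or "Sysmon"
    event_id: int
    fields: dict


def _norm_path(p: str) -> str:
    """Lower-case, unquote and drop the NT '\\??\\' prefix SCM often records."""
    p = p.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def _service_from_key(target: str) -> str:
    """'HKLM\\...\\Services\\foo' -> 'foo' (subkeys like ...\\foo\\Enum give 'enum')."""
    return target.rstrip("\\").split("\\")[-1].lower()


def kernel_driver_installs(events):
    return [e for e in events
            if e.source == "System" and e.event_id == 7045
            and "kernel" in e.fields.get("ServiceType", "").lower()]


def service_key_deletes(events):
    return [e for e in events
            if e.source == "Sysmon" and e.event_id == 12
            and e.fields.get("EventType") == "DeleteKey"
            and "\\services\\" in e.fields.get("TargetObject", "").lower()]


def detect_transient_drivers(events, window_seconds: int = 120):
    """Flag kernel drivers whose service key is deleted within the window after install.
    A legitimate uninstall hours later stays outside the window; a driver image
    outside System32\\drivers raises the severity."""
    window = timedelta(seconds=window_seconds)
    deletes = service_key_deletes(events)
    hits = []
    for inst in kernel_driver_installs(events):
        name = inst.fields["ServiceName"].lower()
        path = _norm_path(inst.fields.get("ImagePath", ""))
        age: Optional[timedelta] = None
        for d in deletes:
            if _service_from_key(d.fields["TargetObject"]) == name:
                delta = d.ts - inst.ts
                if timedelta(0) <= delta <= window:
                    age = delta
                    break
        if age is None:
            continue
        reasons = [f"service key deleted {int(age.total_seconds())}s after install"]
        severity = "medium"
        if "system32\\drivers\\" not in path:
            reasons.append("driver image outside System32\\drivers")
            severity = "high"
        hits.append({"service": name, "image": path, "severity": severity, "reasons": reasons})
    return hits


# Constructed sample stream: a normal driver install that is uninstalled an hour
# later, and a BYOVD-style driver dropped in a user-writable path and removed seconds later.
T0 = datetime(2025, 11, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    Event(T0, "System", 7045, {"ServiceName": "acmefilter",
                               "ImagePath": "System32\\drivers\\acmefilter.sys",
                               "ServiceType": "kernel mode driver"}),
    Event(T0 + timedelta(seconds=30), "System", 7045, {"ServiceName": "ollama",
                               "ImagePath": "\\??\\C:\\Users\\Public\\ollama.sys",
                               "ServiceType": "kernel mode driver"}),
    Event(T0 + timedelta(seconds=32), "Sysmon", 12, {"EventType": "DeleteKey",
                               "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ollama\\Enum"}),
    Event(T0 + timedelta(seconds=33), "Sysmon", 12, {"EventType": "DeleteKey",
                               "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\ollama"}),
    Event(T0 + timedelta(hours=1), "Sysmon", 12, {"EventType": "DeleteKey",
                               "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\acmefilter"}),
]


if __name__ == "__main__":
    for hit in detect_transient_drivers(SAMPLE_EVENTS):
        print(hit)
```

Deleting the service does not remove the 7045 record from the System log or the Sysmon registry events, which is why the correlation still works after the loader has cleaned up. The window is the tuning knob: too wide and routine driver updates that replace a service land in the results, as the one-hour `acmefilter` uninstall does when the window is widened.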
The ongoing evolution of RONINGLOADER and its ability to disable robust security solutions through a signed driver and publicly documented techniques signals a persistent and growing threat. Security analysts anticipate that the Dragon Breath APT group will continue to refine its tactics, potentially targeting other regions or expanding its arsenal of evasion techniques. Users are advised to install software only from official sources and keep their security software up to date; defenders can additionally watch for the short-lived driver services the loader creates and deletes.