RONINGLOADER: DragonBreath's New Path to PPL Abuse

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation to disable Microsoft Defender. The infection chain begins with trojanized NSIS installers masquerading as legitimate software. RONINGLOADER leverages multiple stages to terminate antivirus processes, apply custom WDAC policies, and inject the final payload into trusted system processes. The campaign demonstrates an evolution in DragonBreath's tactics, showcasing adaptability and sophisticated evasion methods.

OPENCTI LABELS:

driver abuse, gh0st rat, apt, ppl abuse, chinese edr evasion, thread-pool injection, roningloader, wdac


AI COMMENTARY:

1. Introduction to RONINGLOADER: DragonBreath’s latest campaign introduces RONINGLOADER, a sophisticated multi-stage loader designed to deploy an updated gh0st RAT variant while evading detection by Chinese EDR solutions and disabling Microsoft Defender through PPL abuse.

2. Infection Chain and Trojanized Installers: The attack begins with NSIS installers masquerading as legitimate software. These installers are weaponized to deliver the first stage of RONINGLOADER under the guise of routine application updates, luring users into executing the malicious payload.

3. Multi-Stage Loader Architecture: RONINGLOADER operates in distinct phases that progressively escalate privileges and disable security controls. Initial components terminate running antivirus processes before loading a signed malicious driver, leveraging driver abuse to gain kernel-level execution without raising alarms.

4. PPL Exploitation and WDAC Policy Manipulation: In a notable escalation of technique, RONINGLOADER abuses Protected Process Light (PPL) to neutralize Microsoft Defender. This is achieved through custom Windows Defender Application Control (WDAC) policy modifications that allow the loader to bypass core security mechanisms and maintain persistence.

5. Thread-Pool Injection for Stealth: To further evade forensic analysis and sandboxing, the loader employs thread-pool injection. This method injects code into system processes by way of their existing thread pools rather than creating new remote threads, minimizing the footprint of suspicious activity and defeating many behavior-based detection engines.

6. Final Payload Deployment – gh0st RAT: After establishing a secure foothold and disabling defenses, RONINGLOADER injects its final payload, an updated gh0st RAT. This remote access trojan provides DragonBreath with full control over compromised systems, enabling data exfiltration, lateral movement, and long-term espionage on targeted networks.

7. Implications for Cyber Defense: The emergence of RONINGLOADER underscores the evolving threat landscape posed by APT groups such as DragonBreath. Security teams must enhance monitoring for driver loading events, PPL access attempts, and thread-pool injection behaviors. Updating WDAC policies and ensuring robust EDR coverage remain critical to detecting and mitigating such advanced evasion techniques.
