The RONINGLOADER malware employs a multi-stage loader to deliver a modified version of the gh0st RAT, specifically targeting Chinese users. It uses fake software installers to gain initial access to systems and then works through multiple layers to disable security software, including popular products such as Qihoo 360 Total Security. The malware employs a signed driver that appears legitimate to Windows, which allows it to terminate essential security processes.
The attackers behind RONINGLOADER, linked to the Dragon Breath APT group, have shown a significant evolution in their techniques. They have improved upon past campaigns by ensuring that if one method of disabling security fails, several fallback strategies are employed. Elastic security analysts tracked this malicious activity using behavioral rules that target Protected Process Light (PPL) abuse, revealing the malware's sophisticated infection methods. The campaign demonstrates an alarming advancement in malware tactics, with a focus on effectively bypassing established security measures.
Read the original: Cyber Security News