EXECUTIVE SUMMARY
A highly aggressive adware, linked to a company called Dragon Boss Solutions LLC, has been discovered to have a multi-stage attack chain designed to systematically disable security tools. The attack appears to target various sectors and regions, with a primary goal of disabling security applications and blocking their reinstallation. This allows the attackers to maintain control over compromised systems with ease. The malware is highly capable, running with SYSTEM privileges and using an off-the-shelf software update mechanism to conceal its malicious activities.
It disables security tools, establishes WMI persistence, and maintains an open door to deploy arbitrary payloads, including ransomware or infostealers, on demand. The update mechanism fetches and executes payloads silently, without user interaction, and can deliver payloads of any type: it is an off-the-shelf software updater repurposed to deploy MSI and PowerShell-based payloads, which could be swapped for more malicious ones at any time. The malware's authors have also embedded comments in the script detailing its capabilities and the kill list targeting specific security vendors and browser installers.
The script maintains an embedded JSON database of AV vendor domains to block and creates scheduled tasks running as SYSTEM to ensure persistence and block AV reinstallation. This is a high-risk threat that requires immediate attention. The fact that the attackers have embedded comments detailing their intentions and have established a mechanism for easy payload deployment makes this threat particularly concerning. Organisations should be on high alert and take proactive measures to protect themselves against this threat: ensure that all systems are patched and up to date, monitor for suspicious activity, and implement robust security controls to prevent the spread of malware. It is also essential to back up data regularly to ensure business continuity in case of a security breach.
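The two behaviours above that leave durable host artefacts, blocking of security-vendor domains and SYSTEM scheduled tasks that launch script interpreters or installers, can be triaged offline from collected files. The Python below is an added example written for this page, not code from the report or from the adware. The vendor domains, hosts entries and task XML are constructed samples (placeholder names, not the report's actual kill list), and hosts-file sinkholing is an assumed blocking mechanism, since the report does not state how the domains are blocked.

```python
"""Offline triage helpers for the behaviours described in the summary.

Added example, not from the original report. It checks
  1. a hosts file for security-vendor domains sinkholed to a non-routable address
     (assumed blocking mechanism; the report only says the domains are "blocked"), and
  2. exported Scheduled Task XML for tasks that run as SYSTEM and launch a script
     interpreter or installer with hidden/bypass/encoded switches.
All sample data below is constructed for the example.
"""
import json
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the JSON domain list the report says the script embeds.
VENDOR_DOMAINS_JSON = '["example-av-vendor.test", "update.example-edr.test"]'

# Constructed hosts file: two vendor domains sinkholed, one legitimate corporate entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0 example-av-vendor.test
0.0.0.0 www.example-av-vendor.test
127.0.0.1 update.example-edr.test   # sinkholed
10.0.0.5 intranet.corp.example
"""

SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


def find_sinkholed_domains(hosts_text, vendor_domains):
    """Return (address, hostname) pairs where a vendor domain, or a subdomain of one,
    is mapped to a loopback/unspecified address, i.e. blocked via the hosts file."""
    vendors = [d.lower() for d in vendor_domains]
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            n = name.lower()
            if n == "localhost":
                continue
            if any(n == v or n.endswith("." + v) for v in vendors):
                hits.append((addr, n))
    return hits


# Windows Task Scheduler XML uses this default namespace; ElementTree needs it spelled out.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"
INTERPRETERS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "msiexec", "cmd")
SUSPICIOUS_SWITCHES = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(xecutionpolicy)?\s+bypass|enc(odedcommand)?)\b", re.I)

# Constructed task export (XML declaration omitted so the string parses as-is).
# The script path is a placeholder, not a path from the report.
SAMPLE_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\ProgramData\\placeholder\\update.ps1</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def triage_task_xml(xml_text):
    """Return a list of human-readable findings for one exported task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for principal in root.iter(TASK_NS + "Principal"):
        uid = (principal.findtext(TASK_NS + "UserId") or "").strip().upper()
        if uid == SYSTEM_SID or uid.endswith("\\SYSTEM"):
            findings.append("runs as SYSTEM")
    for action in root.iter(TASK_NS + "Exec"):
        cmd = (action.findtext(TASK_NS + "Command") or "").strip()
        args = action.findtext(TASK_NS + "Arguments") or ""
        base = cmd.lower().replace("/", "\\").rsplit("\\", 1)[-1]   # strip any directory
        if base.startswith(INTERPRETERS):
            findings.append(f"launches {base}")
        if SUSPICIOUS_SWITCHES.search(args):
            findings.append("uses hidden/bypass/encoded PowerShell switches")
    return findings


if __name__ == "__main__":
    for hit in find_sinkholed_domains(SAMPLE_HOSTS, json.loads(VENDOR_DOMAINS_JSON)):
        print("sinkholed vendor domain:", hit)
    for finding in triage_task_xml(SAMPLE_TASK_XML):
        print("task finding:", finding)
```

On a live Windows host the inputs would come from `C:\Windows\System32\drivers\etc\hosts` and from `schtasks /Query /XML` (or `Export-ScheduledTask` in PowerShell); the WMI persistence the report mentions is not covered here and would be enumerated separately in the `root\subscription` namespace. A task that both runs as SYSTEM and launches an interpreter with hidden/bypass switches is the combination worth escalating first, since that matches the re-blocking behaviour described above.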
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1195 | Supply Chain Compromise | — |
| Initial Access | T1078 | Valid Accounts | — |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1036 | Masquerading | — |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1102 | Web Service | — |
REFERENCES:
The following reports contain further technical details:
https://www.securityweek.com/10-domain-could-have-handed-hackers-25k-endpoints-including-in-ot-and-gov-networks/
https://www.huntress.com/blog/pups-grow-fangs