Market Impact: 0.32

RONINGLOADER Weaponizes Signed Drivers to Disable Defender and Evade EDR Tools


RONINGLOADER is a multi-stage loader that delivers a modified gh0st RAT through trojanized NSIS installers posing as legitimate applications such as Chrome and Teams. The installer plants a stealthy payload, decrypts an embedded DLL and escalates privileges to bypass endpoint defenses; Elastic attributes the campaign to the Dragon Breath APT and flagged it with a behavioral rule for Protected Process Light abuse. The malware carries a legitimately signed kernel driver (ollama.sys, signed by Kunming Wuqi E-commerce Co., Ltd.) that uses kernel APIs to terminate Microsoft Defender and popular Chinese security products (Qihoo 360, Kingsoft, Tencent, Huorong); for Qihoo 360 it additionally blocks network traffic with firewall rules and injects into the Volume Shadow Copy service, and it carries multiple fallback methods to make sure the security tools are shut down. The operation demonstrates increased attacker sophistication and persistence, elevating the threat to enterprise endpoints in China and underscoring the need for vendor patches, kernel-level detection and behavioral defenses beyond signature-based AV.

Analysis

RONINGLOADER is a multi-stage loader that delivers a modified gh0st RAT through trojanized NSIS installers impersonating legitimate applications such as Google Chrome and Microsoft Teams. The installer drops Snieoatwtregoable.dll and an encrypted tp.png into C:\Program Files\Snieoatwtregoable\, decrypts the payload with an XOR-plus-rotate routine, loads clean system libraries, elevates via runas and enumerates running processes to target Microsoft Defender, Kingsoft, Tencent PC Manager, Qihoo 360 Total Security and Huorong. Elastic security analysts attribute the campaign to the Dragon Breath APT and detected it with a behavioral rule for Protected Process Light abuse, noting that the malware reuses a technique publicly documented months earlier. The campaign carries a legitimately signed kernel driver, ollama.sys (signed by Kunming Wuqi E-commerce Co., Ltd.), which exposes a kernel API for terminating protected security processes: the loader writes the driver to disk, registers a temporary service to load it, issues the termination commands and then deletes the service. For Qihoo 360 the malware additionally adds firewall block rules and injects into the Volume Shadow Copy service using thread-pool and file-write triggers. The code contains multiple fallback methods for disabling endpoint defenses, underscoring elevated attacker sophistication and the need for kernel-level behavioral detection and vendor patches.
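The write-driver, register-service, load, delete sequence described above leaves a recognisable trace in Windows service and driver-load telemetry. The following detection sketch is an added example, not code from Elastic or from the analysis; it runs over constructed sample events (the field names, the service name and the file paths are assumptions, only the driver name and signer come from the report) and flags a kernel-driver service whose driver is signed by a publisher outside an allowlist and which is removed shortly after installation.

```python
from datetime import datetime, timedelta

# Assumption: an organisation-maintained allowlist of kernel-driver publishers.
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
WINDOW = timedelta(minutes=5)  # how long after install a deletion still counts as "transient"

# Constructed sample telemetry (not real logs). Fields loosely modelled on
# System 7045 (service installed), Sysmon 6 (driver loaded) and a service-deletion record.
SAMPLE_EVENTS = [
    {"ts": "2025-11-10T09:00:01", "type": "service_installed", "service": "tmpsvc",
     "image": r"C:\Users\Public\ollama.sys", "start_type": "kernel_driver"},
    {"ts": "2025-11-10T09:00:02", "type": "driver_loaded",
     "image": r"C:\Users\Public\ollama.sys", "signer": "Kunming Wuqi E-commerce Co., Ltd."},
    {"ts": "2025-11-10T09:00:04", "type": "service_deleted", "service": "tmpsvc"},
    # Benign control: a long-lived, allowlisted driver service.
    {"ts": "2025-11-10T09:30:00", "type": "service_installed", "service": "vendorsvc",
     "image": r"C:\Windows\System32\drivers\vendor.sys", "start_type": "kernel_driver"},
    {"ts": "2025-11-10T09:30:01", "type": "driver_loaded",
     "image": r"C:\Windows\System32\drivers\vendor.sys",
     "signer": "Microsoft Windows Hardware Compatibility Publisher"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_transient_driver_services(events, window=WINDOW, trusted=TRUSTED_SIGNERS):
    """Return one alert per kernel-driver service whose driver is signed by a
    non-allowlisted publisher; severity is 'high' when the service is also
    deleted within `window` of being installed (load-use-delete pattern)."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "service_installed" or ev.get("start_type") != "kernel_driver":
            continue
        installed, image, svc = _ts(ev["ts"]), ev["image"].lower(), ev["service"]
        signer, deleted_after = None, None
        for later in events[i + 1:]:              # correlate only within the window
            if _ts(later["ts"]) - installed > window:
                break
            if later["type"] == "driver_loaded" and later["image"].lower() == image:
                signer = later.get("signer", "")
            elif later["type"] == "service_deleted" and later["service"] == svc:
                deleted_after = int((_ts(later["ts"]) - installed).total_seconds())
        if signer is None or signer in trusted:
            continue                              # allowlisted or never loaded: no alert
        alerts.append({"service": svc, "image": ev["image"], "signer": signer,
                       "deleted_after_s": deleted_after,
                       "severity": "high" if deleted_after is not None else "medium"})
    return alerts
```

A deletion-only signal would be noisy (vendor uninstallers behave the same way), so the untrusted signer is the gating condition and the quick removal only raises severity.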


Market Sentiment

Overall Sentiment

moderately negative

Sentiment Score

-0.45

Ticker Sentiment

ESTC: 0.30
GOOG: 0.00
GOOGL: 0.00
MSFT: -0.50

Key Decisions for Investors

  • Monitor Microsoft security disclosures and telemetry closely and consider hedging or trimming near-term MSFT exposure until Microsoft demonstrates effective mitigation of Protected Process Light/driver abuse risks
  • Consider increasing exposure to Elastic (ESTC) and other EDR/behavioral security vendors that benefit from demand for kernel-level detection and PPL monitoring, as Elastic’s detection work is a positive signal
  • Maintain or cautiously hold GOOGL/GOOG positions since Chrome/Teams were used as lures but are not reported compromised, and avoid knee-jerk reallocations absent broader enterprise-impact disclosures