Dragon RaaS Leading ‘Five Families’ Crimeware With New Initial Access & Exploitation Methods

A sophisticated Ransomware-as-a-Service (RaaS) operation known as ‘Dragon’ has emerged as the dominant force within the notorious “Five Families” of crimeware, implementing advanced initial access techniques and exploitation methods that have alarmed cybersecurity experts.

The Dragon RaaS operation has been linked to a series of high-profile attacks against critical infrastructure, financial institutions, and healthcare organizations over the past three months, with ransom demands averaging $3.4 million per incident.

Dragon RaaS Platform launch announcement via Telegram (Source – SentinelOne)

Security researchers have observed Dragon operators leveraging a previously undocumented vulnerability in widely-used VPN appliances to establish persistent access to corporate networks.


The exploitation chain begins with a specially crafted HTTP request that triggers memory corruption in the authentication module, effectively bypassing security controls.

SentinelOne researchers noted that Dragon operatives are using a custom-built command and control (C2) framework utilizing DNS tunneling to evade traditional network security monitoring.

“This represents a significant evolution in their operational security and reflects a level of sophistication previously only seen in nation-state actors,” explained the SentinelOne threat intelligence team in their analysis.

The threat actors behind Dragon have demonstrated a high level of technical proficiency, utilizing living-off-the-land techniques combined with novel obfuscation methods to remain undetected within compromised environments for an average of 26 days before initiating encryption routines.

During this dwell time, operators exfiltrate sensitive data for double-extortion leverage while conducting reconnaissance to identify critical systems.

Initial access vectors include phishing emails containing malicious Excel documents with embedded macros that download the first-stage loader through a PowerShell command.

The observed attack chain typically follows a pattern of using legitimate infrastructure to host malicious payloads.

Analysis of Exploitation Methods

The most concerning aspect of Dragon’s toolkit is its exploit for CVE-2023-2359, CVE-2023-6925 and CVE-2023-47784, which targets unpatched VPN appliances.

The exploitation involves sending a specially crafted HTTP POST request as shown below:

POST /api/v1/authentication HTTP/1.1
Host: [target]
Content-Type: application/json
Content-Length: 182

{"auth_method":"local","username":"admin","password":"password","overwrite_previous_session":true,"override_length":"%x%x%x%x%x%x%x%x%x%s%s%s%n%n%n"}
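From a detection standpoint, the tell-tale part of that request is the format-string directives packed into a JSON field. The following Python is an added illustration, not code from the article or the SentinelOne report: it scans constructed web-server access-log lines (the log layout and field names are assumptions) and flags authentication POST bodies whose string values carry a "%n" write directive or a run of leak directives.

```python
import json
import re

# Constructed web-server access-log lines (not real traffic), one request per
# line: "<src_ip> <method> <path> <json_body>"; field layout is an assumption.
SAMPLE_LOG = """\
203.0.113.7 POST /api/v1/authentication {"auth_method":"local","username":"jsmith","password":"hunter2","overwrite_previous_session":false}
203.0.113.9 POST /api/v1/authentication {"auth_method":"local","username":"admin","password":"password","overwrite_previous_session":true,"override_length":"%x%x%x%x%x%x%x%x%x%s%s%s%n%n%n"}
198.51.100.4 GET /api/v1/status
203.0.113.9 POST /api/v1/authentication {"auth_method":"local","username":"admin","password":"100% sure"}
"""

# "%n" never belongs in user input: it is the directive that turns a format-string
# bug into a memory write. Long runs of %x/%s/%p are the classic stack-leak probe.
WRITE_DIRECTIVE = re.compile(r"%\d*n")
LEAK_RUN = re.compile(r"(?:%\d*[xXspdu]){4,}")

def _strings(obj):
    # Yield every string value in a decoded JSON document, recursively.
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(v)

def suspicious_fields(body):
    # Reasons a JSON body looks like a format-string probe; [] if clean or not JSON.
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    reasons = []
    for s in _strings(doc):
        if WRITE_DIRECTIVE.search(s):
            reasons.append("%n write directive")
        elif LEAK_RUN.search(s):
            reasons.append("run of leak directives")
    return reasons

def scan_log(log_text):
    # Return (src_ip, path, reasons) for every POST whose body trips a check.
    hits = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[1] == "POST":
            reasons = suspicious_fields(parts[3])
            if reasons:
                hits.append((parts[0], parts[2], reasons))
    return hits
```

A legitimate value containing a lone percent sign (the "100% sure" password in the sample) is deliberately left alone, so the rule keys on directives rather than on the character itself.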

Once initial access is established, Dragon deploys a PowerShell loader that retrieves a second-stage DLL and injects it directly into memory to avoid detection. The loader contains sophisticated anti-analysis techniques, including environment checks and sleeps between execution steps.

AES key file in Dragon RaaS (Source – SentinelOne)

The ransomware component itself utilizes a hybrid encryption scheme combining AES-256 for file encryption with RSA-4096 for key protection.

DragonRaaS attack activity (Source – SentinelOne)

Dragon operators have introduced a new feature that specifically targets database servers by corrupting transaction logs before encryption, making recovery particularly challenging even with backups.


Tushar Subhra Dutta