DilongTrash (Malware)
⚠️ Overview
DilongTrash (also reported as DragonTrash) is a Delphi-based backdoor first documented by Trend Micro in a December 2022 report, which attributed it to the Chinese APT group Earth Longzhi (aka RedEcho). It is a Remote Access Trojan (RAT) used in targeted cyber-espionage operations against critical-infrastructure sectors.
🔧 Technical Capabilities
DilongTrash resolves its C2 infrastructure with DNS-over-HTTPS (DoH) through Cloudflare's 1.1.1.1 resolver. The lookup travels inside TLS to cloudflare-dns.com rather than to the host's configured DNS server, so DNS-layer monitoring and sinkholing never see the queried domain; what remains observable is the TLS connection to 1.1.1.1 itself. Once a channel is up, the backdoor collects system information (hostname, OS version, running processes, network configuration), executes arbitrary shell commands, uploads and downloads files, and logs keystrokes. Persistence is a value named DragonTrash under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Before running, the malware checks for analysis tools such as Process Monitor, Wireshark, and Sandboxie and exits if it finds any. C2 traffic is obfuscated with a custom XOR-based scheme using a hardcoded key; because the key is static and embedded in the sample, captured traffic can be decoded once the key has been recovered from the binary. The malware also drops a decoy document to distract the victim during execution.
📜 History & Notable Incidents
First observed in early 2021, DilongTrash has been used in campaigns against the energy sector in Taiwan, with victims including power-grid operators and oil and gas companies. A notable incident in July 2022 involved the exfiltration of operational data from a Taiwanese electric utility. No CVEs are associated with the malware itself; initial access typically comes through spear-phishing emails carrying Microsoft Office documents that exploit CVE-2017-11882 (Equation Editor memory corruption) or CVE-2021-40444 (MSHTML remote code execution). No law enforcement action has been publicly reported.
🔍 Detection Indicators
Trend Micro's report lists the SHA-256 a3f5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4. As printed here that value is 62 hexadecimal characters, not the 64 of a SHA-256 digest, so confirm it against the original report before loading it into a blocklist. Behavioral signatures include outbound DoH requests to cloudflare-dns.com (TLS to 1.1.1.1) and creation of the mutex DragonTrashMutex. Registry artifact: a value named DragonTrash under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The User-Agent on the DoH requests is Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0. That is the stock Firefox 102 User-Agent, so it is only meaningful when the request originates from a process that is not a browser; correlate it with the originating process rather than alerting on the string alone.
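As an added example (not code from Trend Micro's report or from the page's source), the following Python sweeps constructed log lines for the indicators listed in this section and in Technical Capabilities above, and checks whether the quoted hash is even a well-formed SHA-256. The key=value log format, the process names, the browser allow-list and the severity levels are assumptions; only the indicator values come from the page.

```python
"""Indicator sweep for DilongTrash over constructed log lines.

Added example, not Trend Micro's code. The log line format below is
hypothetical (type followed by key=value pairs); only the indicator
values are taken from the page.
"""
import re
from collections import namedtuple

# Indicators as printed on the page.
DOH_HOST = "cloudflare-dns.com"
DOH_RESOLVER_IP = "1.1.1.1"
MUTEX = "DragonTrashMutex"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "DragonTrash"
USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) "
              "Gecko/20100101 Firefox/102.0")
REPORTED_SHA256 = "a3f5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4"

# Processes for which DoH with a Firefox UA is expected (assumption).
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe"}

Finding = namedtuple("Finding", "severity reason line")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def is_wellformed_sha256(digest):
    """A SHA-256 digest is exactly 64 hex characters."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", digest) is not None


def parse_kv(line):
    """Split 'type k=v k="quoted v"' into a dict (hypothetical format)."""
    kind, _, rest = line.strip().partition(" ")
    fields = {"type": kind}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def classify(line):
    """Return a Finding for one log line, or None if nothing matches."""
    f = parse_kv(line)
    proc = f.get("proc", "").lower()
    if f["type"] == "registry":
        # Persistence artifact: the DragonTrash value under the HKCU Run key.
        if f.get("path", "").lower() == RUN_KEY.lower() and f.get("value") == RUN_VALUE:
            return Finding("high", "Run-key value DragonTrash written", line)
    elif f["type"] == "mutex":
        if f.get("name") == MUTEX:
            return Finding("high", "mutex DragonTrashMutex created", line)
    elif f["type"] == "proxy":
        # DoH to Cloudflare is normal for browsers; from anything else it is
        # worth a look, more so when it presents the stock Firefox UA.
        doh = (f.get("sni") == DOH_HOST
               or f.get("dst", "").startswith(DOH_RESOLVER_IP + ":"))
        if doh and proc not in BROWSERS:
            severity = "medium" if f.get("ua") == USER_AGENT else "low"
            return Finding(severity, f"DoH to Cloudflare from non-browser {proc or '?'}", line)
    return None


def sweep(lines):
    """Classify every line and keep the hits, in input order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log: one benign browser DoH, one suspicious DoH from
# svchost.exe, the Run-key write, the mutex, and an unrelated Run-key write.
SAMPLE_LOG = [
    f'proxy dst=1.1.1.1:443 sni=cloudflare-dns.com ua="{USER_AGENT}" proc=firefox.exe',
    f'proxy dst=1.1.1.1:443 sni=cloudflare-dns.com ua="{USER_AGENT}" proc=svchost.exe',
    'registry op=SetValue path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value=DragonTrash proc=svchost.exe',
    'mutex name=DragonTrashMutex proc=svchost.exe',
    'registry op=SetValue path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" '
    'value=OneDrive proc=explorer.exe',
]

if __name__ == "__main__":
    print("reported hash well-formed:", is_wellformed_sha256(REPORTED_SHA256))
    for hit in sweep(SAMPLE_LOG):
        print(f"[{hit.severity}] {hit.reason}: {hit.line}")
```

The process-context check is the point: the DoH destination and the Firefox User-Agent are identical for a real Firefox session and for the backdoor, so the rule keys on which process opened the connection, while the mutex and Run-key value are specific enough to alert on directly.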
☠️ Risk & Impact
DilongTrash gives its operators persistent remote access, leading to exfiltration of sensitive operational technology (OT) data and intellectual property. Its targeting of critical energy infrastructure raises the risk of service disruption and geopolitical escalation. Financial losses are hard to quantify but include remediation costs and potential regulatory penalties for affected energy-sector organizations.
🛡️ Mitigation
Deploy endpoint detection and response (EDR) with behavior-based rules for DoH traffic from non-browser processes and for Run-key persistence. Apply the YARA rules published in Trend Micro's report and block known C2 domains; where policy allows, route all DNS through an enterprise resolver and block direct DoH to cloudflare-dns.com (1.1.1.1:443) so that C2 lookups become visible again. Patch the Office vulnerabilities used for initial access (CVE-2017-11882, CVE-2021-40444) and enforce application control to prevent execution of untrusted binaries.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.