A brand new marketing campaign has been noticed leveraging faux web sites promoting widespread software program equivalent to WPS Workplace, Sogou, and DeepSeek to ship Sainbox RAT and the open-source Hidden rootkit.
The exercise has been attributed with medium confidence to a Chinese language hacking group referred to as Silver Fox (aka Void Arachne), citing similarities in tradecraft with earlier campaigns attributed to the risk actor.
The phishing web sites (“wpsice[.]com”) have been discovered to distribute malicious MSI installers within the Chinese language language, indicating that the targets of the marketing campaign are Chinese language audio system.
“The malware payloads embrace the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit,” Netskope Risk Labs researcher Leandro Fróes stated.
This isn’t the primary time the risk actor has resorted to this modus operandi. In July 2024, eSentire detailed a marketing campaign that focused Chinese language-speaking Home windows customers with faux Google Chrome websites to ship Gh0st RAT.
Then earlier this February, Morphisec disclosed one other marketing campaign that additionally leveraged bogus websites promoting the net browser to distribute ValleyRAT (aka Winos 4.0), a special model of Gh0st RAT.
ValleyRAT was first documented by Proofpoint in September 2023 as a part of a marketing campaign that additionally singled out Chinese language-speaking customers with Sainbox RAT and Purple Fox.
Within the newest assault wave noticed by Netskope, the malicious MSI installers downloaded from the web sites are designed to launch a official executable named “shine.exe,” which sideloads a rogue DLL “libcef.dll” utilizing DLL side-loading strategies.
The DLL’s main goal is to extract shellcode from a textual content file (“1.txt”) current within the installer after which run it, in the end ensuing within the execution of one other DLL payload, a distant entry trojan referred to as Sainbox.
“The .knowledge part of the analyzed payload incorporates one other PE binary that could be executed, relying on the malware’s configuration,” Fróes defined. “The embedded file is a rootkit driver based mostly on the open-source undertaking Hidden.”
Whereas Sainbox comes fitted with capabilities to obtain further payloads and steal knowledge, Hidden provides attackers an array of stealthy options to cover malware-related processes and Home windows Registry keys on compromised hosts.
“Utilizing variants of commodity RATs, equivalent to Gh0st RAT, and open-source kernel rootkits, equivalent to Hidden, offers the attackers management and stealth with out requiring numerous customized growth,” Netskope stated.
