
Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit


Jun 27, 2025 | Ravie Lakshmanan | Malware / Cyber Attack


A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit.

The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor.

The phishing websites ("wpsice[.]com") have been found to distribute malicious MSI installers in the Chinese language, indicating that the targets of the campaign are Chinese speakers.

"The malware payloads include the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit," Netskope Threat Labs researcher Leandro Fróes said.


This isn't the first time the threat actor has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.

Then earlier this February, Morphisec disclosed another campaign that also leveraged bogus sites advertising the web browser to distribute ValleyRAT (aka Winos 4.0), a different version of Gh0st RAT.

ValleyRAT was first documented by Proofpoint in September 2023 as part of a campaign that also singled out Chinese-speaking users with Sainbox RAT and Purple Fox.


In the latest attack wave observed by Netskope, the malicious MSI installers downloaded from the websites are designed to launch a legitimate executable named "shine.exe," which loads a rogue DLL "libcef.dll" using DLL side-loading techniques.

The DLL's main purpose is to extract shellcode from a text file ("1.txt") present in the installer and then run it, ultimately resulting in the execution of another DLL payload, a remote access trojan called Sainbox.
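The chain above (installer spawns an executable in a user-writable directory, that executable loads an unsigned DLL with a name normally shipped by a trusted product, and a kernel driver is later loaded from the same kind of location) is the sort of thing a defender can correlate from endpoint telemetry without relying on the specific file names. The following detector is an added example written for this article, not Netskope's code or the campaign's own artifacts. It runs over a handful of constructed events modelled on Sysmon's process-create (Event ID 1), driver-load (Event ID 6) and image-load (Event ID 7) records; the field names follow Sysmon, but the `Signed` flag is represented as a Python boolean rather than Sysmon's "true"/"false" strings, the list of side-loading-prone DLL names beyond `libcef.dll` is an assumption, and the paths, PIDs and driver file name are all made up for the sample.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# DLL names that are normally shipped next to a trusted host binary and are
# therefore attractive for side-loading. libcef.dll is named in the article;
# the other two are this example's assumption, not something the article states.
ABUSED_DLLS = {"libcef.dll", "version.dll", "dbghelp.dll"}

# Locations an unprivileged user can write to. A trusted CEF-based product
# would normally live under Program Files, not here.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def is_user_writable(path: str) -> bool:
    """True if the Windows path sits under a user-writable root (case-insensitive)."""
    normalized = str(PureWindowsPath(path)).lower()
    return normalized.startswith(USER_WRITABLE_PREFIXES)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def analyze(events):
    """Apply three location/signing heuristics to Sysmon-style events.

    Returns one finding dict per hit: rule, severity, pid (None for driver
    loads, which Sysmon attributes to the System process) and detail.
    """
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process create: installer launching something from temp
            if basename(ev["ParentImage"]) == "msiexec.exe" and is_user_writable(ev["Image"]):
                findings.append(dict(rule="installer_spawns_temp_exe", severity="low",
                                     pid=ev["ProcessId"], detail=ev["Image"]))
        elif eid == 7:  # image load: unsigned, commonly-abused DLL name, user-writable path
            dll = ev["ImageLoaded"]
            if (basename(dll) in ABUSED_DLLS and is_user_writable(dll)
                    and not ev.get("Signed", False)):
                findings.append(dict(rule="unsigned_sideload_candidate", severity="medium",
                                     pid=ev["ProcessId"], detail=dll))
        elif eid == 6:  # driver load: unsigned or staged from a user-writable path
            drv = ev["ImageLoaded"]
            if not ev.get("Signed", False) or is_user_writable(drv):
                findings.append(dict(rule="suspicious_driver_load", severity="critical",
                                     pid=None, detail=drv))
    return findings


def correlate(findings):
    """Group per process. A process that was both spawned by the installer from a
    user-writable path and then loaded an unsigned abused-name DLL is escalated
    to 'high'; either signal alone keeps its own severity."""
    rules_by_pid = defaultdict(set)
    for f in findings:
        if f["pid"] is not None:
            rules_by_pid[f["pid"]].add(f["rule"])
    verdict = {}
    for pid, rules in rules_by_pid.items():
        if {"installer_spawns_temp_exe", "unsigned_sideload_candidate"} <= rules:
            verdict[pid] = "high"
        elif "unsigned_sideload_candidate" in rules:
            verdict[pid] = "medium"
        else:
            verdict[pid] = "low"
    return verdict


# Constructed sample telemetry (not real logs): one malicious chain, one benign
# CEF application loading its own signed libcef.dll, one benign process start.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\wps_setup\shine.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\wps_setup\shine.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\wps_setup\libcef.dll",
     "Signed": False},
    {"EventID": 7, "ProcessId": 5000,
     "Image": r"C:\Program Files\SomeApp\app.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libcef.dll",
     "Signed": True},
    {"EventID": 6,
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\wps_setup\example_driver.sys",
     "Signed": False},
    {"EventID": 1, "ProcessId": 6100,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['severity']}] {h['rule']} pid={h['pid']} {h['detail']}")
    print("per-process verdict:", correlate(hits))
```

The rules deliberately key on where a binary lives and whether it is signed rather than on "shine.exe" or "1.txt", since a renamed loader defeats name matching but still has to load an unsigned DLL from somewhere it could write to. In a real deployment the driver-load rule needs tuning against legitimate unsigned test-signed drivers, and the user-writable prefix list should match the organisation's actual install conventions.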


"The .data section of the analyzed payload contains another PE binary that can be executed, depending on the malware's configuration," Fróes explained. "The embedded file is a rootkit driver based on the open-source project Hidden."

While Sainbox comes fitted with capabilities to download additional payloads and steal data, Hidden offers attackers an array of stealthy features to hide malware-related processes and Windows Registry keys on compromised hosts.

"Using variants of commodity RATs, such as Gh0st RAT, and open-source kernel rootkits, such as Hidden, provides the attackers control and stealth without requiring a lot of custom development," Netskope said.



