Silver Fox Group Deploys Sainbox RAT and Stealth Rootkit via Fake Websites


New Cyber Attack Campaign Targets Chinese Speakers with Fake Software Sites

Overview of the Threat

A recently identified cyber attack campaign is utilizing fraudulent websites to deliver malware disguised as popular software, including WPS Office, Sogou, and DeepSeek. This deceptive strategy involves distributing malicious software such as the Sainbox Remote Access Trojan (RAT) and the open-source Hidden rootkit. Cybersecurity researchers have linked these activities to a Chinese hacking group known as Silver Fox, also referred to as Void Arachne. This attribution is based on identifiable similarities in their tactics, techniques, and procedures (TTPs) with previous operations attributed to the group.

The Mechanism of the Attack

The phishing websites, such as "wpsice[.]com", are written in Chinese and aimed at Chinese-speaking users. They distribute trojanized MSI installers that carry malware designed to compromise the victim's system. According to Leandro Fróes of Netskope Threat Labs, the payloads include variants of the Sainbox RAT and a variant of the Hidden rootkit.

Historical Context

This isn’t the first instance of Silver Fox employing such tactics. A precedent was set in July 2024, when eSentire reported similar activity targeting Chinese-speaking Windows users through counterfeit Google Chrome sites, which were also used to deliver different variants of Gh0st RAT. Earlier this year, another campaign, disclosed by Morphisec, leveraged fake sites promoting web browsers to spread ValleyRAT, another variant of Gh0st RAT. This pattern has shown a consistent targeting of Chinese speakers, as evidenced by prior reports that also highlighted the use of Sainbox RAT alongside other threats like Purple Fox.

Details of the Latest Attack Wave

In this latest wave of attacks, the malicious MSI installers launch a legitimate executable named "shine.exe", which is abused to side-load a rogue Dynamic Link Library (DLL) named "libcef.dll". The DLL's primary function is to extract shellcode from a text file, "1.txt", bundled in the installer. The extracted shellcode then loads another DLL payload, which in this case is the Sainbox RAT.

Fróes elaborated on the capabilities of the malware, noting that the analyzed payload’s .data section contains an additional portable executable (PE) binary that may execute based on the specific configurations set by the malware. This allows for dynamic operation based on the environment in which it’s deployed.
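As an added illustration (not code from the article, Netskope or the malware itself), the following hunting rule runs over constructed Sysmon-style image-load and file-create events and flags the chain described above: a process loading libcef.dll from its own directory outside protected install roots, escalated when a "1.txt" was dropped alongside it. Field names follow Sysmon conventions; the event values, paths and the TRUSTED_ROOTS list are assumptions for the example.

```python
"""Hunting rule for the shine.exe / libcef.dll side-loading chain (added example)."""
from pathlib import PureWindowsPath

# Constructed Sysmon-style events, not real telemetry. EventID 7 = ImageLoad, 11 = FileCreate.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\WPS\shine.exe"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\WPS\libcef.dll"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\WPS\1.txt"},
    {"EventID": 7, "ProcessId": 5208, "Image": r"C:\Users\u\AppData\Local\Temp\WPS\shine.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\WPS\libcef.dll"},
    # Benign control: a real Chromium Embedded Framework app loading libcef.dll from its install dir.
    {"EventID": 7, "ProcessId": 600, "Image": r"C:\Program Files\SomeApp\someapp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libcef.dll"},
]

# libcef.dll is a legitimate library; loads from these roots are treated as installed software.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def find_sideload_chains(events):
    """Return one finding per process that loads libcef.dll from its own, untrusted directory.
    Severity is raised to 'high' when a '1.txt' (the shellcode carrier) was dropped beside it."""
    dropped = {}  # directory (lower-cased) -> set of file names created there
    for e in events:
        if e["EventID"] == 11:
            p = PureWindowsPath(e["TargetFilename"])
            dropped.setdefault(str(p.parent).lower(), set()).add(p.name.lower())

    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        exe, dll = PureWindowsPath(e["Image"]), PureWindowsPath(e["ImageLoaded"])
        if dll.name.lower() != "libcef.dll":
            continue
        exe_dir = str(exe.parent).lower()
        if exe_dir != str(dll.parent).lower():
            continue  # DLL not co-located with the executable: not the side-loading pattern
        if exe_dir.startswith(TRUSTED_ROOTS):
            continue  # installed under a protected root: treat as expected CEF usage
        carrier = "1.txt" in dropped.get(exe_dir, set())
        findings.append({"pid": e["ProcessId"], "exe": exe.name, "dir": exe_dir,
                         "carrier_dropped": carrier, "severity": "high" if carrier else "medium"})
    return findings


if __name__ == "__main__":
    for f in find_sideload_chains(SAMPLE_EVENTS):
        print(f)
```

The trusted-root filter keeps legitimate CEF-based applications quiet; in production it should be paired with signature checks on the loaded DLL rather than path alone.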

The Role of Sainbox and Hidden Rootkit

The Sainbox RAT is equipped with functionalities for downloading additional payloads and capturing sensitive information. Meanwhile, the Hidden rootkit supplies attackers with a suite of stealthy features that allow them to conceal malicious processes and Windows Registry entries on compromised devices. This dual-threat strategy enables cybercriminals to maintain control over infected systems while minimizing the detection risk.

Using accessible variants of commercial RATs, like Gh0st RAT, combined with open-source kernel rootkits such as Hidden, provides these attackers with a powerful arsenal. It allows them extensive control and stealth capabilities without necessitating substantial custom development efforts.

Conclusion

As cyber threats continue to evolve, understanding the tactics and tools employed by threat actors like Silver Fox is crucial for enhancing cybersecurity measures. With the rising number of cyber attacks using deceptive strategies, users must remain vigilant, especially when downloading software from unofficial sources. Awareness and education about these threats can significantly mitigate the risks associated with such sophisticated campaigns.
