A China-based cybercriminal group known as Silver Fox (also referred to as SwimSnake / Valley Thief / Void Arachne) is currently using a typosquatting technique to carry out a malicious campaign imitating many popular legitimate programs and deliver an undetected remote access trojan (RAT) called AtlasCross RAT.
Cybersecurity company Hexastrike reported that these criminals have created at least eleven fraudulent domains impersonating legitimate well-known"tools" such as:
1. app-zoom.com (Zoom)
2. signal-signal.com (Signal)
3. telegrtam.com.cn (Telegram)
4. www-surfshark.com (Surfshark VPN)
5. www-teams.com (Microsoft Teams)
6. trezor-trezor.com (Trezor)
7. And other fraudulent domains related to VPNs; encrypted messaging software; video conferencing; cryptocurrency tracking; and e-commerce applications (example: .).
Users visiting these fake domains are directed to download ZIP archives that contain trojanized installers of the application, which are disguised using an Autodesk binary to disguise the trojanized version of the application, and then execute the AtlasCross RAT in-memory.
The entire attack consists of loading the payload by a process known as a shellcode loader, that the attacker has created to decrypt the RAT's Gh0st configuration, connect to the RAT headquarters at bifa668[.]com using TCP 9899, and load the final payload.
All observed installers are signed with the same stolen Extended Validation certificate issued to a Vietnamese company (DUC FABULOUS CO.,LTD), a tactic increasingly used by cybercriminals to bypass security checks.
Key Features of AtlasCross RAT
AtlasCross represents a clear evolution from the group’s previous Gh0st RAT derivatives (such as ValleyRAT, Gh0stCringe, and HoldingHands RAT).
The following are the primary features:
1. PowerChell Framework integration that disables AMSI, ETW, CLM and ScriptBlock logging via an executing engine based on the native C/C++ version of PowerShell.
2. Excellent anti-analysis and anti-evasion capability including terminating Chinese security products (360 Safe, Huorong, KingSoft and QQ PC Manager) from the TCP level.
3. Ability to DLL inject to WeChat, hijack RDP sessions, perform file operations (copy, move, delete etc.), execute shell commands and persist through scheduled tasks.
4. C2 communications are encrypted with ChaCha20 using a randomly generated key that is different for each packet using a hardware-based random number generator (RNG).
Silver Fox’s Broader Activity
Silver Fox has been described by Chinese security firm Knownsec 404 as one of the most active threats in recent years. The group is focusing on individuals working in finance or management positions within organizations, utilizing WeChat, QQ as well as sending them phishing emails and convincing them to download fake software from fraudulent sites. Their operations have now expanded to South and Southeast Asia, including: Japan, Malaysia, Philippines, Thailand, Indonesia, Singapore and India.
Their operation tactics now appear to be very adaptable and include:
1. Use of typosquatting domains along with fake applications.
2. Using malicious PDFs to deliver the ValleyRAT.
3. Using legitimate (but misconfigured) Chinese RMM tools such as SyncFuture TSM for malicious purposes.
4. Using Python-based stealers disguised as WhatsApp to steal ID's/Passwords.
The most current tactics being used by the group include using spear-phishing emails with tax compliance messages, salary increase messages, and employee stock ownership messages to target Japanese manufacturers, ultimately delivering the Valley RAT for purposes of remote controlling and exfiltrating data.
ESET, Sekoia and Hexastrike security researchers report that the Silver Fox is using a dual-track approach with both opportunistic cybercrime campaigns and more refined longer term access operations.
Recommendations
1. Users of Chinese language should be warned to exercise extreme caution when downloading software from unofficial / unverified sites.
2. Be aware of your domain name; there are still many typos and typosquatting.
3. Do not download ZIP files or installations from websites that you do not recognize, regardless as to whether or not they appear to offer common downloads.
4. Continue to keep your endpoint security software and protection continually updated as well as keep an eye out for any unusual scheduled programs and/or any abnormal network connection activity.
The tactics used in this case are an example of how quickly the criminals can adapt to their tooling and continue with the same primitive yet successful tactics of social engineering, such as using typosquatting again. Organizations with employees residing within China or are of a Chinese language need to reinforce their training with respect to software download and suspicious links.
Source: The Hacker News