Fatalrat phishing attacks target the APAC industry using Chinese cloud services

February 25, 2025

Various industrial organizations in the Asia-Pacific (APAC) region are being targeted in phishing attacks designed to deliver a known malware strain called FatalRAT.

“This threat was coordinated by attackers using the legitimate Chinese cloud content delivery network (CDN) myqcloud and Youdao Cloud Notes services as part of their attack infrastructure,” Kaspersky ICS CERT said in a report published Monday.

“Attackers have adopted a sophisticated multi-stage payload delivery framework to ensure detection evasion.”

The activity has singled out government agencies and industrial organizations, particularly in manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation, in Taiwan, Malaysia, China, Japan, Thailand, Singapore, the Philippines, Vietnam, and Hong Kong.

The lure attachments used in the email messages suggest that the phishing campaign is designed to target Chinese-speaking individuals.

It is worth noting that FatalRAT campaigns have previously used fake Google Ads as a distribution vector. In September 2023, Proofpoint documented another email phishing campaign that distributed various malware families, including FatalRAT, Gh0st RAT, Purple Fox, and ValleyRAT.

An interesting aspect of both intrusion sets is that they primarily target Chinese speakers and Japanese organizations. Some of this activity has been attributed to a threat actor tracked as Silver Fox APT.

The starting point of the latest attack chain is a phishing email containing a ZIP archive with Chinese file names. Opening it launches a first-stage loader that makes a request to Youdao Cloud Notes to retrieve a DLL file and a FatalRAT configurator.

For its part, the configurator module downloads the contents of another note from note.youdao[.]com to obtain configuration information. It is also designed to open a decoy file to avoid raising suspicion.

The DLL, on the other hand, is a second-stage loader responsible for downloading and installing the FatalRAT payload from a server (myqcloud[.]com) specified in the configuration, while displaying a fake error message about a problem running the application.

Key features of the campaign include the use of DLL sideloading techniques to advance the multi-stage infection sequence and load the FatalRAT malware.

“Threat actors used the black-and-white method, which takes advantage of the capabilities of legitimate binaries to make the chain of events look like normal activity,” Kaspersky said. “The attackers also used DLL sideloading techniques to hide the persistence of the malware in legitimate process memory.”

“FatalRAT performs 17 checks for indicators that the malware is running in a virtual machine or sandbox environment. If any of the checks fail, the malware stops running.”

It also collects information about the system and the various security solutions installed on it, then terminates all instances of the rundll32.exe process and waits for further instructions from the command-and-control (C2) server.
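The chain described above (note fetch from Youdao Cloud Notes, payload download from myqcloud, then rundll32.exe terminations) can be turned into a correlation check over proxy and endpoint telemetry. The following is an added example and not code from the Kaspersky report or this article; the log formats, host names, URL paths and the 15-minute window are constructed assumptions. Because both cloud services are legitimate, the check fires only on the ordered sequence, not on either domain alone.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample proxy log: "<iso-time> <host> <url>". Both domains are
# legitimate services; only the ordered chain is treated as suspicious.
PROXY_LOG = """\
2025-02-24T09:00:01 ws-17 https://note.youdao.com/CONSTRUCTED-NOTE-1
2025-02-24T09:00:05 ws-17 https://constructed-bucket.myqcloud.com/payload.bin
2025-02-24T09:10:00 ws-42 https://note.youdao.com/CONSTRUCTED-NOTE-2
"""
# Constructed endpoint log: "<iso-time> <host> ProcessTerminated <image> <count>"
ENDPOINT_LOG = """\
2025-02-24T09:00:09 ws-17 ProcessTerminated rundll32.exe 4
2025-02-24T09:12:00 ws-42 ProcessTerminated rundll32.exe 1
"""
WINDOW = timedelta(minutes=15)  # assumed upper bound on the whole chain

def parse(log):
    for line in log.splitlines():
        ts, host, *rest = line.split()
        yield datetime.fromisoformat(ts), host, rest

def stage_events(proxy_log, endpoint_log):
    """Map each host to its (time, stage) events: note -> payload -> kill."""
    by_host = defaultdict(list)
    for ts, host, (url,) in parse(proxy_log):
        dom = url.split("//", 1)[-1].split("/", 1)[0].lower()
        if dom == "note.youdao.com":
            by_host[host].append((ts, "note"))
        elif dom == "myqcloud.com" or dom.endswith(".myqcloud.com"):
            by_host[host].append((ts, "payload"))
    for ts, host, (event, image, _count) in parse(endpoint_log):
        if event == "ProcessTerminated" and image.lower() == "rundll32.exe":
            by_host[host].append((ts, "kill"))
    return by_host

def find_fatalrat_chains(proxy_log, endpoint_log, window=WINDOW):
    """Hosts with note fetch -> myqcloud download -> rundll32.exe kills, in order, within `window`."""
    hits = []
    for host, events in stage_events(proxy_log, endpoint_log).items():
        state, start = 0, None
        for ts, stage in sorted(events):
            if stage == "note":
                state, start = 1, ts
            elif stage == "payload" and state == 1:
                state = 2
            elif stage == "kill" and state == 2 and ts - start <= window:
                hits.append(host)
                break
    return hits
```

Host ws-42 touches Youdao Cloud Notes and kills a rundll32.exe instance but never downloads from myqcloud, so it is not flagged; that missing middle stage is what keeps ordinary use of these services out of the alert.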

FatalRAT is a feature-packed trojan equipped to search for and delete user data in browsers such as Google Chrome and Internet Explorer, turn the screen on and off, start and stop file operations and proxies, and terminate any process.

It is currently unknown who is behind the attacks using FatalRAT, but the overlaps with other campaigns in tactics and tooling suggest that “all of them reflect different sets of attacks that are related in some way.” Kaspersky assesses with moderate confidence that a Chinese-speaking threat actor is behind it.

“FatalRAT's functionality offers attackers almost endless possibilities for developing the attack: spreading over the network, installing remote administration tools, manipulating devices, and stealing and exfiltrating sensitive information,” it said.

“The consistent use of services and interfaces in Chinese at various stages of the attack, as well as other indirect evidence, suggests that Chinese-speaking actors may be involved.”
