Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New Exploits Unleashed: HiddenGh0st, Winos, and kkRAT Threaten Chinese-Speaking Users via SEO Poisoning Campaign




Chinese-speaking users have been targeted by a sophisticated malware campaign that uses search engine optimization (SEO) poisoning to distribute malicious software. According to Fortinet FortiGuard Labs researcher Pei Han Liao, the attackers manipulated search rankings with SEO plugins and registered lookalike domains that closely mimicked legitimate software sites. By using convincing language and small character substitutions, they tricked victims into visiting spoofed pages and downloading malware.
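The lookalike domains described above differ from the real software sites by a few character substitutions. The following added example (written for this article, not code from Fortinet, Zscaler or the campaign) shows one way a defender can screen candidate domains against a trusted list: it folds common homoglyph substitutions and then measures edit distance on the registrable label. The trusted host list and the homoglyph table are assumptions chosen for illustration.

```python
# Added illustrative example; the trusted list below is an assumption, not
# taken from the research. It is the kind of allowlist a defender would keep
# for software that users are expected to download.
TRUSTED = ["deepl.com", "google.com", "signal.org", "telegram.org",
           "whatsapp.com", "wps.com"]

# Visual substitutions often seen in lookalike labels (assumed table).
# Multi-character entries come first so "rn" folds to "m" before "1" -> "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s")]

def normalize(label):
    """Fold homoglyphs so visually similar labels compare equal."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url_or_host):
    """Strip scheme, path, port and a leading 'www.'; return the bare host."""
    h = url_or_host.lower().split("://")[-1].split("/")[0].split(":")[0]
    return h[4:] if h.startswith("www.") else h

def brand_label(host):
    """Registrable label: 'telegram' for 'dl.telegram.org'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(candidate, trusted=TRUSTED, max_distance=1):
    """Return (verdict, closest_trusted_host, distance)."""
    host = host_of(candidate)
    if host in trusted:
        return ("trusted", host, 0)
    cand = normalize(brand_label(host))
    best_host, best_d = None, None
    for t in trusted:
        d = levenshtein(cand, normalize(brand_label(t)))
        if best_d is None or d < best_d:
            best_host, best_d = t, d
    verdict = "lookalike" if best_d <= max_distance else "unrelated"
    return (verdict, best_host, best_d)
```

Matching is done on the registrable label only, so a brand name buried in a subdomain of an unrelated domain is not flagged by this check.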

The malware families delivered in this campaign include HiddenGh0st and Winos, both of which are variants of a remote access trojan called Gh0st RAT. The use of Winos has been attributed to a cybercrime group known as Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.

In the attack chain documented by Fortinet, users who search Google for tools such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office are redirected to bogus sites that deliver the malware as trojanized installers. A script named nice.js controls the delivery process on these sites. The script follows a multi-step chain: it first calls a download link that returns JSON data containing a secondary link; that secondary link returns another JSON response whose link redirects to the final URL of the malicious installer.

The malicious installer performs a series of checks to identify sandbox environments and virtual machines (VMs) and to bypass security software. It also requests administrator privileges which, if granted, let it enumerate and temporarily disable all active network adapters, interfering with the normal operation of antivirus programs.

Another notable aspect of the malware is its use of the Bring Your Own Vulnerable Driver (BYOVD) technique to disarm antivirus software installed on the host by reusing code from the RealBlindingEDR open-source project. The malware searches for five specific programs: 360 Internet Security suite, 360 Total Security, HeroBravo System Diagnostics suite, Kingsoft Internet Security, and QQ电脑管家.

Once the relevant antivirus-related processes have been terminated, the malware creates a scheduled task that runs with SYSTEM privileges and executes a batch script, ensuring that those processes are killed again every time a user logs in to the machine. Furthermore, it modifies Windows Registry entries for 360 Total Security, likely with the goal of disabling its network checks.

After all these actions are carried out, the malware re-enables the network adapters to restore the system's network connectivity. The installer's primary job is to launch shellcode, which in turn fetches and runs another obfuscated shellcode file named "2025.bin" from a hard-coded URL. This second-stage shellcode acts as a downloader for an artifact ("output.log") that then contacts two different URLs to fetch two ZIP archives, trx38.zip and p.zip.

The malware then creates a shortcut to the legitimate executable extracted from trx38.zip, adds the shortcut to the startup folder for persistence, and runs the legitimate executable to sideload the malicious DLL. The malicious DLL decrypts and executes the final payload from the file longlq.cl; which payload is delivered depends on the second ZIP archive that is downloaded.

The attackers have also used a separate malware called kkRAT, identified by Zscaler researcher Muhammed Irfan V A, who noted that it shares code similarities with both Gh0st RAT and Big Bad Wolf (大灰狼), a RAT typically leveraged by China-based cybercriminals. kkRAT uses a network communication protocol similar to that of Gh0st RAT, with an added encryption layer applied after data compression.

The RAT's features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e., Sunlogin, GotoHTTP). The attack campaign uses fake installer pages mimicking popular software like DingTalk to deliver the three trojans. The phishing sites are hosted on GitHub Pages, letting the attackers abuse the trust associated with a legitimate platform for malware distribution.




Related Information:

  • https://www.ethicalhackingnews.com/articles/New-Exploits-Unleashed-HiddenGh0st-Winos-and-kkRAT-Threaten-Chinese-Speaking-Users-via-SEO-Poisoning-Campaign-ehn.shtml

  • Published: Mon Sep 15 03:38:45 2025 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.