- Chinese users are being targeted by malware campaigns using spoofed download sites and SEO poisoning
- kkRAT features advanced capabilities including clipboard hijacking, remote monitoring, and antivirus evasion
- Attackers exploited GitHub Pages to host phishing sites
Chinese users looking to download popular browsers and communications software are being targeted by different malware variants[1], granting attackers remote access capabilities. This is according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs, and Zscaler ThreatLabz.
The former discovered an SEO[2] poisoning campaign to deliver two Remote Access Trojans (RAT) – HiddenGh0st, and Winos – both variants of the infamous Gh0st RAT.
In the campaign, the threat actors created spoofed download pages for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp[3], and WPS Office, on typosquatted domains.
Stealing crypto and disabling AV
They then manipulated search rankings using different SEO plugins to trick people searching for these programs into visiting the wrong sites. The download seemingly deploys the wanted program, but the installer is trojanized, also serving one of the above-mentioned trojans.
At the same time, researchers from Zscaler observed a previously unknown trojan, called kkRAT, being disseminated. This campaign started in May this year and also includes Winos and FatalRAT.
kkRAT’s code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler explained: “kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer after data compression. The RAT’s features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP).”
It is also capable of killing antivirus software[4] before running any malicious activity, to better hide its presence. Among the AV solutions targeted by the trojan are 360 Internet Security suite, 360 Total Security, HeroBravo System Diagnostics suite, and others.
Unlike Fortinet’s discovery, in this campaign the phishing sites are hosted on GitHub pages, leaning into the trust that the platform enjoys with its community to distribute the trojans. The GitHub account used in this campaign has since been terminated.
You might also like
References
- ^ malware variants (www.techradar.com)
- ^ SEO (www.techradar.com)
- ^ WhatsApp (www.techradar.com)
- ^ antivirus software (www.techradar.com)
- ^ The Hacker News (thehackernews.com)