Fake installers distributed through Chinese-language websites are infecting users with a remote access trojan (RAT) and a rootkit, Netskope reports.
Masquerading as legitimate software, such as WPS Office, Sogou, and DeepSeek, the installers were seen deploying a Gh0stRAT variant named Sainbox RAT, and the open source Hidden rootkit, likely to achieve stealthy access to victims’ systems.
The fake sites observed in this campaign, Netskope says, mimic the official websites of legitimate software. However, when the user downloads the fake installers (MSI files and a PE installer), the file is fetched from a different URL.
Upon execution, the MSI files run a legitimate file named ‘Shine.exe’, which is used to sideload a malicious DLL, and execute the genuine installer software to hide the nefarious operation. A TXT file containing shellcode and a malware payload is also dropped.
The DLL, a fake version of the libcef library that is part of the Chromium Embedded Framework (CEF), begins its malicious activity in a function that Shine.exe calls. That function sets up persistence, loads the contents of the TXT file into memory, and redirects control flow to the start of the shellcode.
Based on the open source tool sRDI, the shellcode is meant to reflectively load a DLL into memory and call two functions, including one that starts the malicious payload’s activity.
The DLL payload was identified as the Sainbox RAT, which carries in its .data section a rootkit driver based on the Hidden project. The rootkit is embedded as a PE binary and is executed only under certain malware configurations.
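Two parts of the chain described above lend themselves to host-based detection: a library that legitimately ships with an application (here libcef.dll) being loaded from a user-writable directory or without a signature, and a ".txt" file whose bytes look nothing like text because it holds shellcode. The following Python is an added example written for this page, not code from Netskope or the malware; the image-load records, the DLL watchlist and the 6.0-bit entropy threshold are constructed assumptions.

```python
import math
import ntpath
from collections import Counter

# Constructed Sysmon-style image-load events (sample data, not from the report).
IMAGE_LOADS = [
    {"process": r"C:\Program Files\WPS Office\wps.exe",
     "image": r"C:\Program Files\WPS Office\libcef.dll", "signed": True},
    {"process": r"C:\Users\alice\AppData\Local\Temp\Shine.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\libcef.dll", "signed": False},
    {"process": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\ntdll.dll", "signed": True},
]

# Assumed watchlist: DLLs that ship beside specific applications and are commonly sideloaded.
SIDELOAD_WATCHLIST = {"libcef.dll"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def sideload_candidates(events):
    """Return loads of a watchlisted DLL that is unsigned or sits in a user-writable directory."""
    hits = []
    for event in events:
        name = ntpath.basename(event["image"]).lower()
        if name in SIDELOAD_WATCHLIST and (not event["signed"] or in_user_writable_dir(event["image"])):
            hits.append(event)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plain text sits around 4-5, packed or encoded code approaches 8."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def suspicious_text_file(name: str, data: bytes, threshold: float = 6.0) -> bool:
    """A .txt whose content is near-random is a poor fit for text and worth triage."""
    return name.lower().endswith(".txt") and shannon_entropy(data) > threshold


if __name__ == "__main__":
    for hit in sideload_candidates(IMAGE_LOADS):
        print("possible sideload:", hit["process"], "->", hit["image"])
    print("shellcode-like txt:", suspicious_text_file("payload.txt", bytes(range(256)) * 4))
```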
“The primary goal of the rootkit is to conceal items such as processes, files, and registry keys and values. It does so by using a mini-filter as well as kernel callbacks. It can also protect itself and specific processes, and contains a user interface that is accessed using IOCTL,” Netskope says.
The Sainbox RAT allows attackers to fetch and run additional payloads, steal information, and perform other malicious actions. The Hidden rootkit provides stealth by hiding payloads, preventing process termination, and preventing detection.
According to Netskope, the campaign appears to have been orchestrated by the China-linked Silver Fox hacking group, based on the TTPs employed, the use of fake websites and installers for popular Chinese software, and its targeting.
Silver Fox has been around for at least one year and some researchers believe it may be an APT masquerading as a cybercrime group.
