As part of phishing attacks designed to deliver a well-known malware called FatalRAT, a number of industrial organizations in the Asia-Pacific (APAC) region have been targeted.
In a report released on Monday, Kaspersky ICS CERT stated that the threat was being orchestrated by adversaries using the legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure.
To evade detection, the attackers used a sophisticated multi-stage payload delivery framework.
The campaign has singled out government agencies and industrial organizations, especially in manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation, in Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong.
Judging by the lure attachments used in the emails, the phishing campaign is intended to target Chinese-speaking individuals.
It’s important to point out that earlier campaigns have used fake Google Ads as a distribution channel. In September 2023, Proofpoint documented another email phishing campaign that propagated numerous malware families such as , Gh0st RAT, Purple Fox, and ValleyRAT.
Both intrusion sets share a notable feature: they mostly target Chinese-language speakers and Chinese organizations. A threat actor tracked as has been linked to some of these activities.
The starting point of the latest attack chain is a phishing email containing a ZIP archive with a Chinese-language file name which, when launched, runs the first-stage loader that, in turn, makes a request to Youdao Cloud Notes in order to retrieve a DLL file and a FatalRAT configurator.
The configurator module, for its part, downloads the contents of another note from note.youdao[.]com to obtain the configuration information. To avoid arousing suspicion, it’s also engineered to open a decoy file.
The DLL, on the other hand, is a second-stage loader tasked with fetching the FatalRAT payload from a server (“myqcloud[.]com”) specified in the configuration and then installing it, while displaying a fake error message about a problem running the application.
The use of DLL side-loading techniques to advance the multi-stage infection sequence and load the FatalRAT malware is a key feature of the campaign.
The threat actor employs a “black and white” approach, using the functionality of legitimate binaries to make the chain of events appear to be regular activity, according to Kaspersky. “The attackers also employed a DLL side-loading technique to conceal the malware’s persistent presence in legitimate process memory.”
“FatalRAT runs 17 checks to determine whether the malware runs on a virtual machine or sandbox. If any of the checks fail, the malware stops executing.”
Additionally, it terminates every rundll32.exe process and gathers information about the system and the various security solutions installed on it, before awaiting further instructions from a command-and-control (C2) server.
FatalRAT is a feature-packed trojan equipped to log keystrokes, corrupt the Master Boot Record (MBR), turn the screen on/off, search and delete user data in browsers like Google Chrome and Internet Explorer, download additional software like AnyDesk and UltraViewer, perform file operations, start/stop a proxy, and terminate arbitrary processes.
Although the tactical and tooling overlaps with other campaigns suggest that “they all reflect different series of attacks that are somehow related,” it is not known who is behind the attacks using FatalRAT. Kaspersky has attributed the activity, with some caution, to a Chinese-speaking threat actor.
“FatalRAT’s functionality gives an attacker almost unlimited possibilities for developing an attack: spreading over a network, installing remote administration tools, manipulating devices, stealing, and deleting confidential information,” the researchers said.
“The consistent use of services and interfaces in Chinese at various stages of the attack, as well as other indirect evidence, indicates that a Chinese-speaking actor may be involved.”