- Chinese users are being targeted by malware campaigns that use spoofed download sites and SEO poisoning
- KKRAT offers advanced capabilities, including clipboard hijacking, remote surveillance and antivirus evasion
- The attackers abused GitHub Pages to host phishing sites
Chinese users looking to download popular browsers and communication software are being targeted by several malware variants that give attackers remote access to the infected machine. This is according to multiple cybersecurity organizations, notably Fortinet FortiGuard Labs and Zscaler ThreatLabz.
The former discovered an SEO poisoning campaign delivering two remote access Trojans (RATs), HiddenGh0st and Winos, both variants of the infamous Gh0st RAT.
In the campaign, the threat actors set up spoofed download pages for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp and WPS Office, hosted on typosquatted domains.
Stealing crypto and disabling AV
They then manipulated search rankings with various SEO plugins to steer people searching for these programs toward the malicious sites. The download does deliver the program the victim was looking for, but the installer is trojanized and also drops one of the aforementioned RATs.
Meanwhile, Zscaler researchers observed a previously unknown Trojan, dubbed KKRAT, being distributed. That campaign began in May this year and also delivers Winos and FatalRAT.
KKRAT's code resembles that of Gh0st RAT and Big Bad Wolf, Zscaler explained: "KKRAT uses a network communication protocol similar to Gh0st RAT, with an additional encryption layer after data compression. RAT features include clipboard manipulation, GotoHTTP)."
It is also able to kill antivirus software before carrying out its malicious activity, the better to hide its presence. Among the AV products targeted by the Trojan are 360 Internet Security Suite, 360 Total Security, HeroBravo System Diagnostics Suite and others.
Unlike in Fortinet's finding, the phishing sites in this campaign are hosted on GitHub Pages, leaning on the trust the platform enjoys within its community to distribute the Trojans. The GitHub account used in the campaign has since been terminated.
Via The Hacker News