Cybersecurity researchers are warning of a new phishing campaign aimed at Taiwan that delivers malware families such as HoldingHands RAT and Gh0stCringe.
The activity is part of a broader campaign that delivered the Winos 4.0 malware framework in early January via phishing messages impersonating the National Taxation Bureau of Taiwan, Fortinet FortiGuard Labs said in a report shared with The Hacker News.
The cybersecurity company said it discovered additional malware samples through continued monitoring, and observed the same threat actor, tracked as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing to deliver Gh0stCringe and HoldingHands RAT.
It is worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of the well-known remote access trojan Gh0st RAT, which is widely used by Chinese hacking groups.
The starting point of the attack is a phishing email masquerading as a government agency or business partner, using tax, invoice and pension themes to convince recipients to open the attachment. Alternative attack chains have been found to use an embedded image that loads malware when clicked.
The PDF files, in turn, contain a link that redirects prospective targets to a download page that serves a ZIP archive. The archive contains several legitimate executables, shellcode loaders and encrypted shellcode.
The multi-stage infection sequence entails the use of the shellcode loaders to decrypt and execute the shellcode, which is actually a set of DLL files loaded by the legitimate binaries via DLL side-loading techniques. Intermediate payloads deployed during the attack include anti-VM and privilege-escalation capabilities to ensure that the malware runs unhindered on the compromised host.
The attack concludes with the execution of "msgdb.dat", which implements command-and-control (C2) functionality to collect user information and download additional modules that provide file management and remote desktop capabilities.
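The DLL side-loading step above (a legitimate signed binary mapping an unsigned module, including the "msgdb.dat" payload, from the directory the ZIP was unpacked into) is something defenders can hunt for in image-load telemetry. The following detection sketch is an added example and is not Fortinet's code; the pipe-separated records, the field names, and the paths and file names other than "msgdb.dat" are constructed for illustration.

```python
import ntpath  # Windows path semantics regardless of the host running this script

# Constructed Sysmon-style ImageLoad records (not real telemetry from the report).
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|HostSigned=true|LoadedSigned=true
Image=C:\\Users\\bob\\Downloads\\tax2025\\legit_updater.exe|ImageLoaded=C:\\Users\\bob\\Downloads\\tax2025\\version.dll|HostSigned=true|LoadedSigned=false
Image=C:\\Users\\bob\\Downloads\\tax2025\\legit_updater.exe|ImageLoaded=C:\\Users\\bob\\Downloads\\tax2025\\msgdb.dat|HostSigned=true|LoadedSigned=false
"""

# Locations a user (or an unpacked ZIP) can write to; system DLL directories are excluded.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Final-stage artifact named in the report.
REPORTED_NAMES = {"msgdb.dat"}

def parse_record(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def sideload_reasons(rec):
    """Return the reasons an ImageLoad record looks like DLL side-loading (empty if benign)."""
    host, mod = rec["Image"].lower(), rec["ImageLoaded"].lower()
    reasons = []
    same_dir = ntpath.dirname(host) == ntpath.dirname(mod)
    if (rec["HostSigned"] == "true" and rec["LoadedSigned"] == "false"
            and same_dir and mod.startswith(USER_WRITABLE)):
        reasons.append("signed host loads unsigned module from its own user-writable directory")
    if not mod.endswith(".dll"):
        reasons.append("module mapped without a .dll extension")
    if ntpath.basename(mod) in REPORTED_NAMES:
        reasons.append("module name matches artifact in report")
    return reasons

def triage(log_text):
    """Map each suspicious loaded module to its list of reasons."""
    hits = {}
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            reasons = sideload_reasons(rec)
            if reasons:
                hits[rec["ImageLoaded"]] = reasons
    return hits

if __name__ == "__main__":
    for module, reasons in triage(SAMPLE_LOG).items():
        print(module, "->", "; ".join(reasons))
```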
Fortinet said it also found the threat actor distributing Gh0stCringe via PDF attachments in phishing emails that direct users to HTM pages.
"The attack network consists of numerous shellcode fragments and loaders, making the attack flow complex," the company said. "Across Winos, HoldingHands and Gh0stCringe, this threat group continually evolves its malware and distribution strategies."