Various industrial organizations in the Asia-Pacific (APAC) region have been targeted by phishing attacks designed to deliver a known malware called FatalRAT.
"The threat was orchestrated by attackers using the legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure," Kaspersky ICS CERT said in a report published on Monday.
"The attackers used a sophisticated multi-stage payload delivery framework to ensure evasion."
The activity has targeted government agencies and industrial organizations, particularly in manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation, in Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam and Hong Kong.
The lures used in the email messages suggest that the phishing campaign is designed to target Chinese-speaking individuals.
It is worth noting that FatalRAT campaigns have previously used bogus Google Ads as a distribution vector. Another email phishing campaign, documented in September 2023, spread several malware families, including FatalRAT, Gh0st RAT, Purple Fox and ValleyRAT.
A notable aspect of both sets of intrusions is that they primarily target Chinese-speaking and Japanese organizations. Some of this activity has been linked to a threat actor tracked as Silver Fox APT.
The starting point of the latest attack chain is a phishing email containing an archive with a Chinese file name. When opened, it launches a first-stage loader, which in turn drops a DLL file and the FatalRAT configurator.
The configurator module, for its part, loads the contents of a note hosted on note.youdao[.]com to obtain its configuration information. It is also designed to open a decoy file in an attempt to avoid raising suspicion.
The DLL, on the other hand, is a second-stage loader responsible for downloading and installing the FatalRAT payload from the server (on myqcloud[.]com) specified in the configuration, while displaying a fake error message about a problem with the application.
A distinctive feature of the campaign is its use of DLL side-loading to advance the multi-stage infection sequence and load the FatalRAT malware.
"The threat actor uses a black-and-white method, in which the actor uses the functionality of legitimate binaries to make a chain of events look like normal activity," Kaspersky said. "The attackers also used the DLL side-loading technique to hide the persistence of the malware in a legitimate process."
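The two behaviours described above, a DLL side-loaded beside a legitimate executable and a non-browser process fetching configuration or payload from the cloud services named in the report, are the kind of thing a defender would hunt for in endpoint telemetry. The following is an added example written for this page, not Kaspersky's tooling and not code from the report. It assumes Sysmon-style events (Image Loaded, DNS query, Network connection) supplied as dicts; the sample events, the browser allowlist and the subdomain used for the myqcloud connection are constructed for the example.

```python
"""Hunt for DLL side-loading and for non-browser lookups of the cloud
services used in the FatalRAT chain. Example code, not the report's own.
Event shape assumed: Sysmon-like dicts (EventID 7 = Image Loaded,
EventID 22 = DNS query, EventID 3 = Network connection)."""
from pathlib import PureWindowsPath

# Domains named in the report. Both are legitimate services, so a match is a
# signal only in combination with the process that made the request.
WATCHED_DOMAIN_SUFFIXES = ("note.youdao.com", "myqcloud.com")

# Assumption: processes that may legitimately talk to these services.
BROWSER_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}

# Assumption: DLLs under this root are where the OS expects them
# (covers System32 and SysWOW64).
TRUSTED_ROOTS = ("c:\\windows\\",)


def _lower_path(p):
    """Normalise a Windows path case-insensitively, on any host OS."""
    return PureWindowsPath(p.lower())


def is_sideload_candidate(event):
    """Event ID 7 where the DLL sits in the executable's own directory,
    outside the Windows tree, and carries no valid signature: the
    'legitimate host binary + attacker-supplied DLL' shape."""
    if event.get("EventID") != 7:
        return False
    image = _lower_path(event["Image"])
    dll = _lower_path(event["ImageLoaded"])
    same_dir = image.parent == dll.parent
    outside_windows = not str(dll).startswith(TRUSTED_ROOTS)
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_dir and outside_windows and unsigned


def is_suspicious_cloud_lookup(event):
    """Event ID 22 or 3 to a watched domain from a process that is not a
    browser. The configurator and second-stage loader would look like this."""
    if event.get("EventID") not in (3, 22):
        return False
    host = (event.get("QueryName") or event.get("DestinationHostname") or "").lower()
    if not host:
        return False
    watched = any(host == s or host.endswith("." + s) for s in WATCHED_DOMAIN_SUFFIXES)
    proc = _lower_path(event["Image"]).name
    return watched and proc not in BROWSER_ALLOWLIST


def hunt(events):
    """Return (rule, process, artefact) tuples for every matching event."""
    findings = []
    for e in events:
        if is_sideload_candidate(e):
            findings.append(("dll_sideload", e["Image"], e["ImageLoaded"]))
        if is_suspicious_cloud_lookup(e):
            host = e.get("QueryName") or e.get("DestinationHostname")
            findings.append(("cloud_c2_lookup", e["Image"], host))
    return findings


# Constructed sample telemetry (not real logs). Index 0 and 2 and 4 should
# fire; 1 (a normal System32 load) and 3 (a browser) should not.
STAGE_DIR = r"C:\Users\user\AppData\Local\Temp\invoice"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": STAGE_DIR + r"\viewer.exe",
     "ImageLoaded": STAGE_DIR + r"\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 22, "Image": STAGE_DIR + r"\viewer.exe",
     "QueryName": "note.youdao.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "note.youdao.com"},
    {"EventID": 3, "Image": STAGE_DIR + r"\viewer.exe",
     "DestinationHostname": "constructed-bucket.myqcloud.com"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The side-loading rule deliberately requires all three conditions (same directory, outside the Windows tree, unsigned) to keep noise down; the cloud-lookup rule is only meaningful once the browser allowlist is tuned to the environment, because both domains are legitimate services.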
"FatalRAT performs 17 checks for indicators that the malware is running in a virtual machine or sandbox. If any of the checks fails, the malware stops execution."
It also terminates all instances of the rundll32.exe process and collects information about the system and the various security solutions installed on it before waiting for further instructions from the command-and-control (C2) server.
FatalRAT is a feature-rich trojan equipped to log keystrokes, corrupt the Master Boot Record (MBR), turn the screen on and off, search for and delete user data in browsers such as Google Chrome and Internet Explorer, download additional software such as AnyDesk and UltraViewer, perform file operations, start and stop a proxy, and terminate arbitrary processes.
It is currently not known who is behind the attacks using FatalRAT, although the tactics and tooling overlap with other campaigns, which the researchers believe "all reflect different series of attacks that are somehow connected." Kaspersky has attributed the activity, with medium confidence, to a Chinese-speaking threat actor.
"The FatalRAT functionality gives the attacker almost unlimited possibilities for developing the attack: spreading across the network, installing remote administration tools, manipulating devices, and stealing and deleting sensitive information," the researchers said.
"The consistent use of services and interfaces in Chinese at different stages of the attack, as well as other indirect evidence, suggests that a Chinese-speaking actor may be involved."