- Chinese users are being targeted by malware campaigns that use fake download sites and SEO poisoning
- KKRAT offers advanced capabilities including clipboard hijacking, remote monitoring and antivirus evasion
- The attackers abused GitHub Pages to host phishing sites
Chinese users seeking to download popular browsers and communications software are being targeted by several malware variants that give attackers remote access capabilities, according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs and Zscaler ThreatLabz.
The former discovered an SEO poisoning campaign delivering two remote access Trojans (RATs), HiddenGh0st and Winos, both variants of the infamous Gh0st RAT.
In the campaign, the threat actors created fake download pages for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp and WPS Office on typosquatted domains.
Steal cryptocurrency and disable AV
They then manipulated search rankings using various SEO plugins to trick people searching for these programs into visiting the rogue sites. The download appears to install the wanted program, but the installer is trojanized and also drops one of the Trojans mentioned above.
Separately, Zscaler researchers observed a previously unknown Trojan, dubbed KKRAT, being distributed. This campaign began in May of this year and also delivers Winos and FatalRAT.
KKRAT's code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler explained: "KKRAT employs a network communication protocol similar to Gh0st RAT, with added clipboard hijacking of cryptocurrency addresses and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP)."
It is also able to kill antivirus software before executing any malicious activity, to better hide its presence. Among the AV solutions targeted by the Trojan are 360 Internet Security Suite, 360 Total Security, HeroBravo System Diagnostics Suite and others.
Unlike Fortinet's discovery, in this campaign the phishing sites were hosted on GitHub Pages, trading on the trust the platform enjoys with its community to distribute the Trojans. The GitHub account used in this campaign has since been terminated.
Via The Hacker News