Backdoored Executables for Signal, Line, and Gmail Target Chinese-Speaking Users

Summary:
Hunt[.]io has published an analysis of a threat actor campaign targeting users attempting to download messaging apps including Signal, Line, and Gmail. These are popular apps that users often discover and download via search engines, making them attractive targets for SEO poisoning by cybercriminals seeking to distribute malware. By mimicking legitimate software download pages, the actor delivers backdoored executables for Signal, Line, and Gmail. Unlike typical phishing attacks that mimic legitimate websites, this campaign uses seemingly unrelated domains. The campaign does appear to target specific regions inhabited by Chinese-speaking individuals, as evidenced by the Chinese-language prompts and the redirection to the legitimate BitBrowser website when a visitor attempts to switch to English. All malicious domains are hosted on a single Alibaba server in Hong Kong, indicating centralized infrastructure.

The fake pages in this campaign deliver ZIP files containing malicious Windows executables. Upon execution, these files exhibit infostealer-like behavior, including process injection, communication with a suspected C2 server, and disabling Windows Defender. The malware's behavior aligns with an infostealer potentially identified as "MicroClip" by Joe Sandbox, which suggests the campaign aims to steal sensitive data.

Security Officer Comments:
This campaign highlights the danger of initial access via phishing pages that use search engine manipulation to increase traffic. The attack chain begins this way because the likely objective of these intrusions is not to spearphish specific targets, but to increase the volume of traffic and therefore the campaign's success rate. The use of a single server for hosting the malicious domains and a separate command-and-control server points to a well-organized operation that could be well-resourced. The malware's execution pattern, including process injection and disabling security software, further underscores the attacker's technical capabilities. By employing appropriate security measures and remaining informed about emerging threats, users and organizations can better protect themselves against such attacks.

Suggested Corrections:
IOCs are available here.
  • User Awareness: Users should exercise extreme caution when downloading software from unofficial sources. Always verify the legitimacy of websites and download links before proceeding. The domains in this campaign do not attempt to mimic official URLs, which is itself a clear indicator of malicious activity.
  • Utilize Security Software: Employ robust security software with real-time scanning capabilities to detect and prevent malware infections. Block known malicious sites and establish rigorous web filtering procedures.
  • Network Monitoring: Defenders should monitor for suspicious network connections, particularly those originating from user endpoints and communicating with unknown or suspicious IP addresses.
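As an added example, not code from the Hunt[.]io report or from this summary, the Python script below shows how the last two recommendations could be turned into detection logic: it scans endpoint telemetry for Windows Defender being disabled (the behavior noted in the Summary) and for outbound connections from binaries in user-writable locations to external addresses, and raises the severity when both are seen on the same host. The JSON-lines telemetry format, the host names, the process paths, the documentation-range IP addresses and the allowlist are all constructed for this example; Defender event ID 5001 and the DisableAntiSpyware policy value are real Windows identifiers.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample telemetry in a hypothetical JSON-lines format. Hosts, process
# paths and addresses are made up; the 203.0.113.0/24 and 198.51.100.0/24 addresses
# are RFC 5737 documentation ranges standing in for external hosts.
SAMPLE_TELEMETRY = r"""
{"host": "WS01", "type": "defender", "event_id": 5001, "msg": "Real-time protection is disabled"}
{"host": "WS01", "type": "netconn", "proc": "C:\\Users\\alice\\Downloads\\Signal-Setup\\Signal.exe", "dst": "203.0.113.45", "dport": 443}
{"host": "WS02", "type": "netconn", "proc": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dst": "198.51.100.7", "dport": 443}
{"host": "WS02", "type": "netconn", "proc": "C:\\Windows\\System32\\svchost.exe", "dst": "10.0.0.5", "dport": 445}
{"host": "WS03", "type": "netconn", "proc": "C:\\Users\\bob\\AppData\\Local\\Temp\\Line.exe", "dst": "203.0.113.99", "dport": 8080}
{"host": "WS04", "type": "registry", "key": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware", "value": 1}
"""

# Address space treated as internal; anything else is an external destination.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Placeholder allowlist of external networks endpoints are expected to reach
# (e.g. the organisation's own SaaS or update CDN). Constructed for this example.
KNOWN_GOOD_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Path fragments typical of freshly downloaded or unpacked binaries (user-writable).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")
# Windows Defender operational log: event 5001 = real-time protection disabled.
DEFENDER_TAMPER_EVENT_IDS = {5001}
# Policy values that switch Defender off when set to 1.
DEFENDER_TAMPER_REG_VALUES = ("disableantispyware", "disablerealtimemonitoring")


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_defender_tamper(ev):
    """True if the event records Windows Defender being disabled."""
    if ev["type"] == "defender":
        return ev.get("event_id") in DEFENDER_TAMPER_EVENT_IDS
    if ev["type"] == "registry":
        value_name = ev["key"].rsplit("\\", 1)[-1].lower()
        return value_name in DEFENDER_TAMPER_REG_VALUES and ev.get("value") == 1
    return False


def is_suspicious_netconn(ev):
    """True for an outbound connection from a binary in a user-writable location
    to an external address that is not on the allowlist."""
    if ev["type"] != "netconn":
        return False
    dst = ipaddress.ip_address(ev["dst"])
    if any(dst in net for net in INTERNAL_NETS + KNOWN_GOOD_NETS):
        return False
    proc = ev["proc"].lower()
    return any(marker in proc for marker in USER_WRITABLE_MARKERS)


def analyze(text):
    """Group findings per host and escalate when Defender tampering and a
    suspicious outbound connection are seen on the same endpoint."""
    per_host = defaultdict(lambda: {"defender_tamper": [], "suspicious_netconn": []})
    for ev in parse_events(text):
        if is_defender_tamper(ev):
            per_host[ev["host"]]["defender_tamper"].append(ev)
        elif is_suspicious_netconn(ev):
            per_host[ev["host"]]["suspicious_netconn"].append(ev)
    alerts = []
    for host in sorted(per_host):
        f = per_host[host]
        both = bool(f["defender_tamper"]) and bool(f["suspicious_netconn"])
        alerts.append({
            "host": host,
            "severity": "high" if both else "medium",
            "defender_tamper": len(f["defender_tamper"]),
            "suspicious_netconn": len(f["suspicious_netconn"]),
            "destinations": sorted(e["dst"] for e in f["suspicious_netconn"]),
        })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_TELEMETRY):
        print(json.dumps(alert))
```

The correlation step is the useful part: a single external connection from a user-writable path is common enough to drown an analyst, but paired with a Defender-disabled event on the same host within the same window it matches the behavior chain the report describes and is worth triaging first. In a real deployment the allowlist and the path heuristics would come from the organisation's own baseline rather than the constants above.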
Link(s):
https://hunt.io/blog/backdoored-executables-for-signal-line-gmail-target-chinese-users

https://securityonline.info/search-engine-manipulation-leads-to-backdoored-app-downloads/