Cybersecurity researchers are warning of a new phishing campaign that’s targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe.
The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan’s National Taxation Bureau, Fortinet FortiGuard Labs said in a report shared with The Hacker News.
The cybersecurity company said it identified additional malware samples through continuous monitoring and that it observed the same threat actor, referred to as Silver Fox APT, using malware-laced PDF documents or ZIP files distributed via phishing emails to deliver Gh0stCringe and a malware strain based on HoldingHands RAT.
It’s worth noting that both HoldingHands RAT (aka Gh0stBins) and Gh0stCringe are variants of a known remote access trojan called Gh0st RAT, which is widely used by Chinese hacking groups.
The starting point of the attack is a phishing email that masquerades as messages from the government or business partners, employing lures related to taxes, invoices, and pensions to persuade recipients into opening the attachment. Alternate attack chains have been found to leverage an embedded image that, when clicked, downloads the malware.
The PDF files, in turn, contain a link that redirects prospective targets to a download page hosting a ZIP archive. Present within the file are several legitimate executables, shellcode loaders, and encrypted shellcode.
The multi-stage infection sequence entails the use of the shellcode loader to decrypt and execute the shellcode, which is nothing but DLL files sideloaded by the legitimate binaries using DLL side-loading techniques. Intermediate payloads deployed as part of the attack incorporate anti-VM and privilege escalation so as to ensure that the malware runs unimpeded on the compromised host.
The attack culminates with the execution of “msgDb.dat,” which implements command-and-control (C2) functions to collect user information and download additional modules to facilitate file management and remote desktop capabilities.
Fortinet said it also discovered the threat actor propagating Gh0stCringe via PDF attachments in phishing emails that take users to document download HTM pages.
“The attack chain comprises numerous snippets of shellcode and loaders, making the attack flow complex,” the company said. “Across winos, HoldingHands, and Gh0stCringe, this threat group continuously evolves its malware and distribution strategies.”
