A Wave of Chinese Cyberthreat Campaigns Use Old and New Malware

Proofpoint threat researchers are tracking a recent surge in Chinese-language cyberattacks aimed at Chinese-speaking targets around the globe. The campaigns use both older and newer malware typically linked to cybercriminals from the country.

There have been more than 30 phishing campaigns this year that distributed malware by email using lures written mostly in Chinese, though one campaign used messages written in Japanese and targeted organizations in that country, the researchers wrote in a report released today.

It’s unclear what is behind the rise in the clusters of Chinese attacks, though “it is likely that this malware is more available to Chinese threat actors, either through actors directly or available for sale on forums,” Selena Larson, senior threat intelligence analyst at Proofpoint, told Security Boulevard.

“The campaigns have typically targeted Chinese-speaking employees at organizations around the world with likely operations in China,” Larson said. “The targeted users have Chinese-language names spelled with Chinese-language characters, or specific company email addresses that appear to align with businesses’ operations in China.”

The attacks appear to be carried out by a number of threat actors, though there is some commonality. They are financially motivated rather than state-sponsored, and Proofpoint doesn’t “attribute all the Chinese-themed malware campaigns to the same threat actor, but some activity clusters do overlap, suggesting cybercriminal threat actors may be using the same infrastructure to deliver multiple malware families,” she said.

In With the Old

The malware being distributed is a combination of the old and the new, according to the cybersecurity firm. It includes Sainbox, also known as FatalRAT, a variant of the widely used Gh0stRAT malware that targets Windows. Proofpoint first identified Sainbox in 2020, but the malware had not been seen in use for several years until this year, when it was detected in almost 20 campaigns.

Gh0stRAT itself was first detected in 2008 and its source code is publicly available, leading to multiple variants being created by myriad threat actors. A “handful” of the Chinese language campaigns this year were seen delivering older Gh0stRAT variants, according to the researchers.

“Nearly all the observed Sainbox campaigns used invoice themed lures which spoofed Chinese office and invoicing companies,” they wrote. “The emails were typically sent from Outlook or other freemail email addresses and contained URLs, or Excel attachments containing URLs, that linked to a zipped executable that installed Sainbox.”

Clicking the URL in one of these emails downloaded a zipped executable that installed the Sainbox RAT (remote access trojan), which communicated with command-and-control (C2) infrastructure whose domain names contained variations of “fakaka”.
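The delivery chain above (freemail sender, URL or Excel attachment leading to a zipped executable, C2 domains built around “fakaka”) is concrete enough to hunt for in mail-gateway and DNS-resolver logs. The following is an added example written for this page, not Proofpoint’s tooling or any detection content from the report; the log line formats, the sample log lines, the domain `fakaka-example.test`, the freemail domain list and the extra archive extensions are all assumptions constructed for the example. Because “variations of fakaka” is all the page gives, the C2 check is a plain substring match and will produce false positives, so treat hits as leads to triage rather than verdicts.

```python
"""Hunting helpers for the Sainbox delivery chain described above.

Added example, not Proofpoint's code. The log formats below are constructed
for this example; adapt the two parsers to your own mail-gateway and DNS logs.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Freemail sender domains. The page names Outlook and Hotmail; the exact
# domain strings are an assumption for this example.
FREEMAIL_DOMAINS = {"outlook.com", "hotmail.com"}

# "Zipped executable" stage. rar/7z are added as an assumption.
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)

# Excel attachments carrying URLs were one of the delivery paths.
EXCEL_RE = re.compile(r"\.(xls|xlsx|xlsm)$", re.IGNORECASE)

# Sainbox C2 domains contained "variations of 'fakaka'". A substring match is
# the simplest approximation and will also hit unrelated names.
C2_RE = re.compile(r"fakaka", re.IGNORECASE)

# Constructed mail-gateway log format: ts sender= recipient= [url=] [attachment=]
MAIL_LOG_RE = re.compile(
    r"^(?P<ts>\S+) sender=(?P<sender>\S+) recipient=(?P<recipient>\S+)"
    r"(?: url=(?P<url>\S+))?(?: attachment=(?P<attachment>\S+))?$"
)
# Constructed resolver log format: ts client= qname=
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)$")


def parse_mail_line(line: str) -> Optional[dict]:
    """Parse one constructed mail log line into a dict, or None if it does not match."""
    m = MAIL_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def mail_indicators(rec: dict) -> list:
    """Return the indicator names a parsed mail record matches, in a fixed order."""
    reasons = []
    if sender_domain(rec["sender"]) in FREEMAIL_DOMAINS:
        reasons.append("freemail-sender")
    url = rec.get("url")
    if url:
        parsed = urlparse(url)
        if ARCHIVE_RE.search(parsed.path):
            reasons.append("url-to-archive")
        if C2_RE.search(parsed.hostname or ""):
            reasons.append("fakaka-domain")
    att = rec.get("attachment")
    if att:
        if EXCEL_RE.search(att):
            reasons.append("excel-attachment")
        if ARCHIVE_RE.search(att):
            reasons.append("archive-attachment")
    return reasons


def hunt_mail(lines) -> list:
    """Return (record, reasons) for lines worth triage.

    A freemail sender alone is noise, so a hit needs two indicators unless the
    URL host already matches the C2 naming pattern.
    """
    hits = []
    for line in lines:
        rec = parse_mail_line(line)
        if not rec:
            continue
        reasons = mail_indicators(rec)
        if len(reasons) >= 2 or "fakaka-domain" in reasons:
            hits.append((rec, reasons))
    return hits


def hunt_dns(lines) -> list:
    """Return (client, qname) pairs whose queried name matches the C2 pattern."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line.strip())
        if m and C2_RE.search(m["qname"]):
            hits.append((m["client"], m["qname"].lower()))
    return hits


# Constructed sample input; none of these addresses or hosts come from the report.
SAMPLE_MAIL_LOG = [
    "2023-06-01T08:12:03Z sender=invoice2023@outlook.com recipient=zhang.wei@example.com url=http://files.example.net/invoice_0601.zip",
    "2023-06-01T08:14:10Z sender=billing@hotmail.com recipient=li.na@example.com attachment=invoice.xlsx",
    "2023-06-01T09:00:00Z sender=hr@example.com recipient=wang.fang@example.com attachment=policy.pdf",
    "2023-06-02T10:30:45Z sender=invoice@outlook.com recipient=chen.jie@example.com url=http://update.fakaka-example.test/app.zip",
]
SAMPLE_DNS_LOG = [
    "2023-06-02T10:31:02Z client=10.0.0.5 qname=update.fakaka-example.test",
    "2023-06-02T10:31:05Z client=10.0.0.5 qname=www.example.com",
]

if __name__ == "__main__":
    for rec, reasons in hunt_mail(SAMPLE_MAIL_LOG):
        print(rec["ts"], rec["recipient"], reasons)
    for client, qname in hunt_dns(SAMPLE_DNS_LOG):
        print("C2-pattern DNS query", client, qname)
```

Run against the constructed sample, three of the four mail lines are flagged (the internal HR message is not), and one resolver client shows up querying the C2-pattern name; correlating that client with the recipient of the matching email is the natural next triage step.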

Most of the Sainbox campaigns ran between December 2022 and May of this year, though one occurred in April 2022 and more such attacks happened last month.

Another legacy malware that re-emerged this year was Purple Fox, which has been around since at least 2018. There were at least three Chinese-language campaigns distributing Purple Fox, which typically has been delivered through the Purple Fox Exploit Kit or, more recently, through legitimate-looking application installers.

It also was used in Japanese-language invoice schemes targeting organizations in that country by delivering zipped LNK attachments.

Like Sainbox, Purple Fox had rarely been seen by Proofpoint researchers in recent years.

ValleyRAT Hits the Scene

New to the scene is the ValleyRAT malware, identified by Proofpoint in March, though it was first reported on by the Chinese cybersecurity firm Qi An Xin. Like the other campaigns, those involving ValleyRAT used invoice lures related to various Chinese businesses. The first of at least six campaigns contained a malicious URL that led to a zipped executable that downloaded the payload. Others were similar, with the URLs sent from free mail systems like Outlook, Hotmail, and WeCom, though in at least one campaign the malware, which is written in C++, was distributed through a loader written in Rust that the researchers are still investigating.

In addition, in May, one ValleyRAT campaign broke from the other ones, using resume-themed PDFs rather than invoice lures to deliver the malware.

“A blend of historic malware such as Sainbox … and the newly uncovered ValleyRAT may challenge the dominance that the Russian-speaking cybercrime market has on the threat landscape,” the researchers wrote. “However, the Chinese-themed malware is currently mostly targeted toward users that likely speak Chinese. Proofpoint continues to monitor for evidence of increasing adoption across other languages.”

What’s Ahead

What it means for the future is unclear.

“The increase in such activity suggests it is a trend that global cybercrime continues to be highly successful and lucrative,” Larson said. “This may indicate that Chinese speakers who conduct cybercrime operations may want to take a larger slice of the financial gains. While the activity we observed is unusual, it does suggest a longer-term trend of this type of malware targeting more organizations in the future. It is, at the very least, evidence that the fight against cybercrime continues globally.”

There likely will be a similar amount of activity from Chinese-themed malware and there is potential that future campaigns will include other languages.

“Frankly, I think it will depend on how successful the operations are,” she said. “If they start to funnel money in, I expect we’ll see the activity follow a similar model to other regions: scale up activity, expand operations. It is likely they will continue to use a mix of both older malware and the new ValleyRAT malware.”


Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
