Malware - Silver Fox Exploits Stolen EV Certificates
Basically, a hacker group is tricking people into downloading malware by pretending to be trusted software.
Silver Fox, a Chinese APT group, exploits stolen EV certificates in a new malware campaign. Targeting Chinese-speaking users, this sophisticated attack poses serious risks. Security teams must stay vigilant against these evolving threats.
What Happened
The Chinese-nexus advanced persistent threat (APT) group known as Silver Fox, also referred to as Void Arachne and SwimSnake, has launched a sophisticated malware campaign utilizing the AtlasCross RAT. Security researcher Maurice Fielenbach from Hexastrike uncovered that this group is specifically targeting Chinese-speaking users and professionals. They are using stolen Extended Validation (EV) code-signing certificates to give their installers a valid signature, which lets the files pass automated security checks that treat signed code as trustworthy.
The attackers have set up an extensive infrastructure, including typosquatted domains that impersonate trusted software brands like Surfshark, Signal, and Zoom. When victims attempt to download these seemingly legitimate applications, they receive a ZIP archive containing a trojanized installer. This installer is designed to look like a genuine software package, but it actually drops malicious payloads onto the victim's system.
Who's Being Targeted
The primary targets of this campaign are Chinese-speaking users and professionals who might rely on these software applications for communication and security. The use of typosquatted domains suggests that the attackers are attempting to exploit the trust users place in well-known brands. This tactic increases the likelihood that victims will unwittingly download the malware, believing they are getting legitimate software.
By leveraging stolen EV certificates, the attackers can create a false sense of security. Users may not suspect anything amiss when they see a valid signature on the software they are downloading, yet a valid signature only proves that whoever held the signing key signed the file, not that the file is the software it claims to be or that it came from the brand being impersonated. This makes the campaign particularly dangerous, as it can lead to widespread infection across enterprise networks.
Signs of Infection
Once the trojanized installer is executed, it employs a range of techniques to evade detection. The malware uses a triple-nested Setup Factory installer to conceal its true nature. It then dynamically resolves application programming interfaces (APIs) and extracts an embedded configuration for the AtlasCross RAT. This process is designed to avoid static analysis by security tools.
The AtlasCross RAT itself is equipped with a custom native PowerShell execution engine called PowerChell. This allows the malware to execute scripts without triggering standard security measures. Notably, it disables critical defenses such as the Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW), making it difficult for security solutions to detect its activity. Users may notice unusual network activity or performance issues, which could indicate an infection.
How to Protect Yourself
To defend against this sophisticated malware campaign, organizations should implement several proactive measures. First, security teams should monitor for indicators of compromise (IOCs) related to the Silver Fox campaign, including the use of the stolen EV certificate and associated C2 domains. Regular audits of software installations and network traffic can help identify unauthorized applications and suspicious behavior.
Additionally, users should be educated on the risks of downloading software from unofficial sources. Encouraging employees to verify the authenticity of software before installation can mitigate the risk of falling victim to such attacks. Finally, maintaining up-to-date security solutions and patching vulnerabilities can help fortify defenses against malware like AtlasCross RAT.
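As an added defender-side illustration (this is not code from the article or from Hexastrike's research), the Python below applies three of the checks discussed above to constructed download records: whether the download host is a lookalike of a brand the campaign impersonates (Surfshark, Signal, Zoom), whether the installer arrived wrapped in an archive, and whether a signature that reports as valid actually belongs to the brand's expected publisher rather than merely being valid. The expected publisher names, the blocked-thumbprint value and every sample record are assumptions made for the example; the article publishes no certificate thumbprint, so a placeholder stands in for it.

```python
"""
Triage helper for software-download records: flags brand lookalike hosts,
archive-wrapped installers, blocked signing certificates, and signers that do
not match the expected publisher. All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Expected publisher organisation per brand domain. These names are assumptions
# for the example; confirm them against installs you have verified yourself.
KNOWN_BRANDS = {
    "surfshark.com": "Surfshark B.V.",
    "signal.org": "Signal Messenger, LLC",
    "zoom.us": "Zoom Video Communications, Inc.",
}

# Thumbprints of certificates confirmed stolen or revoked. The article gives no
# thumbprint, so this entry is a placeholder, not an indicator from the campaign.
BLOCKED_THUMBPRINTS = {"PLACEHOLDER-STOLEN-EV-THUMBPRINT"}

ARCHIVE_EXT = (".zip", ".7z", ".rar")


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host; adequate for .com/.org/.us, not for ccSLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when host imitates a known brand, else None."""
    host = host.lower()
    reg = registrable(host)
    if reg in KNOWN_BRANDS:
        return None  # the genuine domain or one of its own subdomains
    sub_labels = host.split(".")[:-2]
    reg_name = reg.split(".")[0]
    for brand in KNOWN_BRANDS:
        name = brand.split(".", 1)[0]
        if name in sub_labels:  # e.g. signal.org.download-center.net
            return brand, "brand name used as subdomain"
        if reg_name == name:  # e.g. zoom.cc
            return brand, "brand name with different TLD"
        max_dist = 1 if len(name) <= 5 else 2  # short names need a tighter bound
        if levenshtein(reg_name, name) <= max_dist:  # e.g. surfsharkk.com
            return brand, "near-miss spelling of brand name"
    return None


@dataclass
class Download:
    host: str
    filename: str
    signature_status: str  # e.g. "Valid", "NotSigned", "HashMismatch"
    signer_org: Optional[str] = None
    signer_thumbprint: Optional[str] = None


def triage(d: Download) -> List[str]:
    """Apply the four checks to one record and return human-readable findings."""
    findings: List[str] = []
    hit = lookalike_brand(d.host)
    if hit:
        findings.append(f"lookalike of {hit[0]}: {hit[1]}")
    if d.filename.lower().endswith(ARCHIVE_EXT):
        findings.append("installer delivered inside an archive")
    if d.signer_thumbprint in BLOCKED_THUMBPRINTS:
        findings.append("signed with a blocked (stolen/revoked) certificate")
    # A valid signature is only meaningful if the signer is the publisher
    # the user believes they are getting.
    brand = hit[0] if hit else (registrable(d.host) if registrable(d.host) in KNOWN_BRANDS else None)
    if brand and d.signature_status == "Valid" and d.signer_org != KNOWN_BRANDS[brand]:
        findings.append(f"valid signature but signer {d.signer_org!r} is not the expected publisher for {brand}")
    return findings


# Constructed sample records; hosts, filenames and signers are not real observations.
SAMPLE_DOWNLOADS = [
    Download("www.zoom.us", "ZoomInstaller.exe", "Valid", "Zoom Video Communications, Inc.", "AAAA"),
    Download("surfsharkk.com", "Surfshark-Setup.zip", "Valid", "Unrelated Trading Co. Ltd", "PLACEHOLDER-STOLEN-EV-THUMBPRINT"),
    Download("signal.org.download-center.net", "signal-desktop.zip", "Valid", "Unrelated Trading Co. Ltd", "BBBB"),
    Download("internal.example.net", "tool.exe", "NotSigned", None, None),
]


def run_triage(downloads=SAMPLE_DOWNLOADS) -> Dict[str, List[str]]:
    return {d.host: triage(d) for d in downloads}


if __name__ == "__main__":
    for host, findings in run_triage().items():
        print(host, "->", findings or ["no findings"])
```

The signer-mismatch rule is the one that addresses the stolen-certificate angle directly: Windows reports the campaign's installers as validly signed, so a check that stops at "Valid" learns nothing, whereas comparing the signer organisation to the publisher you expect for that brand surfaces the substitution. Feed it the signer subject and thumbprint from your own tooling (for example the output of a signature query on the downloaded file) rather than the constructed values here.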
Cyber Security News