- Chinese users are targeted by malware campaigns using spoofed download sites and SEO poisoning
- kkRAT has advanced capabilities including clipboard hijacking, remote monitoring and antivirus evasion
- Attackers used GitHub Pages sites to host phishing websites
Chinese users looking to download popular browsers and communication software are being targeted by several malware variants that give attackers remote access capabilities, according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs and Zscaler ThreatLabz.
The former discovered an SEO poisoning campaign delivering two remote access trojans (RATs), HiddenGh0st and Winos, both variants of the notorious Gh0st RAT.
In the campaign, the threat actors created counterfeit download sites for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp and WPS Office on typosquatted domains.
Stealing crypto and disabling antivirus
They then manipulated search engine results using various SEO plugins to trick people searching for these programs into visiting the fake sites. The download appears to install the desired program, but the installer is Trojanized and also delivers one of the above-mentioned Trojans.
Separately, Zscaler researchers observed a previously unknown Trojan, called kkRAT, being delivered. This campaign started in May this year and also involves Winos and FatalRAT.
kkRAT’s code is similar to Gh0st RAT and Big Bad Wolf, Zscaler explained: “kkRAT uses a network communication protocol similar to Gh0st RAT, with an extra encryption layer after data compression. […] Sunlogin, GotoHTTP).”
It is also able to kill antivirus software before carrying out any malicious activity, to better hide its presence. Among the AV solutions targeted by the Trojan are 360 Internet Security Suite, 360 Total Security, HeroBravo System Diagnostics Suite and others.
Unlike the campaign Fortinet discovered, this campaign’s phishing sites were hosted on GitHub Pages, leaning on the trust the platform enjoys within its community to distribute the Trojans. The GitHub account used in this campaign has since been terminated.
Via The Hacker News