
Netskope reports on Sainbox RAT and Hidden Rootkit

Netskope Threat Labs has reported a campaign that uses counterfeit software installers to distribute the Sainbox remote access tool and a Hidden rootkit. This update is relevant for IT leaders focused on cybersecurity and phishing threat mitigation, especially because the campaign targets Chinese-speaking users.

Findings

The investigation into this campaign revealed the use of forged installers that imitate well-known applications such as Sogou and DeepSeek. The malware identified includes the Sainbox RAT along with a variant of the Gh0stRAT tool; attribution to the Silver Fox group was made with moderate confidence based on the group's methods and target audience.

Threat Activity

Infections begin when users download fake installer files from phishing websites, such as a site mimicking the official WPS Office site. The installers run legitimate applications while secretly loading a harmful DLL, compromising the user's system.

Analysis of the MSI installer files showed that they execute “Shine.exe”, which loads the malicious DLL disguised as a trusted library. Additionally, these payloads include features to establish persistence and evade detection mechanisms.
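The technique described above, a legitimate executable loading a malicious DLL from its own directory, leaves a recognisable shape in image-load telemetry. The following is an added example written for this summary; it is not Netskope's code, and the trusted directories, watched DLL names, file paths and sample events are all constructed assumptions. It takes Sysmon-style Event ID 7 (ImageLoaded) records and flags a DLL that carries the name of a Windows system library but is unsigned and sits beside the executable that loaded it, rather than in a system directory.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example, not code from Netskope or the blog post it summarises.
Assumes Sysmon-style Event ID 7 records with the fields Image (loading
executable), ImageLoaded (DLL path) and Signed ("true"/"false").
"""
from pathlib import PureWindowsPath

# Directories where Windows system DLLs are expected to live (constructed, not exhaustive).
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# System DLL names that side-loaded payloads commonly impersonate (hypothetical list;
# a real deployment would maintain this from its own telemetry).
WATCHED_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll", "winhttp.dll"}


def _under(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if `path` lies inside `root` (PureWindowsPath compares case-insensitively)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def is_sideload_candidate(event: dict) -> bool:
    """Return True when an image-load event matches the side-loading pattern:
    a watched system-DLL name, loaded from outside the system directories,
    from the same folder as the loading executable, and not signed."""
    dll = PureWindowsPath(event["ImageLoaded"])
    exe = PureWindowsPath(event["Image"])
    if dll.name.lower() not in WATCHED_DLLS:
        return False
    if any(_under(dll, root) for root in TRUSTED_DIRS):
        return False  # the real system copy, nothing to see
    same_folder = dll.parent == exe.parent
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_folder and unsigned


def find_sideload_candidates(events: list) -> list:
    """Filter a batch of Event ID 7 records down to side-loading candidates."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry; paths and the "victim" user are invented.
SAMPLE_EVENTS = [
    {   # Normal: explorer loads the genuine, signed system DLL.
        "Image": r"C:\Windows\explorer.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true",
    },
    {   # Side-load layout: a dropped executable loads an unsigned DLL beside itself.
        "Image": r"C:\Users\victim\AppData\Local\Temp\Shine.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\version.dll",
        "Signed": "false",
    },
    {   # A vendor app loading its own helper DLL: not a watched name, ignored.
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\helper.dll",
        "Signed": "true",
    },
    {   # Same folder, watched name, but signed: not flagged by this rule.
        "Image": r"C:\Program Files\ExampleApp\app.exe",
        "ImageLoaded": r"C:\Program Files\ExampleApp\winhttp.dll",
        "Signed": "true",
    },
]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {hit['Image']} loaded {hit['ImageLoaded']}")
```

The rule deliberately stays narrow (same folder, unsigned, impersonated name) so that it produces few alerts on a typical fleet; widening it to any non-system load of a watched name would catch more but would also fire on legitimate applications that ship their own copies of these libraries, which is why the signed case is excluded here.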

Malware Operations

By deploying the Sainbox RAT, the attackers gain substantial control over affected systems, enabling follow-on activity such as data exfiltration and deployment of additional malware. The Hidden rootkit increases stealth by concealing payload activity and obstructing security tooling.

Conclusion

This update highlights the continued abuse of popular software brands by cybercriminals for malicious purposes. Netskope Threat Labs will continue to monitor the Silver Fox group's activities and changes in its tactics.

Attribution Considerations

Attributing activity to a specific threat actor can be complicated by tactics intended to obscure the actor's true identity. Netskope uses a three-tiered confidence rating for attributions, based on corroborating evidence and consistency of tactics.

Indicators of Compromise

Further information on the Indicators of Compromise (IOC) for this malware campaign is available in the Netskope GitHub repository. This summary reflects an objective overview of the original blog post detailing the Sainbox RAT and its related tactics.