Netskope reports on Sainbox RAT and Hidden Rootkit
Netskope Threat Labs has identified a campaign that uses fake software installers to deploy the Sainbox remote access tool (RAT) and the Hidden rootkit. This update is relevant to IT decision-makers concerned with cybersecurity threats, particularly those focused on protecting systems against phishing attacks aimed at Chinese-speaking targets.
Findings
The investigation revealed counterfeit installers mimicking popular applications such as Sogou and DeepSeek. The malware consists of the Sainbox RAT, a version of the Gh0stRAT tool, paired with the Hidden rootkit. Attribution has been made with medium confidence to the Silver Fox group based on the observed tactics and the targeted demographic.
Threat Activity
Infection occurs when a user downloads a fake installer from a phishing site. The example used was a page designed to look like the official WPS Office site. The installer runs a legitimate executable that loads a malicious DLL to compromise the user's system.
The analyzed MSI (Windows Installer) files showed consistent behavior: each executes "Shine.exe" to side-load the malicious DLL, which masquerades as a legitimate library. The payloads also include mechanisms for persistence and concealment to avoid detection.
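The side-loading pattern described above (a legitimate executable launched from a user-writable directory that loads a DLL carrying the name of a Windows system library from that same directory) can be surfaced from image-load telemetry. The following detection heuristic is an added example, not code from the Netskope report; it assumes a simplified constructed log format resembling Sysmon Event ID 7 (Image loaded), an illustrative allow-list of commonly impersonated system DLL names, and constructed sample paths.

```python
"""Flag DLL side-loading candidates in image-load log lines.

Heuristic: an image load is suspicious when the loaded DLL has the name
of a library that normally lives in the Windows system directories but
is loaded from somewhere else (typically the directory the launcher
executable was dropped into).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed, illustrative allow-list of Windows library names that are
# frequently impersonated by side-loaded DLLs; not taken from the report.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "msimg32.dll"}
# Directories where a DLL with one of those names legitimately resides.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")

# Constructed log format: process="<exe path>" image="<dll path>" signed=<bool>
LINE_RE = re.compile(
    r'process="([^"]+)"\s+image="([^"]+)"\s+signed=(true|false)', re.I
)


@dataclass
class ImageLoad:
    process: str  # executable that performed the load
    image: str    # DLL that was loaded
    signed: bool  # whether the DLL carried a valid signature


def parse_line(line: str):
    """Parse one log line into an ImageLoad, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ImageLoad(m.group(1), m.group(2), m.group(3).lower() == "true")


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-library name is loaded from a non-system directory."""
    img = PureWindowsPath(ev.image)
    if img.name.lower() not in SYSTEM_DLL_NAMES:
        return False
    parent = str(img.parent).lower()
    # A genuine copy lives under System32/SysWOW64; anything else is suspect.
    return not parent.startswith(SYSTEM_DIRS)


def find_sideloads(lines):
    """Return (process, image) pairs for every side-loading candidate."""
    hits = []
    for line in lines:
        ev = parse_line(line.strip())
        if ev is not None and is_sideload_candidate(ev):
            hits.append((ev.process, ev.image))
    return hits


# Constructed sample telemetry. Shine.exe is the launcher named in the
# report; the paths and the DLL name are assumptions for this example.
SAMPLE_LOG = r"""
process="C:\Users\victim\AppData\Local\Temp\Shine.exe" image="C:\Users\victim\AppData\Local\Temp\version.dll" signed=false
process="C:\Windows\explorer.exe" image="C:\Windows\System32\version.dll" signed=true
process="C:\Users\victim\AppData\Local\Temp\Shine.exe" image="C:\Windows\System32\kernel32.dll" signed=true
"""

if __name__ == "__main__":
    for proc, dll in find_sideloads(SAMPLE_LOG.splitlines()):
        print(f"side-load candidate: {proc} loaded {dll}")
```

Only the first sample line is reported: the launcher loads a `version.dll` from its own drop directory, whereas the genuine `version.dll` under System32 and the `kernel32.dll` load are left alone. In production this check would be paired with the launcher's code-signing status and its own location, since legitimate signed binaries running from temporary directories are a second strong signal.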
Malware Operations
Once the Sainbox RAT is running, attackers gain extensive control over the compromised system, enabling further exploitation such as data theft and deployment of additional malware. The Hidden rootkit adds stealth by concealing the payloads and interfering with security tooling.
Conclusion
This update exemplifies ongoing tactics by cybercriminals to exploit software popularity for malicious outcomes. Netskope Threat Labs continues to monitor the activities of the Silver Fox group and the evolution of their strategies.
Attribution Considerations
Attribution to specific threat actors can be complex due to techniques aimed at masking true identities. Netskope employs a three-tiered confidence system for attributions based on corroborating evidence and tactical consistency.
Indicators of Compromise
The Indicators of Compromise (IOCs) for this campaign are available in the Netskope GitHub repository. This post is a fact-based summary of the original report on the Sainbox RAT and its associated tactics.