Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware called FatalRAT.
“The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure,” Kaspersky ICS CERT said in a Monday report.
“The attackers employed a sophisticated multi-stage payload delivery framework to ensure evasion of detection.”
The activity has singled out government agencies and industrial organizations, particularly manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation, in Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong.
The lure attachments used in the email messages suggest that the phishing campaign is designed to go after Chinese-speaking individuals.
It’s worth noting that FatalRAT campaigns have previously leveraged bogus Google Ads as a distribution vector. In September 2023, Proofpoint documented another email phishing campaign that propagated various malware families such as FatalRAT, Gh0st RAT, Purple Fox, and ValleyRAT.
An interesting aspect of both intrusion sets is that they have primarily targeted Chinese-language speakers and Japanese organizations. Some of these activities have been attributed to a threat actor tracked as Silver Fox APT.
The starting point of the latest attack chain is a phishing email containing a ZIP archive with a Chinese-language filename, which, when launched, launches the first-stage loader that, in turn, makes a request to Youdao Cloud Notes in order to retrieve a DLL file and a FatalRAT configurator.
For its part, the configurator module downloads the contents of another note from note.youdao[.]com so as to access the configuration information. It’s also engineered to open a decoy file in an effort to avoid raising suspicion.
The DLL, on the other hand, is a second-stage loader that’s responsible for downloading and installing the FatalRAT payload from a server (“myqcloud[.]com”) specified in the configuration, while displaying a fake error message about a problem running the application.
An important hallmark of the campaign includes the use of DLL side-loading techniques to advance the multi-stage infection sequence and load the FatalRAT malware.
“The threat actor uses a black and white method where the actor leverages the functionality of legitimate binaries to make the chain of events look like normal activity,” Kaspersky said. “The attackers also used a DLL side-loading technique to hide the persistence of the malware in legitimate process memory.”
“FatalRAT performs 17 checks for an indicator that the malware executes in a virtual machine or sandbox environment. If any of the checks fail, the malware stops executing.”
It also terminates all instances of the rundll32.exe process, and gathers information about the system and the various security solutions installed in it, before awaiting further instructions from a command-and-control (C2) server.
FatalRAT is a feature-packed trojan that’s equipped to log keystrokes, corrupt Master Boot Record (MBR), turn on/off screen, search and delete user data in browsers like Google Chrome and Internet Explorer, download additional software like AnyDesk and UltraViewer, perform file operations, and start/stop a proxy, and terminate arbitrary processes.
It’s currently not known who is behind the attacks using FatalRAT, although the tactical and instrumentation overlaps with other campaigns suggest that “they all reflect different series of attacks that are somehow related.” Kaspersky has assessed with medium confidence that a Chinese-speaking threat actor is behind it.
“FatalRAT’s functionality gives an attacker almost unlimited possibilities for developing an attack: spreading over a network, installing remote administration tools, manipulating devices, stealing, and deleting confidential information,” the researchers said.
“The consistent use of services and interfaces in Chinese at various stages of the attack, as well as other indirect evidence, indicates that a Chinese-speaking actor may be involved.”
