Since the beginning of 2023, Proofpoint has observed an increase in suspected Chinese-language cybercrime activity in which malware is distributed by email.
Among other things, the Sainbox Remote Access Trojan (RAT) was used, a variant of the commodity Trojan Gh0stRAT. The newly identified ValleyRAT malware was also distributed as part of this activity. The observed campaigns were generally small in scope and mostly targeted global companies with branches in China. Email subject lines and bodies were typically written in Chinese and related to invoices, payments and new products. The targeted users mostly had Chinese names written in Chinese characters, or used corporate email addresses that appear to be tied to business activities in China. Most campaigns targeted Chinese-speaking users; the fact that the same actors are also targeting Japanese companies indicates that their activity is expanding.
The recently identified activity showed flexible delivery methods, using both simple and moderately complex techniques. Most of the emails contained URLs pointing to compressed executable files, which install the malware when run. Proofpoint has, however, also observed Sainbox RAT and ValleyRAT being distributed via Excel and PDF attachments that in turn contain URLs to compressed executable files.
New trend in the threat landscape
Proofpoint experts believe there is overlap in tactics, techniques and procedures (TTPs) between the various Sainbox RAT and ValleyRAT distribution campaigns. At the same time, examination of additional clusters of activity involving these malware families shows diversity in infrastructure, sender domains, email content, targets and payloads. The experts therefore conclude that the use of these malware variants and the associated campaigns cannot be attributed to a single cluster, but probably to several different groups.
The increasing appearance of new Chinese malware, together with the growing spread of older Chinese malware variants, indicates a new trend in the threat landscape. The mix of historical malware such as Sainbox, a variant of the older Gh0stRAT, and newly discovered families such as ValleyRAT could challenge Russia's dominance of the cybercrime environment. For now, however, Chinese malware primarily targets Chinese-speaking users. Proofpoint's analysis gives security managers several indicators for detecting compromises and identifying new threats.
Gh0stRAT / Sainbox
Proofpoint experts have observed the growing spread of a Gh0stRAT variant that Proofpoint calls Sainbox. Sainbox was first identified by Proofpoint in 2020 and is sometimes referred to as FatalRAT by other security researchers. Since April 2023, Proofpoint has identified nearly 20 campaigns using Sainbox, after years in which it was entirely absent from the email threat landscape.
Gh0stRAT is a remote access Trojan first observed in 2008. Its builder is available online and its source code is also public. Over the years, Gh0stRAT has been modified by several authors and cybercrime groups, producing many variants, including forks such as Sainbox. In 2023, Proofpoint also observed a handful of Chinese-language campaigns distributing older Gh0stRAT variants.
Almost all observed Sainbox campaigns used invoices as the lure. The emails were typically sent from Outlook or other free webmail addresses and contained URLs, or Excel attachments with URLs, pointing to a zipped executable that installs Sainbox.
For example, on May 17, 2023, Proofpoint observed a campaign targeting dozens of companies, most of them in the manufacturing and technology sectors. Most Sainbox RAT campaigns took place between December 2022 and May 2023. A retrospective analysis also uncovered another campaign in Proofpoint's data that used similar TTPs in April 2022. Proofpoint continues to identify additional campaigns associated with this activity cluster.
Purple Fox
The Purple Fox malware has been in circulation since at least 2018. It has been distributed through various means, including, in the past, the Purple Fox Exploit Kit. In recent years there have also been cases of Purple Fox being distributed disguised as a legitimate application installer. Proofpoint has identified at least three campaigns distributing Purple Fox. One campaign used a billing theme, in Japanese, to attack organizations in Japan; it sent zipped LNK attachments intended to install Purple Fox. Other campaigns used Chinese-language invoice themes with URLs leading to Purple Fox.
Proofpoint cannot currently attribute all Chinese malware campaigns to the same cybercrime group, but some clusters of activity overlap. This suggests that some groups are using the same infrastructure to distribute multiple malware families.
ValleyRAT
In March 2023, Proofpoint additionally identified a new malware family that security researchers have dubbed ValleyRAT. The campaigns distributing it were in Chinese. Following the pattern of the other Chinese malware campaigns, the actors again used invoice lures referring to various Chinese companies. This year, Proofpoint has observed at least six campaigns spreading ValleyRAT.
The experts observed the first campaign on March 21, 2023. The emails contained a URL leading to a zipped executable intended to download the ValleyRAT payload. Subsequent campaigns used similar TTPs, including free webmail providers such as Outlook, Hotmail and WeCom, to distribute URLs leading to the installation of ValleyRAT. In at least one campaign, however, the RAT was delivered by a loader written in Rust, which is still being investigated. This loader also downloaded a legitimate tool, EasyConnect, together with a trojanized DLL that the tool loaded and executed via DLL search order hijacking. EasyConnect is an SSL VPN application that enables remote access to and management of Windows hosts. Further campaigns in June 2023 also made use of these TTPs.
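Why a DLL dropped next to a legitimate executable gets loaded follows from the Windows DLL search order: for an import that is not a KnownDLL, the application's own directory is searched before System32, so a writable application folder lets a trojanized copy win. The following Python is an added example written for this page, not Proofpoint's code and not an analysis of EasyConnect; the directory, file and import names are placeholders, and the KnownDLLs subset is a constructed excerpt.

```python
from pathlib import PureWindowsPath

# Directories consulted, in order, under the default SafeDllSearchMode for a
# DLL that is not already loaded and not a KnownDLL. The current directory
# and PATH entries come after these and are omitted here for brevity.
SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"

# Constructed subset of the KnownDLLs list (the real list lives under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs). These are
# always mapped from the system copy, so an app-directory file of the same
# name is never loaded.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "ole32.dll"}


def resolve_dll(name, app_dir, filesystem, known_dlls=KNOWN_DLLS):
    """Return the path the loader would pick for an implicitly imported DLL.

    filesystem is a constructed view {directory: {filename, ...}} standing in
    for what a real triage script would gather with os.listdir / Get-ChildItem.
    Returns None when no search location holds the DLL.
    """
    name = name.lower()
    if name in known_dlls:
        return str(PureWindowsPath(SYSTEM32, name))
    fs = {PureWindowsPath(d): {f.lower() for f in files}
          for d, files in filesystem.items()}
    for directory in (app_dir, SYSTEM32, WINDIR):
        if name in fs.get(PureWindowsPath(directory), set()):
            return str(PureWindowsPath(directory, name))
    return None


def hijack_candidates(imports, app_dir, filesystem, known_dlls=KNOWN_DLLS):
    """Imports that resolve to the application directory rather than System32.

    When that directory is user-writable, a trojanized copy dropped next to a
    legitimate (often signed) executable is what actually gets loaded: the
    sideloading pattern described above.
    """
    app = PureWindowsPath(app_dir)
    found = []
    for dll in imports:
        loaded = resolve_dll(dll, app_dir, filesystem, known_dlls)
        if loaded and PureWindowsPath(loaded).parent == app:
            found.append(dll.lower())
    return found


# Constructed scenario (placeholder names, not the real EasyConnect binary or
# its imports): a dropper unpacked a legitimate tool.exe together with two
# DLLs into a user-writable folder.
APP_DIR = r"C:\Users\Public\tool"
FILESYSTEM = {
    APP_DIR: {"tool.exe", "version.dll", "kernel32.dll"},
    SYSTEM32: {"ntdll.dll", "kernel32.dll", "version.dll", "wininet.dll"},
}
IMPORTS = ["kernel32.dll", "version.dll", "wininet.dll"]

if __name__ == "__main__":
    for dll in IMPORTS:
        print(f"{dll:14} -> {resolve_dll(dll, APP_DIR, FILESYSTEM)}")
    print("hijack candidates:", hijack_candidates(IMPORTS, APP_DIR, FILESYSTEM))
```

Note that the kernel32.dll the dropper placed in the application folder is never a candidate: it is a KnownDLL and is mapped from the system copy regardless of what sits next to the executable, while version.dll, which is not, resolves to the attacker's copy. On a real host the file lists come from the directory the legitimate tool was unpacked into, and the import list from the executable's import table.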
While most campaigns used billing lures, Proofpoint observed one outlier: on May 24, 2023, PDF resumes were sent containing URLs to download a zipped payload that installs ValleyRAT. Analysis of the newly discovered ValleyRAT suggests that one group may be behind both the new malware campaigns and the re-emergence of the older Purple Fox and Sainbox variants.
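The delivery pattern that recurs throughout this report (a free webmail sender, a Chinese- or Japanese-language invoice, payment or resume subject, and a URL or an Excel/PDF attachment leading to a zipped executable or LNK) can be expressed as a simple mail-gateway triage rule. The following Python is an added example written for this page, not Proofpoint's detection logic; the indicator lists, the Chinese and Japanese keywords, the parsed-message format and the sample messages are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed indicator lists reflecting the TTPs described in this report;
# illustrative only, not Proofpoint's detection content.
FREEMAIL_DOMAINS = {"outlook.com", "hotmail.com"}     # WeCom's mail domain is not named above
ARCHIVE_EXT = (".zip", ".rar", ".7z")
EXEC_EXT = (".exe", ".lnk")
CARRIER_EXT = (".xlsx", ".xls", ".pdf")                # attachment types that carried URLs
CJK = re.compile(r"[\u3040-\u30ff\u4e00-\u9fff]")      # kana and CJK ideographs
# Lure keywords (assumed): Chinese "invoice", "payment", "bill", "new product",
# "resume", and Japanese "invoice".
LURE_KEYWORDS = {
    "发票": "invoice", "付款": "payment", "账单": "bill",
    "新产品": "new product", "简历": "resume", "請求書": "invoice-ja",
}
DELIVERY = {"url_to_archive_or_executable", "archived_executable_attachment"}
CONTEXT = {"freemail_sender", "cjk_subject"}


def _points_to_payload(url):
    path = urlparse(url).path.lower()
    return path.endswith(ARCHIVE_EXT) or path.endswith(EXEC_EXT)


def triage(msg):
    """Return the ordered, de-duplicated list of indicators one message matches.

    msg is a pre-parsed dict: {"from": str, "subject": str, "urls": [str],
    "attachments": [{"name": str, "urls": [str], "contains": [str]}]}
    where an attachment's "urls" are links extracted from an Excel or PDF
    file and "contains" lists the members of an archive attachment.
    """
    hits = []
    sender_domain = msg.get("from", "").rsplit("@", 1)[-1].lower()
    if sender_domain in FREEMAIL_DOMAINS:
        hits.append("freemail_sender")
    subject = msg.get("subject", "")
    if CJK.search(subject):
        hits.append("cjk_subject")
    for word, meaning in LURE_KEYWORDS.items():
        if word in subject:
            hits.append(f"lure:{meaning}")
    urls = list(msg.get("urls", []))
    for att in msg.get("attachments", []):
        name = att.get("name", "").lower()
        if att.get("urls") and name.endswith(CARRIER_EXT):
            hits.append("attachment_carries_url")
        urls.extend(att.get("urls", []))
        if name.endswith(ARCHIVE_EXT) and any(
                member.lower().endswith(EXEC_EXT) for member in att.get("contains", [])):
            hits.append("archived_executable_attachment")
    if any(_points_to_payload(u) for u in urls):
        hits.append("url_to_archive_or_executable")
    return list(dict.fromkeys(hits))


def is_suspicious(msg):
    """A delivery indicator plus at least one lure or sender/language indicator."""
    hits = set(triage(msg))
    has_context = bool(hits & CONTEXT) or any(h.startswith("lure:") for h in hits)
    return bool(hits & DELIVERY) and has_context


# Constructed sample messages (domains use the reserved .invalid TLD).
SAMPLE_MESSAGES = [
    {"from": "finance2023@outlook.com", "subject": "发票及付款通知",
     "urls": ["http://files.example.invalid/d/invoice_0517.zip"], "attachments": []},
    {"from": "candidate88@hotmail.com", "subject": "简历 - 应聘",
     "urls": [], "attachments": [{"name": "resume.pdf",
                                 "urls": ["http://dl.example.invalid/resume_full.zip"]}]},
    {"from": "keiri@example.invalid", "subject": "請求書の送付",
     "urls": [], "attachments": [{"name": "請求書.zip", "contains": ["請求書.lnk"]}]},
    {"from": "ap@example.invalid", "subject": "Invoice 2023-05 is available in the portal",
     "urls": ["https://portal.example.invalid/invoices/2023-05"], "attachments": []},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{msg['from']:28} suspicious={is_suspicious(msg)!s:5} {triage(msg)}")
```

Only the combination of a delivery indicator with a lure, language or sender indicator is flagged, so a plain English invoice link from a corporate domain scores nothing; the keyword list should be tuned to the languages your users actually correspond in, and the URL check is deliberately naive (a redirector in front of the archive defeats it, which is why the attachment and sender signals are kept alongside it).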
More at Proofpoint.com
About Proofpoint
Proofpoint, Inc. is a leading cybersecurity company. Proofpoint's focus is on protecting employees, because they are a company's greatest asset but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data and educate enterprise IT users about the risks of cyberattacks.