Bogus software installers leveraged in novel Chinese malware attack
SecurityWeek reports that the Chinese advanced persistent threat group Silver Fox has been using counterfeit installers for widely used software, such as WPS Office, DeepSeek, and Sogou, to deliver Sainbox RAT, a variant of Gh0stRAT, together with the Hidden rootkit. According to a Netskope analysis, the attacks relied on impersonated websites of popular software from which the fake installers could be downloaded. Running an installer launches a file named 'Shine.exe' that performs malicious DLL sideloading while also running the legitimate installer to mask the activity; the researchers identified the sideloaded DLL payload as Sainbox RAT. Beyond retrieving and executing additional payloads, Sainbox RAT supports data theft and other malicious activity, including execution of the Hidden rootkit. "The primary goal of the rootkit is to conceal items such as processes, files, and registry keys and values. It does so by using a mini-filter as well as kernel callbacks. It can also protect itself and specific processes, and contains a user interface that is accessed using IOCTL," researchers added.
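The sideloading step in the chain above (a dropped executable loading an unsigned DLL from its own folder in a user-writable location) is something a defender can triage from endpoint image-load telemetry. The following is an added example, not code from the Netskope report or from SC Media; the event fields mirror Sysmon Event ID 7, the sample events and the DLL file name are constructed placeholders, and the writable-path and trusted-directory lists are assumptions to tune per environment.

```python
"""Triage Sysmon-style image-load events for DLL sideloading beside a dropped EXE."""
import ntpath
from dataclasses import dataclass

# Locations a normal user can write to (lower-case substrings; constructed list).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
# OS directories where DLL loads are expected and not flagged (assumed list).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


@dataclass
class ImageLoad:
    """Subset of a Sysmon Event ID 7 (Image loaded) record."""
    process_image: str  # executable that performed the load
    loaded_image: str   # DLL that was loaded
    signed: bool        # Sysmon 'Signed' field for the loaded image


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the indicators that make this load look like sideloading (empty list = benign)."""
    exe_dir = ntpath.dirname(ev.process_image).lower() + "\\"
    dll = ev.loaded_image.lower()
    dll_dir = ntpath.dirname(dll) + "\\"
    if not dll.endswith(".dll") or dll_dir.startswith(TRUSTED_DIRS):
        return []
    reasons = []
    if dll_dir == exe_dir:
        reasons.append("DLL loaded from the executable's own directory")
    if any(marker in dll_dir for marker in USER_WRITABLE):
        reasons.append("DLL sits in a user-writable path")
    if not ev.signed:
        reasons.append("DLL is unsigned")
    # All three together describe an unsigned library dropped beside an EXE in a writable folder.
    return reasons if len(reasons) == 3 else []


def triage(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious loaded DLL path to the reasons it was flagged."""
    return {ev.loaded_image: r for ev in events if (r := sideload_reasons(ev))}


# Constructed sample events; the DLL file name is a placeholder, not taken from the report.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\Downloads\wps_setup\Shine.exe",
              r"C:\Users\alice\Downloads\wps_setup\placeholder_sideloaded.dll", signed=False),
    ImageLoad(r"C:\Users\alice\Downloads\wps_setup\wps_real_installer.exe",
              r"C:\Windows\System32\kernel32.dll", signed=True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\helper.dll", signed=False),
]
```

Only the first sample is flagged: the legitimate installer's system DLL load and an unsigned DLL beside an application under Program Files both fall outside the three-part pattern.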