Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape

Cyber Security Threat Summary:
“Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well” (Proofpoint, 2023).

Proofpoint says the increase in Chinese-language malware indicates an expansion of the Chinese malware ecosystem. There may be increased access to payloads and target lists, or simply more activity by Chinese-speaking cybercrime operators. Notable upticks include more attempted delivery of the Sainbox Remote Access Trojan (a variant of the more common Gh0stRAT), but also a newly identified malware called ValleyRAT. ValleyRAT has been around for years, but was never found in Proofpoint's threat data. Over the past six months it has been appearing in multiple campaigns.

Security Officer Comments:
Proofpoint says the threat actors leveraging these pieces of malware have shown flexibility in their delivery methods, using both “simple and moderately complex techniques”. Most commonly, these phishing emails leverage URL links that lead to compressed executables, which are then used to install the malware. In some Sainbox RAT and ValleyRAT campaigns, the malware was delivered via Excel and PDF attachments that contained URLs linking to the compressed executables.

“Proofpoint researchers assess that multiple campaigns delivering Sainbox RAT and ValleyRAT contain some similar tactics, techniques, and procedures (TTPs). However, research into additional activity clusters utilizing these malwares demonstrates enough variety in infrastructure, sender domains, email content, targeting, and payloads that researchers currently conclude that all use of these malwares and associated campaigns are not attributable to the same cluster, but likely multiple distinct activity sets” (Proofpoint, 2023).

Proofpoint says the uptick in Chinese-themed malware could “challenge the dominance” of the Russian-speaking cybercrime market. Proofpoint says the Chinese-themed malware has mostly targeted other Chinese-speaking victims, but they will continue to monitor its adoption across other languages.

In 2023, Proofpoint says it has observed over 30 campaigns leveraging malware associated with Chinese cybercrime. Nearly all the lures were seen targeting Japanese organizations. Notably, there has been a usage increase in Sainbox, a variant of Gh0stRAT. There were 20 distinct campaigns using Sainbox, after being completely absent from the email threat landscape over the past few years.

Gh0stRAT was first discovered in 2008, but has been modified heavily over the years by multiple authors and threat actors. This notable Sainbox variant was being used in invoice-themed phishing attacks that spoofed Chinese office and invoicing companies. The emails were typically sent from Outlook or other freemail email addresses. The lures contained malicious URLs, or Excel attachments that contained the URLs. These linked to a zipped executable that installed Sainbox. The majority of Sainbox RAT campaigns occurred between December 2022 and May 2023.

Another piece of malware called Purple Fox has been seen since 2018. This exploit kit is typically delivered by masquerading as legitimate application installers. Proofpoint identified at least three campaigns delivering Purple Fox. “Notably, one observed campaign used Japanese language invoice themes targeting organizations in Japan to deliver zipped LNK attachments that led to the installation of Purple Fox, while others used Chinese language invoice themed messages with URLs leading to Purple Fox” (Proofpoint, 2023).

Starting in March of this year, Proofpoint identified a new piece of malware they call ValleyRAT. These campaigns targeted Chinese businesses and used various invoice-themed lures. Similar to the other campaigns, the phishing emails contained a URL that led to a zipped executable that downloads ValleyRAT. Outlook, Hotmail, and WeCom email services were used to deliver the phishing emails. “However, in at least one campaign, the RAT was delivered via a Rust language-based loader still currently under investigation. The loader additionally downloaded a legitimate tool, EasyConnect, in addition to a trojanized DLL that the tool would load and execute via DLL search order hijacking. EasyConnect is an SSL VPN appliance that enables remote access and management of Windows hosts” (Proofpoint, 2023).
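The EasyConnect case above is a classic DLL search-order hijack: a legitimate executable is dropped next to a look-alike DLL, and the Windows loader resolves the library from the application directory before the system directory. The following added example (not Proofpoint's code) shows a defender-side triage heuristic over constructed Sysmon-style image-load records; the field names and the DLL file names, including `version.dll` next to an `EasyConnect.exe`, are assumptions for illustration, since the page does not name the trojanized module.

```python
import ntpath

# Constructed image-load records in a Sysmon Event ID 7 style. Field names and the
# file names are assumptions; the page does not name EasyConnect's real modules.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"image": r"C:\Users\bob\AppData\Local\Temp\EasyConnect.exe",
     "loaded": r"C:\Users\bob\AppData\Local\Temp\version.dll", "signed": False},
    {"image": r"C:\Program Files\Vendor\Tool.exe",
     "loaded": r"C:\Program Files\Vendor\Tool.dll", "signed": True},
    {"image": r"C:\Users\bob\Downloads\Setup.exe",
     "loaded": r"C:\Windows\System32\user32.dll", "signed": True},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Library names the loader normally resolves from System32; a copy beside an EXE is a red flag.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll"}


def classify_load(event):
    """Return a reason string if the load looks like a search-order hijack, else None."""
    image_dir = ntpath.dirname(event["image"]).lower()
    dll_dir = ntpath.dirname(event["loaded"]).lower()
    dll_name = ntpath.basename(event["loaded"]).lower()
    if dll_dir in SYSTEM_DIRS:
        return None  # resolved from the system directory: expected behaviour
    if dll_dir != image_dir:
        return None  # not the application-directory step of the search order
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append("system library name loaded from application directory")
    if not event["signed"]:
        reasons.append("unsigned DLL")
    if any(h in dll_dir + "\\" for h in USER_WRITABLE_HINTS):
        reasons.append("user-writable directory")
    # Require two independent signals so vendor apps shipping their own DLLs stay out of the alert list.
    return "; ".join(reasons) if len(reasons) >= 2 else None


def find_sideload_candidates(events):
    """Return (executable, dll, reason) triples for records that trip the heuristic."""
    return [(ntpath.basename(e["image"]), ntpath.basename(e["loaded"]), r)
            for e in events if (r := classify_load(e))]


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(hit)
```

Only the EasyConnect record is reported; the vendor application loading its own signed DLL from Program Files is intentionally left alone.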

Proofpoint says that while many of the campaigns they observed leverage invoice-themed lures, there was an outlier campaign in May that used a resume-themed PDF containing a URL that, if clicked, downloaded a remote zipped payload to install ValleyRAT.

Suggested Correction(s):
Proofpoint concludes with some interesting observations. The company is surprised to still see Gh0stRAT getting updates after being used in attacks for nearly a decade. They pose the question, “Is it easier to detect older malware due to its age and impact?” Proofpoint says this is not necessarily true, as older malware can still be effective, especially as threat actors rotate IP addresses, domains, encoding, obfuscation, and other pieces of infrastructure. They caution that while these malware families are not new, organizations cannot afford to underestimate the risk they pose.

“Proofpoint research suggests that this activity does not seem to be related to a single entity but rather appears to be a cluster of activities based on temporal patterns. The appearance of ValleyRAT alongside the older families hints at the possibility of their relation in terms of timing. Proofpoint anticipates ValleyRAT will be used more frequently in the future” (Proofpoint, 2023).

These campaigns rely on phishing and social engineering, so best practices related to these tactics should be followed:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or IT staff immediately