China firms targeted by mystery malware gangs


Chinese businesses on the mainland are being targeted by threat actors, many of them using new strains of malware, according to Proofpoint. The cybersecurity firm says it has spotted around 30 such campaigns aimed at China this year.

The campaigns involve bad actors spoofing Chinese companies and using phishing or social-engineering emails, typically with business-themed lures, to trick unwary employees into installing malware.


Among these is a new tool in the cybercriminal arsenal, which Proofpoint spotted for the first time in March and has dubbed ValleyRAT. The last three letters stand for “remote access trojan,” a ubiquitous class of malware that lets attackers control a compromised computer from afar.

“The campaigns distributing this malware were conducted in Chinese, and, following the trend of other Chinese malware campaigns, the majority used invoice themes related to various Chinese businesses,” it said, adding that it had tracked half a dozen campaigns using ValleyRAT.

A plague of RATs

Other malware kits used in the Chinese-speaking campaigns included what appears to be a new variant of Gh0stRAT, which Proofpoint calls Sainbox.

“Nearly all the observed Sainbox campaigns used invoice-themed lures, which spoofed Chinese office and invoicing companies,” said Proofpoint. “The emails were typically sent from Outlook or other freemail addresses and contained URLs, or Excel attachments containing URLs, that linked to a zipped executable [file] that installed Sainbox.”

Proofpoint adds that it observed most of the campaigns using Sainbox between December and May.

Other malware used to target Chinese speakers included Purple Fox, which Proofpoint noted was spotted in at least three campaigns and was also leveraged against Japanese targets.

“While historic activity aligns with what Proofpoint considers Chinese-themed, it is rarely observed in our threat data,” the analyst said of the Purple Fox attacks. “Notably, one observed campaign used Japanese-language invoice themes targeting organizations in Japan to deliver zipped attachments that led to installation, while others used Chinese language invoice themed messages with URLs.”


Multiple bad actors, but who are they?

The campaigns are believed to be the work of multiple threat groups, some of which may be sharing tools or delivery infrastructure.

“Proofpoint does not attribute all the Chinese-themed malware campaigns to the same threat actor at this time, but some activity clusters do overlap, suggesting threat actors may be using the same infrastructure to deliver multiple malware families,” it said.

Proofpoint did not speculate on the motives behind the attacks, nor did it specify where the threat groups responsible originate from, but it indicates that the intended victims are organizations operating in mainland China.

“The phrase ‘Chinese-themed’ is used to describe any of the observed content related to this malicious activity, including lures, malware, targeting, and any metadata that contains Chinese language usage,” it said.

It added: “Campaigns are generally low-volume and are typically sent to global organizations with operations in China. The email subjects and content are usually written in Chinese, and are typically related to business themes like invoices, payments, and new products.”

Proofpoint said that people targeted by the campaigns had “Chinese-language names spelled with Chinese-language characters” or company email addresses that appeared to mark them out as being businesses based in China.
