Fortinet FortiGuard Labs and Zscaler have recently identified an elaborate cyber campaign, targeting Chinese-speaking internet users through sophisticated SEO-poisoning tactics. This effort uses cleverly masked domains to falsely represent legitimate software sites, tricking users into downloading compromised installers. Among various threats, kkRAT stands out as a significant concern, displaying functionality that marks it as a robust remote access tool, akin to Gh0stRAT and Big Bad Wolf.
Deceptive SEO Techniques
The attackers registered domains mimicking popular software such as DeepL, Chrome, and Signal. These sites, optimized to appear prominently in search results, host trojanized versions of software that unsuspecting users download, believing them to be genuine. Fortinet’s research highlighted the deployment of the malicious nice.js script, harnessing multiple JSON redirects to direct users to a nefarious payload that instigates a chain of events compromising system integrity.
The Intricate Malware Delivery Chain
Upon execution, this payload incorporates a well-orchestrated sequence, initiating with EnumW.dll, to conduct anti-analysis activities and exhaust system memory as a diversion tactic. Subsequently, another DLL scrutinizes the presence of 360 Total Security, proceeding with either an antivirus-specific evasion method or creating a startup shortcut for persistence through the execution of insalivation.exe. The deployment culminates with the sideloading of AIDE.dll, responsible for encrypted command-and-control operations and monitoring user activity.
In parallel, Zscaler ThreatLabz detected the dissemination of kkRAT, an elusive threat sharing its codebase with Gh0stRAT and emboldened by advanced encrypted communications and dynamic plugin capabilities.
Capabilities and Tactics of kkRAT
kkRAT is engineered to execute numerous malicious activities, such as logging keystrokes, capturing screenshots, manipulating clipboard data, and hijacking cryptocurrency transactions. The malware is notorious for using GitHub Pages to deliver misleading installers and utilizing sandbox and virtual machine checks to evade detection. It demands administrative privileges to control network adapters, undermining security defenses.
Moreover, kkRAT’s designers opted for a sophisticated Bring-Your-Own-Vulnerable-Driver (BYOVD) strategy. This involves exploiting publicly accessible source code to circumvent antivirus measures. Key targets of this approach included renowned security products such as 360 Internet Security and QQ PC Manager.
Countering the Threat
The malicious operations extend to deploy shellcode (notably 2025.bin) which facilitates the download of malicious elements bundled within ZIP archives. This chain ultimately results in executing a legitimate binary through a startup shortcut, masked with a malicious DLL to unfold its full potential.
kkRAT’s repertoire allows for screen capture, emulating user inputs, manipulating registries for persistence, and redirecting network traffic to bypass standard security barriers. Businesses are encouraged to remain vigilant, continuously inspecting domain authenticity, and tracking suspicious activity within their networks. Prioritizing the detection of DLL sideloading, BYOVD techniques, and clipboard hijacking offers a crucial defensive layer against this sophisticated malware threat.
Security analysts emphasize the imperative to maintain a proactive posture, deploying comprehensive detection strategies designed to counteract these advanced evasion techniques, ensuring the integrity and safety of business operations in a digitized world.
