Cybersecurity researchers are using malware families such as HoldingHands Rat and Gh0stringe to warn of new phishing campaigns targeting Taiwanese users.
The activity is part of a broader campaign that provided the Winos 4.0 malware framework in early January this year by sending phishing messages that impersonate Taiwan’s National Tax Agency, Fortinet Fortiguard Labs said in a report shared with Hacker News.
The cybersecurity company said it had identified additional malware samples through continuous monitoring and observed the same threat actors delivering GH0STCRINGE and malware stocks based on holding rats, using malware layer PDF documents or zip files distributed via phishing emails.
It is worth noting that both HoldingHands rats (aka GH0STBINS) and GH0STRinge are variations of known remote access trojans called GH0st rats, which are widely used in Chinese hacking groups.
The starting point for the attack is a phishing email spoofing a message from a government or business partner, employing lures related to taxes, invoices and pensions to persuade recipients to open attachments. Alternate attack chains are known to utilize embedded images that download malware when clicked.
The PDF file contains a link that redirects future targets to the download page that hosts the ZIP archive. Within the file you will find some legitimate executables, shellcode loaders, and encrypted shellcode.
Multistage infection sequences require the use of a shellcode loader. This is nothing more than a DLL file sideloaded by a legitimate binary using DLL sideloading techniques. The intermediate payload deployed as part of the attack includes anti-VMs and privilege escalations to ensure that the malware is not being blocked by the compromised host.
This attack reaches its peak with the execution of “MSGDB.DAT”. This allows Command and Control (C2) to work to collect user information and download additional modules to facilitate file management and remote desktop functionality.
Fortinet also found threat actors propagating gh0stringe via PDF attachments in phishing emails that record users to download HTM pages.
“The attack chain consists of numerous snippets of shellcode and loader that complicates the flow of the attack,” the company said. “Beyond Winos, HoldingHands and Gh0stringe, this threat group is continuing to evolve its malware and distribution strategies.”
