Full Report
A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit. The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor.
Analysis Summary
# Threat Actor: Silver Fox (aka Void Arachne)
## Attribution & Identity
Attributed with medium confidence to a Chinese hacking group known as **Silver Fox** (also referenced as **Void Arachne**). This attribution is based on similarities in tradecraft with previous campaigns.
## Activity Summary
The actor is currently engaged in a campaign using **fake software download websites** (e.g., impersonating WPS Office, Sogou, and DeepSeek) to distribute malware via Chinese-language malicious MSI installers. This activity mirrors past operations in which the same kind of deceptive download site was used to target Chinese speakers.
**Historical Activities/Campaigns mentioned:**
* **July 2024:** Targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.
* **February (of reporting year):** Used bogus sites advertising Google Chrome to distribute ValleyRAT (Winos 4.0).
* **September 2023 (Reference):** ValleyRAT was previously documented in a campaign that targeted Chinese-speaking users and also delivered Sainbox RAT and Purple Fox.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Using highly deceptive, **fake websites** advertising popular software (WPS Office, Sogou, DeepSeek, Google Chrome) to trick users into downloading malicious MSI installers.
- **Execution:** The malicious MSI installer launches a legitimate-looking executable (`shine.exe`) which **side-loads a rogue DLL (`libcef.dll`)** placed alongside it, so the malicious code runs inside a benign-looking process.
- **Payload Execution:** The rogue DLL extracts and executes shellcode from a text file (`1.txt`) to ultimately load a secondary DLL payload (the RAT).
- **Defense Evasion/Persistence:** Deploying the open-source **Hidden rootkit**, which provides capabilities to hide malware-related processes and Windows Registry keys.
- **Use of Commodity/Open-Source Tools:** Leveraging variants of commodity RATs (like Gh0st RAT) and open-source rootkits (like Hidden) to maintain control while minimizing custom development.
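The chain above (MSI installer, `shine.exe`, side-loaded `libcef.dll`, then a kernel driver for the rootkit) maps directly onto endpoint telemetry. The following is an added detection example written for this summary, not code from the report or from any vendor: it scores constructed Sysmon-style records (Event ID 1 ProcessCreate, 7 ImageLoad, 6 DriverLoad field names) and alerts when a `shine.exe` process exhibits enough of the chain. The scoring weights, the five-minute driver-load correlation window, the path allow-list and the sample events are all assumptions; the report does not state whether the rootkit driver is signed, so an unverified-signature driver is treated here as the suspicious case.

```python
"""Score shine.exe processes by how much of the side-load chain they exhibit.

Added example, not code from the report. Field names follow Sysmon Event ID 1
(ProcessCreate), 7 (ImageLoad) and 6 (DriverLoad); the records below are
constructed for illustration and are not real telemetry.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SIDELOAD_HOST = "shine.exe"
SIDELOADED_DLL = "libcef.dll"
INSTALLER_PARENT = "msiexec.exe"
# Assumption: directories where an installed CEF-based application normally
# lives; Temp, Downloads and AppData are treated as untrusted.
TRUSTED_DIR_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumption: a driver load this soon after the side-load is correlated with it.
DRIVER_WINDOW = timedelta(minutes=5)
ALERT_THRESHOLD = 4


@dataclass
class Finding:
    pid: int
    first_seen: datetime
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def basename(path):
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIR_PREFIXES)


def event_time(ev):
    return datetime.fromisoformat(ev["UtcTime"])


def is_signed(ev):
    # Sysmon reports Signed as the strings "true"/"false".
    return ev.get("Signed", "false").lower() == "true" and ev.get("SignatureStatus") == "Valid"


def analyse(events):
    """Return {pid: Finding} for every shine.exe process seen in the events."""
    findings = {}
    driver_loads = []
    for ev in sorted(events, key=event_time):
        eid = ev["EventID"]
        if eid == 6:                      # DriverLoad has no owning process
            driver_loads.append(ev)
            continue
        if basename(ev["Image"]) != SIDELOAD_HOST:
            continue
        pid = ev["ProcessId"]
        f = findings.setdefault(pid, Finding(pid, event_time(ev)))
        if eid == 1:
            if basename(ev.get("ParentImage", "")) == INSTALLER_PARENT:
                f.add(2, "spawned by msiexec.exe (MSI installer)")
            if not in_trusted_dir(ev["Image"]):
                f.add(1, f"runs from untrusted path {ev['Image']}")
        elif eid == 7 and basename(ev["ImageLoaded"]) == SIDELOADED_DLL:
            f.add(2, f"loaded {SIDELOADED_DLL} from {ev['ImageLoaded']}")
            if not is_signed(ev):
                f.add(2, "side-loaded DLL has no valid signature")
    # Correlate unverified driver loads that follow a side-load within the window.
    for drv in driver_loads:
        if is_signed(drv):
            continue
        for f in findings.values():
            delta = event_time(drv) - f.first_seen
            if timedelta(0) <= delta <= DRIVER_WINDOW:
                f.add(3, f"unverified driver {drv['ImageLoaded']} loaded {int(delta.total_seconds())}s later")
    return findings


def alerts(events, threshold=ALERT_THRESHOLD):
    return sorted((f for f in analyse(events).values() if f.score >= threshold), key=lambda f: -f.score)


SAMPLE_EVENTS = [  # constructed sample telemetry, not from the report
    {"EventID": 1, "UtcTime": "2025-06-01 09:00:00", "ProcessId": 4120,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPS-Setup\\shine.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"EventID": 7, "UtcTime": "2025-06-01 09:00:01", "ProcessId": 4120,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPS-Setup\\shine.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPS-Setup\\libcef.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 6, "UtcTime": "2025-06-01 09:00:09",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPS-Setup\\driver.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # A legitimate CEF-based application that also ships libcef.dll: low score.
    {"EventID": 1, "UtcTime": "2025-06-01 10:30:00", "ProcessId": 5300,
     "Image": "C:\\Program Files\\ShineApp\\shine.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "UtcTime": "2025-06-01 10:30:01", "ProcessId": 5300,
     "Image": "C:\\Program Files\\ShineApp\\shine.exe",
     "ImageLoaded": "C:\\Program Files\\ShineApp\\libcef.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in alerts(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score}: " + "; ".join(f.reasons))
```

The benign `shine.exe` in Program Files loading a validly signed `libcef.dll` scores 2 and stays below the threshold, while the Temp-directory chain spawned by `msiexec.exe` accumulates 10 points. In production the same logic belongs in the SIEM or EDR query language rather than a script, but the weights and the driver-load correlation are the parts worth carrying over.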
## Targeting
- **Sectors:** Not explicitly stated, but the reliance on common software installers suggests broad targeting through user trickery.
- **Geography:** **China**, indicated by the use of Chinese-language malicious installers and targeting of Chinese-speaking users in past campaigns (e.g., Sogou, WPS Office).
- **Victims:** Chinese-speaking Windows users. Specific organizations were not named for the latest campaign, but previous campaigns targeted users interested in software like Google Chrome.
## Tools & Infrastructure
- **Malware Families Used:**
* **Sainbox RAT** (a variant of Gh0st RAT).
* **Hidden rootkit** (open-source kernel-level rootkit, deployed as a driver).
* **ValleyRAT** (Winos 4.0, another version of Gh0st RAT).
* Gh0st RAT (mentioned generally).
- **Infrastructure:**
* Fake download websites: `wpsice[.]com` (defanged domain).
* Delivery Mechanism: Malicious **MSI installers**.
* Internal Data: Shellcode extracted from `1.txt`, payloads embedded within the `.data` section of the primary binary.
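Because the report describes the payloads as embedded in the `.data` section of the primary binary, a quick static triage is to walk the PE section table and look for a second PE image (an `MZ` header whose `e_lfanew` points at a `PE\0\0` signature) inside that section. The following is an added example written for this summary, not code from the report; it parses the headers with `struct` only, and the sample file it scans is a minimal PE constructed inline, not the real `libcef.dll`. The header offsets and machine-type table are from the PE specification; everything else (section names, sizes, the ret-sled `.text`) is an assumption for the constructed sample.

```python
"""Find PE images embedded in a PE file's .data section.

Added example, not code from the report. Pure-struct parser, no pefile
dependency; the sample PE is constructed below and is not the real libcef.dll.
"""
import struct
import sys

PE_SIG = b"PE\0\0"
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
MACHINES = {0x014C: "i386", 0x8664: "x64", 0xAA64: "arm64"}


def sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_ptr, raw_size))
    return out


def find_embedded_pe(data, section_name=".data"):
    """Return [(section, file_offset, machine)] for every embedded PE found."""
    hits = []
    for name, raw_ptr, raw_size in sections(data):
        if name != section_name:
            continue
        blob = data[raw_ptr:raw_ptr + raw_size]
        pos = blob.find(b"MZ")
        while pos != -1:
            if pos + 0x40 <= len(blob):
                lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
                sig = pos + lfanew
                # Sanity-bound e_lfanew so random "MZ" bytes do not match.
                if 0x40 <= lfanew < 0x400 and blob[sig:sig + 4] == PE_SIG:
                    machine = struct.unpack_from("<H", blob, sig + 4)[0]
                    hits.append((name, raw_ptr + pos, MACHINES.get(machine, hex(machine))))
            pos = blob.find(b"MZ", pos + 1)
    return hits


def build_sample_pe(payload):
    """Construct a minimal x64 PE (no optional header) whose .data carries payload.

    Constructed for the example only: DOS header at 0, PE signature at 0x40,
    COFF header at 0x44, two section headers at 0x58, raw data from 0x200.
    """
    text_raw = b"\xC3" * 16                       # ret sled, placeholder code
    data_raw = b"\0" * 32 + payload + b"\0" * 16
    text_ptr = 0x200
    data_ptr = text_ptr + len(text_raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack(COFF_FMT, 0x8664, 2, 0, 0, 0, 0, 0x2022)

    def sec(name, size, ptr, chars):
        return struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, 0x1000, size, ptr, 0, 0, 0, 0, chars)

    headers = dos + PE_SIG + coff \
        + sec(b".text", len(text_raw), text_ptr, 0x60000020) \
        + sec(b".data", len(data_raw), data_ptr, 0xC0000040)
    return headers.ljust(text_ptr, b"\0") + text_raw + data_raw


def sample_outer_pe():
    """Outer PE whose .data holds a complete inner PE, mimicking the packaging."""
    return build_sample_pe(build_sample_pe(b""))


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_outer_pe()
    for section, off, machine in find_embedded_pe(data):
        print(f"embedded {machine} PE in {section} at file offset {off:#x}")
```

Run it with a file argument to scan a real sample, or with no arguments to scan the constructed one, which reports an embedded x64 PE at offset 0x230 in `.data`. Encrypted or compressed payloads will not show an `MZ`/`PE` pair, so a miss here rules nothing out; the check is cheap triage, not proof of absence.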
## Implications
Silver Fox presents a persistent threat, relying on tried-and-true social engineering tactics (fake software sites) combined with the dual advantage of established remote access tools (Sainbox/Gh0st RAT) for control and open-source kernel-level tooling (Hidden) for **advanced stealth and persistence**. The reuse of these techniques implies a mature operation focused on maintaining long-term access on compromised Chinese-speaking systems.
## Mitigations
- Restrict execution of downloaded application installers (MSI packages) from untrusted sources, for example by allowing only installers that are signed by an approved publisher.
- Deploy application control to block DLL side-loading: prevent unsigned or out-of-place DLLs such as `libcef.dll` from loading into otherwise legitimate processes (`shine.exe`), and block executables launched from user-writable directories such as Temp and Downloads.
- Use endpoint detection and response (EDR) solutions capable of detecting the kernel-level activity characteristic of rootkits like Hidden, including unexpected driver loads and processes or registry keys that are hidden from user-mode enumeration.
- Enhance user awareness training, specifically focusing on verifying the authenticity of software download portals, especially for major Chinese applications.