Full Report
The threat actors behind a malware family known as Winos 4.0 (aka ValleyRAT) have expanded their targeting footprint from China and Taiwan to target Japan and Malaysia with another remote access trojan (RAT) tracked as HoldingHands RAT (aka Gh0stBins). "The campaign relied on phishing emails with PDFs that contained embedded malicious links," Pei Han Liao, researcher with Fortinet's FortiGuard
Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
* **Primary Name:** Silver Fox
* **Known Aliases:** SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, Void Arachne.
* **Associated Groups/Malware:** Linked to the aggressive Chinese cybercrime group that operates Winos 4.0 (aka ValleyRAT) and HoldingHands RAT (aka Gh0stBins). Both malware families are derived from the leaked Gh0st RAT source code.
## Activity Summary
Silver Fox has expanded its targeting from China and Taiwan to include **Japan and Malaysia**.
* **Recent Campaigns (Japan/Malaysia):** Utilized phishing emails containing PDFs with malicious links, masquerading as official documents from the Ministry of Finance. In Malaysia, they used fake landing pages, starting with an executable claiming to be an excise audit document, to deliver HoldingHands RAT.
* **Historical Campaigns (China/Taiwan):**
  * Distributed Winos 4.0 via phishing and SEO poisoning, directing users to fake software download sites (e.g., Google Chrome, Telegram, Sogou AI).
  * Used taxation-themed Microsoft Excel lures in attacks targeting China as far back as March 2024 to distribute Winos.
  * Targeted Taiwan and Japan in June using phishing emails with booby-trapped PDFs to deploy HoldingHands RAT.
* **Notable Technique:** The group previously carried out a Bring Your Own Vulnerable Driver (BYOVD) attack using a vulnerable WatchDog Anti-malware driver to disable security software.
## Tactics, Techniques & Procedures
* **Initial Access (Phishing):** Used phishing emails containing malicious links embedded in PDF documents (e.g., posing as Ministry of Finance documents or tax regulation drafts).
* **Initial Access (SEO Poisoning):** Directed users searching for legitimate software to attacker-controlled or compromised websites that distribute malware.
* **Delivery via Lures:** Employed lures like tax regulation drafts (specific to Taiwan) or excise audit documents (specific to Malaysia).
* **Execution Chain:** The Malaysia campaign involved an executable masquerading as an audit document which sideloaded a malicious DLL functioning as a shellcode loader for the "sw.dat" payload.
* **Defense Evasion:** The executed payload performs anti-virtual machine (VM) checks and enumerates active processes, specifically terminating security products from Avast, Norton, and Kaspersky.
* **Persistence/Disabling Security:** Attempts to escalate privileges and terminates the Windows Task Scheduler service.
* **BYOVD:** Documented use of vulnerable drivers (e.g., a WatchDog Anti-malware driver) to bypass security controls.
* **Malware Inspiration:** Utilizes malware variants inspired by Gh0st RAT.
## Targeting
* **Sectors:** Finance (implied by Ministry of Finance lures), general software users (via fake software download sites).
* **Geography:** China, Taiwan, **Japan (new focus)**, **Malaysia (new focus)**.
* **Victims:** Not specified beyond geographic regions; targeting appears broad within those regions based on malware distribution methods.
## Tools & Infrastructure
* **Malware Families Used:**
  * Winos 4.0 (aka ValleyRAT)
  * HoldingHands RAT (aka Gh0stBins)
  * HiddenGh0st (associated module)
* **Infrastructure:**
  * One specific URL documented for the HoldingHands RAT deployment targeting Japan/Taiwan (defanged): `twsww[.]xin/download[.]html`
* **Payload Components (Malaysian Campaign Files):** `sw.dat`, `svchost.ini`, `TimeBrokerClient.dll` (renamed to `BrokerClientCallback.dll`), `msvchost.dat`, `system.dat`, `wkscli.dll`.
## Implications
Silver Fox demonstrates an aggressive, financially motivated campaign structure, actively expanding its geographic reach from core East Asian targets (China/Taiwan) into Southeast Asia (Malaysia) and Japan. The evolution from broad SEO poisoning (Winos 4.0) to using targeted social engineering via official documents (tax/finance lures) and complex execution chains (sideloading, VM checks via HoldingHands RAT) indicates a maturing and adaptable cybercrime operation. The continued reliance on Gh0st RAT variants keeps them relevant in the threat landscape.
## Mitigations
* Implement stringent email filtering to block malicious links commonly found in PDF attachments masquerading as official government or financial documents.
* Be vigilant regarding software downloads sourced outside of official application stores, particularly those claiming to be updates for popular tools like Chrome or common office suites, due to Winos 4.0 distribution via SEO poisoning.
* Employ robust endpoint detection and response (EDR) or anti-malware solutions capable of detecting and blocking known anti-VM and anti-security process termination routines. Monitor for unusual modifications to the Task Scheduler service recovery settings.
* If possible, audit driver signing policies and patch systems immediately to prevent Bring Your Own Vulnerable Driver (BYOVD) exploits, specifically concerning anti-malware drivers.
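The execution-chain and defense-evasion behaviours listed under Tactics, Techniques & Procedures, together with the monitoring advice in the mitigations above, translate into a small set of host-based hunting rules. The script below is an added example (not code from Fortinet or the original report) that runs those rules over constructed, Sysmon-style event records: it flags the Malaysian campaign's payload component names when they appear outside the Windows system directories, termination of Avast/Norton/Kaspersky processes, and a stop of the Task Scheduler service (Windows service name `Schedule`). The event schema, host names and file paths are assumptions for the demonstration; the indicator names come from the report.

```python
"""Hunting rules for the HoldingHands RAT behaviours described in the report.

Added example, not part of the original report. Event records are constructed
and use a simplified Sysmon-like schema (an assumption, not a real log format).
"""
import ntpath
from collections import Counter

# Payload component file names documented for the Malaysian campaign (from the report).
PAYLOAD_COMPONENTS = {
    "sw.dat", "svchost.ini", "timebrokerclient.dll", "brokerclientcallback.dll",
    "msvchost.dat", "system.dat", "wkscli.dll",
}
# wkscli.dll and TimeBrokerClient.dll are also legitimate Windows libraries under
# System32, so a name match alone would be noisy: only flag these names when the
# file lives outside the trusted system directories (the sideloading pattern).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Security products the report says the payload terminates; matched by substring
# of the target image name (assumption: vendor name appears in the process name).
AV_HINTS = ("avast", "norton", "kaspersky")
# Windows service name of the Task Scheduler (the service the payload stops).
TASK_SCHEDULER_SERVICE = "schedule"


def check_event(event):
    """Return a list of (rule, detail) hits for one event record."""
    hits = []
    etype = event.get("type")
    if etype in ("file_create", "image_load"):
        path = event.get("path", "")
        name = ntpath.basename(path).lower()
        if name in PAYLOAD_COMPONENTS and not path.lower().startswith(TRUSTED_DIRS):
            hits.append(("payload_component", path))
    elif etype == "process_terminate":
        target = event.get("target", "")
        if any(hint in target.lower() for hint in AV_HINTS):
            hits.append(("av_process_terminated", target))
    elif etype == "service_stop":
        service = event.get("service", "")
        if service.lower() == TASK_SCHEDULER_SERVICE:
            hits.append(("task_scheduler_stopped", service))
    return hits


def hunt(events):
    """Run every rule over a stream of events; return one dict per hit."""
    findings = []
    for event in events:
        for rule, detail in check_event(event):
            findings.append({"host": event.get("host", "?"), "rule": rule, "detail": detail})
    return findings


def assess(findings):
    """Severity by how many *distinct* behaviours fired on the same host.

    One rule alone can be benign noise; the report's chain (dropped components,
    AV termination, scheduler stopped) firing together is a strong signal.
    """
    per_host = Counter()
    seen = set()
    for f in findings:
        key = (f["host"], f["rule"])
        if key not in seen:
            seen.add(key)
            per_host[f["host"]] += 1
    worst = max(per_host.values(), default=0)
    return {0: "none", 1: "low", 2: "medium"}.get(worst, "high")


# Constructed sample events (not real telemetry) mirroring the reported chain.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\u\AppData\Local\Temp\audit\sw.dat"},
    {"type": "image_load", "host": "ws01", "path": r"C:\Users\u\AppData\Local\Temp\audit\BrokerClientCallback.dll"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Windows\System32\wkscli.dll"},  # legitimate location
    {"type": "process_terminate", "host": "ws01", "target": "AvastSvc.exe"},
    {"type": "process_terminate", "host": "ws01", "target": "notepad.exe"},
    {"type": "service_stop", "host": "ws01", "service": "Schedule"},
    {"type": "file_create", "host": "ws01", "path": r"C:\Users\u\AppData\Local\Temp\audit\svchost.ini"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']}: {f['rule']} -> {f['detail']}")
    print("severity:", assess(found))
```

The location check is the part worth keeping when adapting this to real telemetry: several of the reported file names collide with legitimate Windows binaries, so the signal is a known name in a user-writable directory next to a renamed executable, not the name itself. Severity is scored per host on distinct rules so that a single AV-process exit (common during updates) does not page anyone, while the full chain does.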