
Several industrial organizations in the Asia-Pacific region have been targeted in a phishing campaign designed to deliver the FatalRAT malware.

According to Kaspersky ICS CERT, the threat actors utilized the legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure.

The attackers employed a complex multi-stage payload delivery framework to evade detection and ensure the successful execution of the malware.

The campaign has primarily targeted government agencies and industrial organizations in various sectors, including manufacturing, construction, and healthcare, in countries such as Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong.

The phishing emails used in the campaign suggest that the attackers are targeting Chinese-speaking individuals, with the attachments and email content written in Chinese.

It is worth noting that FatalRAT campaigns have previously used fake Google Ads as a distribution vector, and in September 2023, Proofpoint documented another email phishing campaign that spread various malware families, including FatalRAT.

Both intrusion sets have primarily targeted Chinese-language speakers and Japanese organizations, with some activities attributed to the Silver Fox APT threat actor.

The attack chain begins with a phishing email containing a ZIP archive with a Chinese-language filename, which launches the first-stage loader and makes a request to Youdao Cloud Notes to retrieve a DLL file and a FatalRAT configurator.

The configurator module downloads configuration information from Youdao Cloud Notes and opens a decoy file to avoid raising suspicion, while the DLL is a second-stage loader responsible for downloading and installing the FatalRAT payload from a server specified in the configuration.

The campaign employs DLL side-loading techniques to advance the multi-stage infection sequence and load the FatalRAT malware, making it challenging to detect.

Kaspersky noted that the threat actor uses a “black and white” method, leveraging the functionality of legitimate binaries to make the attack chain appear like normal activity, and also employed a DLL side-loading technique to hide the persistence of the malware in legitimate process memory.

FatalRAT performs 17 checks to detect if it is being executed in a virtual machine or sandbox environment, and if any of the checks fail, the malware stops executing.

The malware terminates all instances of the rundll32.exe process, gathers system information, and awaits further instructions from a command-and-control (C2) server.
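Two of the behaviours described above, a signed host binary side-loading an unsigned DLL from a user-writable directory and a process terminating every rundll32.exe instance, are easy to express as detection rules over endpoint telemetry. The following is an added example, not Kaspersky's or the article's code; it assumes a simplified, constructed EDR-style event shape rather than real Sysmon output, and the sample events are constructed.

```python
from collections import defaultdict

# Directories an unprivileged user can write to; a signed EXE loading an
# unsigned DLL from beside itself in one of these is a side-loading signal.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def parent_dir(path):
    return path.lower().rsplit("\\", 1)[0]

def find_sideloading(events):
    """Return (pid, exe, dll) for image-load events where a signed host EXE
    loads an unsigned DLL located in its own user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "image_load" or not e["dll"].lower().endswith(".dll"):
            continue
        exe_dir, dll_dir = parent_dir(e["image"]), parent_dir(e["dll"])
        if (e["image_signed"] and not e["dll_signed"] and exe_dir == dll_dir
                and exe_dir.startswith(USER_WRITABLE)):
            hits.append((e["pid"], e["image"], e["dll"]))
    return hits

def find_rundll32_kills(events, threshold=3):
    """Return (pid, exe, count) for any process that terminated at least
    `threshold` rundll32.exe instances (FatalRAT kills them all at start-up)."""
    kills = defaultdict(int)
    for e in events:
        if (e["type"] == "process_terminate"
                and e["target"].lower().endswith("\\rundll32.exe")):
            kills[(e["pid"], e["image"])] += 1
    return [(pid, exe, n) for (pid, exe), n in kills.items() if n >= threshold]

# Constructed telemetry in a simplified EDR-like shape (hypothetical, not Sysmon).
STAGE = "C:\\Users\\victim\\AppData\\Local\\Temp\\unpacked\\"
SAMPLE_EVENTS = [
    {"type": "image_load", "pid": 4120, "image": STAGE + "viewer.exe",
     "image_signed": True, "dll": STAGE + "helper.dll", "dll_signed": False},
    {"type": "image_load", "pid": 4120, "image": STAGE + "viewer.exe",
     "image_signed": True, "dll": "C:\\Windows\\System32\\kernel32.dll",
     "dll_signed": True},
    {"type": "image_load", "pid": 900, "image": "C:\\Windows\\System32\\notepad.exe",
     "image_signed": True, "dll": "C:\\Windows\\System32\\user32.dll", "dll_signed": True},
] + [
    {"type": "process_terminate", "pid": 4120, "image": STAGE + "viewer.exe",
     "target": "C:\\Windows\\System32\\rundll32.exe"} for _ in range(4)
] + [
    {"type": "process_terminate", "pid": 900, "image": "C:\\Windows\\System32\\notepad.exe",
     "target": "C:\\Windows\\System32\\rundll32.exe"}
]

if __name__ == "__main__":
    print("side-loading:", find_sideloading(SAMPLE_EVENTS))
    print("rundll32 kills:", find_rundll32_kills(SAMPLE_EVENTS))
```

Only the staged viewer.exe trips both rules; the single rundll32.exe exit attributed to notepad.exe stays below the threshold, which is what keeps the second rule from firing on ordinary process churn.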

FatalRAT is a feature-packed trojan that can log keystrokes, corrupt the Master Boot Record (MBR), turn on/off the screen, search and delete user data in browsers, download additional software, perform file operations, start/stop a proxy, and terminate arbitrary processes.

While the identity of the attackers is currently unknown, Kaspersky has assessed with medium confidence that a Chinese-speaking threat actor is behind the campaign, based on the consistent use of Chinese-language services and interfaces throughout the attack.

The researchers noted that FatalRAT’s functionality gives an attacker almost unlimited options for developing an attack, including spreading over a network, installing remote administration tools, manipulating devices, and stealing or deleting confidential information.

The consistent use of Chinese-language services and interfaces throughout the attack suggests that a Chinese-speaking actor may be involved, and the overlaps in tactics and tooling with other campaigns indicate that they may be related.
