Chinese malware is flooding GitHub pages - HiddenGh0st, Winos and kkRAT hit devs via SEO poisoning

6 hours ago 3

Trojan horse on top of blocks of hexadecimal programming codes. 3D illustration of the concept of online hacking, computer spyware, malware and ransomware.

(Image credit: Shutterstock)

Chinese users are being targeted by malware campaigns using spoofed download sites and SEO poisoning
kkRAT features advanced capabilities including clipboard hijacking, remote monitoring, and antivirus evasion
Attackers exploited GitHub Pages to host phishing sites

Chinese users looking to download popular browsers and communications software are being targeted by different malware variants, granting attackers remote access capabilities. This is according to multiple cybersecurity organizations, including Fortinet FortiGuard Labs, and Zscaler ThreatLabz.

The former discovered an SEO poisoning campaign to deliver two Remote Access Trojans (RAT) - HiddenGh0st, and Winos - both variants of the infamous Gh0st RAT.

In the campaign, the threat actors created spoofed download pages for programs such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office, on typosquatted domains.

Stealing crypto and disabling AV

They then manipulated search rankings using different SEO plugins to trick people searching for these programs into visiting the wrong sites. The download seemingly deploys the wanted program, but the installer is trojanized, also serving one of the above-mentioned trojans.

At the same time, researchers from Zscaler observed a previously unknown trojan, called kkRAT, being disseminated. This campaign started in May this year and also includes Winos and FatalRAT.

kkRAT’s code is similar to that of Gh0st RAT and Big Bad Wolf, Zscaler explained: “kkRAT employs a network communication protocol similar to Ghost RAT, with an added encryption layer after data compression. The RAT's features include clipboard manipulation to replace cryptocurrency addresses and the deployment of remote monitoring tools (i.e. Sunlogin, GotoHTTP)."

It is also capable of killing antivirus software before running any malicious activity, to better hide its presence. Among the AV solutions targeted by the trojan are 360 Internet Security suite, 360 Total Security, HeroBravo System Diagnostics suite, and others.

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Unlike Fortinet’s discovery, in this campaign the phishing sites are hosted on GitHub pages, leaning into the trust that the platform enjoys with its community to distribute the trojans. The GitHub account used in this campaign has since been terminated.

Via The Hacker News

CISA is warning of a worrying Git security flaw, so stay alert
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read Entire Article