Full Report
Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware called FatalRAT. "The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure," Kaspersky ICS CERT said in a Monday
Analysis Summary
# Threat Actor: Undetermined Chinese-Speaking Actor (Associated with FatalRAT activity)
## Attribution & Identity
* **Attribution:** Assessed with medium confidence to be a Chinese-speaking threat actor by Kaspersky ICS CERT.
* **Associated Groups/Aliases:** Tactical overlaps suggest a possible relationship with campaigns attributed to **Silver Fox APT**.
## Activity Summary
The threat actor is actively engaged in sophisticated, multi-stage phishing campaigns targeting industrial and governmental entities primarily in the Asia-Pacific (APAC) region. The primary goal appears to be the deployment of the FatalRAT backdoor. Recent activity leveraged legitimate Chinese cloud services for C2 and payload delivery. Previous FatalRAT campaigns have utilized bogus Google Ads and broader email phishing lures encompassing other malware like Gh0st RAT, Purple Fox, and ValleyRAT.
## Tactics, Techniques & Procedures
* **Delivery:** Phishing emails containing ZIP archives with Chinese-language filenames.
* **Evasion/Obfuscation:** Employment of a sophisticated, multi-stage payload delivery framework for evasion.
* **Initial Execution/Staging:** Launching the first-stage loader, which retrieves subsequent components (DLL file and FatalRAT configurator) from **Youdao Cloud Notes**.
* **C2 Communication/Payload Retrieval:** Configuration information is downloaded from `note.youdao[.]com`. The main FatalRAT payload is downloaded from a server hosted on `myqcloud[.]com`.
* **Techniques:**
  * Use of **DLL side-loading techniques** during the infection sequence.
  * Pairing legitimate (signed) binaries with malicious DLLs (the "black and white method") to mask activity.
  * Displaying a fake error message after downloading the payload to avoid suspicion.
* **Malware Execution:** Performs 17 checks to detect execution within a virtual machine or sandbox environment before proceeding.
* **Persistence/Cleanup:** Terminates all instances of the `rundll32.exe` process.
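The staging chain listed above (configuration from `note.youdao[.]com`, then the payload from a host under `myqcloud[.]com`) is hard to detect on a single connection, because both services are legitimate. The following Python script is an added example, not code from Kaspersky ICS CERT or from the summarized article, of how a defender can correlate the two steps in web-proxy logs: it only raises a finding when, on one host, a non-browser process contacts the staging domain and the same host then reaches a `myqcloud.com` host within a short window. The log-line format, host names, process names, URIs and the payload hostname are all constructed for this example.

```python
"""Correlate proxy-log events for the staged delivery chain listed above.

A single connection to note.youdao.com or myqcloud.com proves nothing; this
example pairs a non-browser staging fetch with a later myqcloud.com download
on the same host. The log format, host names, process names, URIs and the
payload hostname below are constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Domains named in the report (defanging brackets removed).
STAGING_DOMAINS = {"note.youdao.com"}
PAYLOAD_DOMAIN_SUFFIXES = (".myqcloud.com",)
# Processes that legitimately talk to these services all day; skip them.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# The staging fetch and the payload download should be close together in time.
CORRELATION_WINDOW = timedelta(minutes=10)

# Constructed log line format: "<ISO timestamp> host=<name> proc=<image> dst=<fqdn> uri=<path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) uri=(?P<uri>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    proc: str
    dst: str
    uri: str


def parse_line(line: str) -> Event | None:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"],
                 m["proc"].lower(), m["dst"].lower(), m["uri"])


def is_staging(ev: Event) -> bool:
    return ev.dst in STAGING_DOMAINS


def is_payload(ev: Event) -> bool:
    return ev.dst.endswith(PAYLOAD_DOMAIN_SUFFIXES)


def find_staged_chains(lines: list[str]) -> list[tuple[str, Event, Event]]:
    """Return (host, staging_event, payload_event) for every correlated chain.

    Only non-browser processes are considered, and events are grouped per host
    so a staging fetch on one machine is never paired with a download on another.
    """
    per_host: dict[str, list[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.proc in BROWSER_PROCESSES:
            continue
        if is_staging(ev) or is_payload(ev):
            per_host[ev.host].append(ev)

    chains = []
    for host, events in per_host.items():
        events.sort(key=lambda e: e.ts)
        for i, stage in enumerate(events):
            if not is_staging(stage):
                continue
            for later in events[i + 1:]:
                if later.ts - stage.ts > CORRELATION_WINDOW:
                    break
                if is_payload(later):
                    chains.append((host, stage, later))
                    break
    return chains


# Constructed sample log: a browser user (ws01), one staged chain (ws02),
# a lone cloud download (ws03) and a pair outside the window (ws04).
SAMPLE_LOG = [
    "2025-02-24T08:55:10 host=ws01 proc=chrome.exe dst=note.youdao.com uri=/",
    "2025-02-24T08:56:02 host=ws01 proc=chrome.exe dst=files.myqcloud.com uri=/doc.pdf",
    "2025-02-24T09:00:00 host=ws02 proc=invoice.exe dst=note.youdao.com uri=/example-note",
    "2025-02-24T09:02:31 host=ws02 proc=invoice.exe dst=example-bucket.cos.myqcloud.com uri=/payload.bin",
    "2025-02-24T09:10:00 host=ws03 proc=backup-agent.exe dst=backup.myqcloud.com uri=/snapshot",
    "2025-02-24T10:00:00 host=ws04 proc=loader.exe dst=note.youdao.com uri=/example-note",
    "2025-02-24T10:30:00 host=ws04 proc=loader.exe dst=example-bucket.cos.myqcloud.com uri=/payload.bin",
]

if __name__ == "__main__":
    for host, stage, payload in find_staged_chains(SAMPLE_LOG):
        print(f"[ALERT] {host}: {stage.proc} fetched {stage.dst}{stage.uri} at {stage.ts:%H:%M:%S}, "
              f"then {payload.dst}{payload.uri} at {payload.ts:%H:%M:%S}")
```

Run against the constructed sample, only `ws02` is reported: `ws01` is excluded because a browser made the requests, `ws03` never touched the staging domain, and `ws04` fetched the payload outside the correlation window. Tune `BROWSER_PROCESSES` and `CORRELATION_WINDOW` to the environment; the loader's own fake error message (noted in the TTPs above) means the user is unlikely to report the download, so this correlation is often the earliest signal.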
## Targeting
* **Sectors:** Government agencies, Manufacturing, Construction, Information Technology, Telecommunications, Healthcare, Power and Energy, Large-scale Logistics and Transportation.
* **Geography:** Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong (APAC region).
* **Victims:** Industrial organizations and government agencies.
* **Lures:** Attachments and context suggest the campaign is specifically designed to go after **Chinese-speaking individuals**.
## Tools & Infrastructure
* **Malware Families Used:**
  * **FatalRAT** (primary payload/backdoor)
  * Gh0st RAT, Purple Fox, ValleyRAT (mentioned in previous related campaigns)
* **Infrastructure:**
  * Legitimate Chinese cloud CDN: `myqcloud[.]com`
  * Note service used for staging: **Youdao Cloud Notes**
  * Configuration retrieval from: `note.youdao[.]com`
* **FatalRAT Capabilities:** Keystroke logging, MBR corruption, screen on/off control, browser data exfiltration (Chrome, IE), downloading remote-access tools (AnyDesk, UltraViewer), file operations, proxy management, and arbitrary process termination.
## Implications
The actor demonstrates a high degree of technical sophistication by utilizing legitimate, trusted Chinese cloud services (Youdao, myqcloud) as part of its infection chain, specifically to deliver multi-stage payloads and evade detection. The comprehensive capabilities of FatalRAT suggest the actor seeks deep, long-term access for espionage, data theft, and full system compromise across critical APAC infrastructure sectors. The consistent targeting of Chinese-speaking individuals points toward a specific geopolitical or economic motive.
## Mitigations
* Implement robust email filtering to block known malicious attachments (e.g., ZIP archives) and monitor for suspicious sender addresses and Chinese-language attachment names of the kind used as lures in this campaign.
* Monitor network traffic for connections to known C2 domains or requests for DLLs/configuration files hosted on legitimate, but abused, cloud services like Youdao Cloud Notes.
* Deploy Endpoint Detection and Response (EDR) solutions capable of detecting DLL side-loading techniques and in-memory execution of payloads.
* Ensure security solutions actively check for and block system manipulation activities, such as MBR corruption attempts.
* Apply strict application control policies to limit the execution of unsigned DLLs or unusual execution chains involving `rundll32.exe`.
* Maintain updated behavioral detection rules to recognize FatalRAT’s VM/sandbox evasion checks.
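Two of the mitigations above (EDR detection of DLL side-loading, and application control over unsigned DLLs and unusual `rundll32.exe` chains) reduce to checks on image-load telemetry. The Python script below is an added example, not code from the report or the article, that triages such events: it flags a signed executable that resolves a Windows system DLL name from its own directory, an unsigned DLL loaded by a signed process, and `rundll32.exe` executing a DLL from a user-writable path. The event shape, signer names, paths and the small list standing in for a System32 DLL inventory are constructed for the example; a real deployment would feed it Sysmon image-load events and an inventory built from `%SystemRoot%\System32`.

```python
"""Triage constructed image-load events for DLL side-loading.

Added example of the endpoint checks behind the EDR and application-control
mitigations above. The event shape, signers, paths and the list standing in
for a System32 inventory are constructed; feed real Sysmon image-load
telemetry and a real %SystemRoot%\\System32 inventory in a deployment.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed stand-in for an inventory of DLL names present under System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wininet.dll"}
# Where Windows keeps those DLLs; loads from here are normal.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an ordinary user can write to; no system DLL belongs here.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ImageLoad:
    process_image: str          # full path of the loading process
    process_signer: str | None  # signer subject, None if unsigned
    dll_path: str               # full path of the loaded DLL
    dll_signer: str | None


def _dir_of(path: str) -> str:
    """Lower-cased directory with a trailing backslash, for prefix comparisons."""
    return str(PureWindowsPath(path).parent).lower() + "\\"


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like side-loading (empty list = benign)."""
    dll_dir = _dir_of(ev.dll_path)
    exe_dir = _dir_of(ev.process_image)
    dll_name = PureWindowsPath(ev.dll_path).name.lower()
    exe_name = PureWindowsPath(ev.process_image).name.lower()

    if dll_dir.startswith(SYSTEM_DIRS):
        return []  # loaded from its legitimate location

    reasons = []
    # The "black and white" pattern: a legitimate EXE finds a DLL with a
    # system DLL's name beside itself before it finds the real one.
    if dll_name in SYSTEM_DLL_NAMES and dll_dir == exe_dir:
        reasons.append("system DLL name resolved from the application's own directory")
    if ev.dll_signer is None and ev.process_signer is not None:
        reasons.append("unsigned DLL loaded by a signed process")
    if exe_name == "rundll32.exe" and dll_dir.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("rundll32.exe executing a DLL from a user-writable path")
    return reasons


def triage(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Return (process_image, severity, reasons) for each flagged event."""
    findings = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            severity = "high" if len(reasons) >= 2 else "medium"
            findings.append((ev.process_image, severity, reasons))
    return findings


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Vendor app loading the real version.dll from System32: benign.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor Ltd",
              r"C:\Windows\System32\version.dll", "Microsoft Windows"),
    # Vendor app loading its own signed helper DLL: benign.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", "Vendor Ltd",
              r"C:\Program Files\Vendor\vendor_core.dll", "Vendor Ltd"),
    # Signed viewer extracted from a ZIP next to an unsigned version.dll: side-loading pattern.
    ImageLoad(r"C:\Users\alice\Downloads\报价单\viewer.exe", "Legit Software Co",
              r"C:\Users\alice\Downloads\报价单\version.dll", None),
    # rundll32.exe running an unsigned DLL out of ProgramData.
    ImageLoad(r"C:\Windows\System32\rundll32.exe", "Microsoft Windows",
              r"C:\ProgramData\update\helper.dll", None),
]

if __name__ == "__main__":
    for image, severity, reasons in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {image}: " + "; ".join(reasons))
```

On the constructed sample the two benign vendor loads produce no finding, while the dropped viewer and the `rundll32.exe` case each trigger two reasons and are rated high. In an application-control policy the same conditions map onto rules: deny unsigned DLLs for signed processes, and deny `rundll32.exe` loading from user-writable directories, which also covers the `rundll32.exe` cleanup behaviour listed in the TTPs.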