Full Report
Cybersecurity researchers are warning of a new phishing campaign that's targeting users in Taiwan with malware families such as HoldingHands RAT and Gh0stCringe. The activity is part of a broader campaign that delivered the Winos 4.0 malware framework earlier this January by sending phishing messages impersonating Taiwan's National Taxation Bureau, Fortinet FortiGuard Labs said in a report.
Analysis Summary
# Threat Actor: Silver Fox APT
## Attribution & Identity
The threat actor is identified as **Silver Fox APT**. The article notes that the malware families (HoldingHands RAT and Gh0stCringe) are variants of the Gh0st RAT, which is widely utilized by **Chinese hacking groups**.
## Activity Summary
Silver Fox APT is currently engaged in a phishing campaign specifically targeting users in **Taiwan**. This activity is part of a broader evolution by the group, which was previously observed running campaigns using the **Winos 4.0** malware framework in January of the same year. The current campaign focuses on delivering sophisticated RAT malware, namely **Gh0stCringe** and a variant of **HoldingHands RAT**, via malicious email attachments.
## Tactics, Techniques & Procedures
- **Initial Access via Phishing:** Emails masquerade as official communications from government bodies or business partners, using lures related to taxes, invoices, and pensions to encourage opening attachments.
- **Delivery via Documents:** Malware is delivered through malicious PDF documents or ZIP files contained within phishing emails.
- **Alternative Initial Access:** Some chains involve an embedded image that, when clicked, initiates the download of malware.
- **Multi-stage Infection:** Utilizes complex chains built from shellcode loaders and shellcode that is decrypted at runtime to yield DLL payloads.
- **DLL Sideloading:** Deploys malicious DLLs that are sideloaded by legitimate binaries.
- **Host Evasion/Persistence:** Intermediate payloads incorporate **anti-VM checks** and techniques for **privilege escalation**.
- **C2 Communications:** The final payload, identified as "msgDb.dat," implements command-and-control functions for data exfiltration and remote access.
## Targeting
- Sectors: General users/organizations targeted via lures referencing government/taxation (impersonating Taiwan's National Taxation Bureau) and general business communications.
- Geography: **Taiwan**.
- Victims: Not specified beyond the general targeting of users in Taiwan via phishing.
## Tools & Infrastructure
- Malware families used:
  - **HoldingHands RAT** (a variant of **Gh0st RAT**)
  - **Gh0stCringe** (a variant of **Gh0st RAT**)
  - **Winos 4.0** (observed in earlier activity)
- Infrastructure:
  - Targets are redirected via links within PDF documents to dedicated **document download HTM pages** hosting the ZIP archive payload.
  - Command-and-control (C2) functions are implemented within the final dropper component ("msgDb.dat").
## Implications
Silver Fox APT demonstrates continuous evolution in both its malware framework (moving between Winos 4.0, HoldingHands, and Gh0stCringe) and its distribution strategies. The use of multi-stage infection chains involving DLL sideloading and anti-VM measures indicates a mature adversary group focused on deep persistence and evasion on compromised Taiwanese networks.
## Mitigations
- Enhance email security filters to detect and block phishing attempts using tax/invoice/pension lures.
- Implement strict controls over the execution of downloaded content, especially from PDFs and ZIP archives.
- Deploy robust endpoint detection and response (EDR) capable of detecting shellcode execution, DLL sideloading activity, and anti-VM checks.
- Harden systems against privilege escalation techniques often employed by advanced threats.
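The DLL-sideloading and "msgDb.dat" indicators above can be turned into a simple triage check over endpoint telemetry. The following is an added example, not code from the Fortinet report or the article; the event shape, field names and sample paths are constructed assumptions modelled on Sysmon image-load and file-create records.

```python
# Added example: heuristic triage for DLL sideloading and the "msgDb.dat"
# artifact over constructed, Sysmon-style telemetry (not the report's code).
from dataclasses import dataclass

# Directories a phished user can write to (assumed list, lower-cased fragments)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class ImageLoad:
    process_image: str   # full path of the process that loaded the DLL
    image_loaded: str    # full path of the DLL that was loaded
    signed: bool         # whether the DLL carries a valid signature

def directory(path: str) -> str:
    """Lower-cased parent directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Flag an unsigned DLL loaded by an executable from its own directory
    when that directory is user-writable: the classic sideloading layout
    produced by an extracted ZIP archive."""
    dll_dir = directory(ev.image_loaded)
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    same_dir = dll_dir == directory(ev.process_image)
    writable = any(tag in dll_dir for tag in USER_WRITABLE)
    return same_dir and writable and not ev.signed

def is_payload_artifact(path: str) -> bool:
    """Match the final payload name given in the report; a name match is a
    weak indicator on its own, so pair it with the sideload check above."""
    return path.lower().rsplit("\\", 1)[-1] == "msgdb.dat"

# Constructed sample events (not real telemetry)
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\extracted\legit.exe",
              r"C:\Users\victim\AppData\Local\Temp\extracted\helper.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\app.dll", True),
]
SAMPLE_FILES = [r"C:\Users\victim\AppData\Roaming\msgDb.dat", r"C:\Windows\System32\msvcrt.dll"]

def triage(loads, files):
    """Return the events worth an analyst's attention, grouped by indicator."""
    return {
        "sideload": [e.image_loaded for e in loads if is_sideload_candidate(e)],
        "artifact": [f for f in files if is_payload_artifact(f)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOADS, SAMPLE_FILES))
```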