Silver Fox Group Uses Fake Software Sites to Deploy Sainbox RAT and Hidden Rootkit

A new campaign attributed to the Chinese threat group Silver Fox (also tracked as Void Arachne) has been uncovered. It uses fake websites advertising popular software such as WPS Office to deliver the Sainbox Remote Access Trojan (RAT) together with the open-source Hidden rootkit.


The phishing sites, such as "wpsice[.]com," distribute malicious MSI installers in Chinese, targeting Chinese-speaking users. According to Netskope Threat Labs researcher Leandro Fróes, the malware includes Sainbox RAT, a variant of Gh0st RAT, and the Hidden rootkit.

This tactic is not new for Silver Fox; previous campaigns have targeted Chinese users with fake Google Chrome sites and other bogus platforms to deliver similar malware.


In the latest attack, the malicious installer drops and runs a legitimate executable, "shine.exe," which sideloads a rogue DLL named "libcef.dll" from the same directory. That DLL reads shellcode from a text file dropped alongside it and ultimately deploys the Sainbox RAT.
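The chain above has two tell-tale artifacts a defender can hunt for: a known library name (libcef.dll) loaded unsigned from the loading executable's own folder instead of a system directory, and a ".txt" file whose contents are far too dense to be text. The script below is an added example written for this article, not code from Netskope or from the campaign itself. It runs a simple side-loading check over constructed, Sysmon-style image-load events and an entropy check over constructed file contents; the log line format, the extra watched DLL names beyond libcef.dll, and the 6.0 bits-per-byte threshold are assumptions chosen for illustration, and the logic generalizes to any watched library name, not just the one in this campaign.

```python
"""Hunt for DLL side-loading and hidden payload files.

Added example for the Silver Fox / Sainbox article. Everything here
(log format, sample events, thresholds) is constructed for illustration.
"""
import math
import ntpath
from dataclasses import dataclass


@dataclass
class ImageLoad:
    """One DLL-load event, modelled loosely on Sysmon Event ID 7 fields."""
    image: str             # the process that loaded the DLL
    image_loaded: str      # full path of the DLL that was mapped
    signed: bool           # whether the DLL carries an Authenticode signature
    signature_status: str  # e.g. "Valid", "Unavailable", "Expired"


# libcef.dll is the name abused in the article; the other names are
# assumptions added so the same check covers other commonly hijacked names.
WATCHED_DLLS = {"libcef.dll", "version.dll", "dbghelp.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_event(line: str) -> ImageLoad:
    """Parse a simplified 'Key=Value|Key=Value' log line (constructed format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        signature_status=fields["SignatureStatus"],
    )


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a watched DLL name is loaded from the loading executable's
    own directory (not a Windows system directory) without a valid signature.
    That is the classic side-loading shape: trusted EXE, untrusted DLL beside it."""
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if dll_name not in WATCHED_DLLS:
        return False
    dll_dir = ntpath.dirname(ev.image_loaded).lower() + "\\"
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    exe_dir = ntpath.dirname(ev.image).lower() + "\\"
    properly_signed = ev.signed and ev.signature_status == "Valid"
    return dll_dir == exe_dir and not properly_signed


def find_sideloads(lines) -> list:
    """Return the DLL paths flagged across a batch of log lines."""
    return [ev.image_loaded for ev in map(parse_event, lines)
            if is_sideload_candidate(ev)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for a uniform byte distribution, roughly 4-5 for prose."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_hidden_payload(data: bytes, threshold: float = 6.0) -> bool:
    """Flag a '.txt' whose content is too dense to be plain text (assumed threshold)."""
    return shannon_entropy(data) >= threshold


# Constructed sample events. The first mirrors the chain in the article:
# shine.exe loading an unsigned libcef.dll from its own folder.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\u\\AppData\\Local\\Temp\\WPS\\shine.exe|ImageLoaded=C:\\Users\\u\\AppData\\Local\\Temp\\WPS\\libcef.dll|Signed=false|SignatureStatus=Unavailable",
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Program Files\\Vendor\\libcef.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\version.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\u\\Downloads\\tool\\tool.exe|ImageLoaded=C:\\Users\\u\\Downloads\\tool\\version.dll|Signed=false|SignatureStatus=Unavailable",
]

# Constructed stand-ins for a dropped ".txt": a uniform byte blob versus prose.
FAKE_SHELLCODE_TXT = bytes(range(256)) * 16
REAL_TEXT = b"This file contains nothing but ordinary English prose." * 20

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("possible side-load:", path)
    print("payload-like text file:", looks_like_hidden_payload(FAKE_SHELLCODE_TXT))
    print("ordinary text file:", looks_like_hidden_payload(REAL_TEXT))
```

A signed-and-valid libcef.dll next to a vendor's own application is exactly what a legitimate Chromium Embedded Framework deployment looks like, so the signature check is what keeps this from firing on every CEF-based app; the entropy check is only a triage hint, since a base64-encoded blob sits around 6 bits per byte and a hex-encoded one around 4.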

The Sainbox RAT can download additional payloads and steal data, while the Hidden rootkit conceals the malware's processes and registry keys from inspection. Relying on an existing Gh0st RAT variant and an open-source rootkit lets the attackers keep persistent, stealthy access without investing in extensive custom tooling.