Wednesday, March 12, 2025

Malware Delivered via Weaponized Signal, Line, and Gmail Apps Alters System Defenses

A cyberattack campaign targets Chinese-speaking users with fake apps that deliver malware to alter system defenses and exfiltrate data.

A sophisticated cyberattack campaign targeting Chinese-speaking users has seen cybercriminals weaponizing fake versions of popular apps such as Signal, Line, and Gmail. These malicious applications are distributed through deceptive download pages that deliver malware designed to alter system defenses, evade detection, and steal sensitive data.

The attackers manipulate search engine results to push fraudulent websites that closely resemble legitimate software sources, tricking unsuspecting users into downloading compromised files. The malicious files are typically packaged in ZIP archives containing Windows executables. Once executed, the malware follows a predictable pattern: extracting temporary files, injecting processes, modifying security settings, and establishing network communications.

Researchers at Hunt.io identified a fake Signal download page at z1.xiaowu[.]pw, which delivers a file named Sriguoei4.zip. Similarly, the spoofed Gmail page at ggyxx.wenxinzhineng[.]top tricks users into downloading Goongeurut.zip, which installs a fake application called “Gmail Notifier Pro.”

Execution and System Modification

Upon execution, the malware uses advanced techniques to manipulate system defenses. A key example is the use of PowerShell commands to effectively disable Windows Defender by excluding the entire C: drive from scanning, leaving the system open to further exploitation. The command used is:

powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"

Additionally, the malware drops a secondary executable, such as svrnezcm.exe, into deeply nested directories within the AppData folder:

C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe

This executable spawns more processes and communicates with command-and-control (C2) servers hosted on Alibaba infrastructure in Hong Kong. Examples of suspicious activity include DNS queries to zhzcm.star1ine[.]com and outbound TCP connections to 8.210.9[.]4 on port 45, suggesting data exfiltration or remote control operations.

Infrastructure and Security Measures

The attackers rely on centralized infrastructure hosted at the IP address 47.243.192[.]62, which resolves to several malicious domains. To add legitimacy to their operations, they use Let’s Encrypt TLS certificates to secure their fake websites.
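As an added example (my own code, not from the Hunt.io research or this article), the following Python triage routine applies the three behaviours described above to constructed log records: the drive-root Defender exclusion, the deeply nested hex-named AppData drop path, and connections to the C2 indicators quoted in the article. The event-tuple shape and the regular expressions are assumptions about how such records would reach a SOC pipeline.

```python
import re

# Indicators quoted in the article (defanged there; written plainly here so they match).
C2_DOMAINS = {"zhzcm.star1ine.com"}
C2_IPS = {"8.210.9.4", "47.243.192.62"}

# Add-MpPreference -ExclusionPath followed by a bare drive root such as C:\ or 'C:\'
# (a sub-folder exclusion like 'C:\Program Files\MyApp' must not trigger this).
DRIVE_ROOT_EXCLUSION = re.compile(
    r"Add-MpPreference\s+-ExclusionPath\s+['\"]?[A-Za-z]:\\?['\"]*(?=\s|$)", re.IGNORECASE)

# An .exe under AppData\Roaming beneath three or more directories whose names are pure hex,
# modelled on the article's sample path 41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe
NESTED_HEX_DROP = re.compile(
    r"\\AppData\\Roaming(?:\\[0-9a-f]{6,12}){3,}\\[^\\]+\.exe$", re.IGNORECASE)


def check_powershell(command: str) -> bool:
    """True if the command excludes an entire drive from Defender scanning."""
    return DRIVE_ROOT_EXCLUSION.search(command) is not None


def check_image_path(path: str) -> bool:
    """True if an executable sits in a nested chain of hex-named AppData folders."""
    return NESTED_HEX_DROP.search(path) is not None


def check_network(dest: str) -> bool:
    """True if the destination host or IP is one of the article's C2 indicators."""
    return dest.lower() in C2_DOMAINS or dest in C2_IPS


def triage(events):
    """events: list of (kind, value) tuples; returns (rule_name, value) hits in order."""
    hits = []
    for kind, value in events:
        if kind == "powershell" and check_powershell(value):
            hits.append(("defender_drive_exclusion", value))
        elif kind == "process" and check_image_path(value):
            hits.append(("nested_appdata_dropper", value))
        elif kind == "network" and check_network(value):
            hits.append(("known_c2", value))
    return hits


# Constructed sample events shaped after the article's indicators (not real log data).
SAMPLE_EVENTS = [
    ("powershell", "powershell -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""),
    ("powershell", "Add-MpPreference -ExclusionPath 'C:\\Program Files\\MyApp'"),
    ("process", r"C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe"),
    ("process", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\firefox.exe"),
    ("network", "zhzcm.star1ine.com"),
    ("network", "8.210.9.4"),
    ("network", "example.com"),
]

if __name__ == "__main__":
    for rule, value in triage(SAMPLE_EVENTS):
        print(f"{rule}: {value}")
```

The drive-root regex deliberately ignores sub-folder exclusions, which are common and legitimate; only a whole-drive exclusion matches.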

Recommendations for Users

This campaign underscores the critical importance of verifying software sources and avoiding unofficial download sites. Users should stay vigilant against suspicious domains and use trusted platforms for software installations to effectively mitigate such cyber threats.

Fintter Security (https://fintter.com)