Financially Motivated Hacks by Chinese-Speaking Actors Surge
These Hackers May Equal or Surpass Threat Posed by Russian Hackers, Researchers Say
Chinese-speaking hackers associated with criminal activity have redoubled efforts to target compatriots with malware to remotely control victim computers, pointing to a worrying surge in financially driven activity in the Sino cyber underworld.
Researchers at Proofpoint said they've spotted a "minor resurgence" of the Sainbox remote access Trojan as well as a newly identified Trojan they dub "ValleyRAT" being delivered through emails usually written in Chinese. The lures typically relate to business themes such as invoices, payments and new products, and the malware is hidden in Excel documents and PDFs or malicious links. Sainbox, also known as FatalRAT, is a variant of the commodity malware Gh0st RAT, which researchers first identified in 2008.
The emergence of novel and older Chinese-themed malware suggests that financially motivated Chinese hackers may come to equal or surpass the threat posed by Russian hackers, Proofpoint said. Western nations routinely accuse Russia of permitting a criminal underground to fester inside its borders (see: Western Capitals Riled by Russian Hacking).
The United States associates Chinese hacking more closely with cyberespionage and intellectual property theft, although some state-sponsored hackers have moonlighted by conducting financially motivated attacks on the side.
One reason for Proofpoint's warning over the mounting threat of Sino criminal hacking is that the Trojans showing up in the inboxes of Chinese speakers don't appear to come from a single entity but rather "a cluster of activity." It's possible that multiple threat actors are using the same infrastructure to deliver multiple malware families, Proofpoint said. Further, "these recently identified activity clusters have demonstrated flexible delivery methods, leveraging both simple and moderately complex techniques."
In all, Proofpoint observed more than 30 separate campaigns "leveraging malware typically associated with Chinese cybercrime activity." Besides Sainbox and the novel ValleyRAT, researchers also saw hackers deploying Purple Fox malware.
Hackers behind the activity also appear to have ambitions to branch out from Chinese-speaking victims. In one campaign, they targeted Japanese organizations.