
"Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022. It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity."
"Specifically, opening the PDF attachment takes the recipient to the "ggwk[.]cc" domain, from where a ZIP file ("tax affairs.zip") is downloaded. Present within the archive is a Nullsoft Scriptable Install System (NSIS) installer of the same name ("tax affairs.exe"), which, in turn, leverages a legitimate executable associated with Thunder ("thunder.exe"), a download manager for Windows developed by Xunlei, and a rogue DLL ("libexpat.dll""
Silver Fox targeted India with income tax-themed phishing to distribute the modular ValleyRAT (Winos 4.0). Phishing emails contained decoy PDFs that redirected recipients to ggwk[.]cc, where a ZIP named "tax affairs.zip" was downloaded. The archive included an NSIS installer ("tax affairs.exe") that invoked a legitimate Thunder executable ("thunder.exe") and a rogue libexpat.dll to enable DLL hijacking. The kill chain provides persistence through modular RAT functionality and DLL hijacking. Silver Fox, active since 2022, pursues espionage, intelligence collection, financial gain, cryptocurrency mining, and disruption, and has broadened targets across public, financial, medical, and technology sectors.
Read at The Hacker News