Silver Fox APT (also tracked as Void Arachne) has intensified cyberattacks against Taiwan using malware from the Gh0st RAT family, chiefly Winos 4.0 and ValleyRAT. Recent reports do not name “Gh0stCringe” or “HoldingHands RAT” explicitly, but the group’s tooling and tactics are consistent with this evolving line of Gh0st RAT derivatives.
Campaign Overview
- Primary Targets: Taiwanese government agencies, industrial sectors (energy, logistics), and healthcare institutions.
- Delivery Methods: Phishing emails impersonating Taiwan’s National Taxation Bureau, trojanized medical imaging software (Philips DICOM viewers), and malicious gaming applications.
Malware Tools
- Winos 4.0/ValleyRAT: Remote access trojans (RATs) derived from Gh0st RAT; capabilities include data theft, screen capture, keylogging, and deployment of crypto-miners.
- Nidhogg Rootkit: An open-source kernel-mode rootkit deployed alongside Winos 4.0 to hide the implant and evade detection.
- TrueSightKiller: An AV/EDR killer that abuses a legitimately signed but vulnerable driver (bring-your-own-vulnerable-driver, BYOVD) to terminate antivirus and EDR processes from kernel mode.
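Because a BYOVD driver such as the one TrueSightKiller loads is validly signed, a signature check alone will not catch it; the load has to be judged by hash, file name and location. The following is an added example (not code from any vendor report or from the Silver Fox tooling) that applies those checks to Sysmon DriverLoad (Event ID 6) records. The records, hostnames and digests are constructed for the example; the placeholder digest stands in for a real vulnerable-driver blocklist, and the driver name truesight.sys comes from public reporting on TrueSightKiller rather than from this page.

```python
import ntpath
import re

# Digests of drivers on a vulnerable-driver list. The entry here is a placeholder
# (an assumption for the example); in real use populate it from Microsoft's
# vulnerable driver blocklist or the LOLDrivers project.
VULNERABLE_DRIVER_SHA256 = {"0" * 64}
# Driver file names that public reporting ties to AV/EDR-killer tooling such as
# TrueSightKiller (truesight.sys is taken from that reporting, not from this page).
SUSPECT_DRIVER_NAMES = {"truesight.sys"}
# Legitimate drivers almost always load from here; anything else deserves a look.
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\drivers\\", re.IGNORECASE)


def parse_hashes(field: str) -> dict:
    """Sysmon writes 'SHA256=...,IMPHASH=...'; return {algorithm: lowercase digest}."""
    hashes = {}
    for part in field.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            hashes[algo.strip().upper()] = value.strip().lower()
    return hashes


def assess(event: dict) -> list[str]:
    """Return the reasons a DriverLoad record looks like a BYOVD attempt (empty if none)."""
    image = event.get("ImageLoaded", "")
    name = ntpath.basename(image).lower()
    digests = parse_hashes(event.get("Hashes", ""))
    reasons = []
    if digests.get("SHA256") in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash-on-vulnerable-driver-list")
    if name in SUSPECT_DRIVER_NAMES:
        reasons.append("name-linked-to-av-killer")
    if not TRUSTED_DIR_RE.match(image):
        reasons.append("loaded-outside-drivers-dir")
    # A BYOVD driver is validly signed by design, so this check alone will not catch it.
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature-not-valid")
    return reasons


def find_byovd(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (ImageLoaded, reasons) for every record with at least one reason."""
    return [(ev["ImageLoaded"], r) for ev in events if (r := assess(ev))]


# Constructed Sysmon Event ID 6 records using Sysmon's field names. The digests are
# placeholders and the paths are invented for the example.
SAMPLE_EVENTS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\Users\\Public\\truesight.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": "C:\\ProgramData\\upd\\helper.sys",
     "Hashes": "SHA256=" + "2" * 64, "Signed": "false", "SignatureStatus": "Unsigned"},
]

if __name__ == "__main__":
    for image, reasons in find_byovd(SAMPLE_EVENTS):
        print(image, reasons)
```

The second record is the BYOVD case: it passes the signature check and is caught only by the blocklist hash, the file name and the load path, which is why all three should feed the same alert.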
Key Attack Chains
- Tax Bureau Phishing Campaign:
  - Emails impersonate Taiwan’s National Taxation Bureau and urge recipients to open malicious attachments labelled as inspection lists.
  - Opening the attachment executes Winos 4.0, which establishes persistence, exfiltrates data, and beacons to C2 servers hosted on Alibaba Cloud.
- Healthcare Sector Exploitation:
  - Trojanized Philips DICOM viewers deliver ValleyRAT, which in turn deploys:
    - Keyloggers: capture credentials and patient data.
    - Crypto miners: hijack system resources for financial gain.
  - Runs PowerShell to weaken Windows Defender (for example, by adding exclusions) and fetches later-stage payloads from cloud storage.
- Gaming and Software Lures:
  - Malicious MSI installers mimic legitimate applications (e.g., Steam games, WPS Office).
  - Targets Chinese-speaking users through SEO-poisoned download links.
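The PowerShell step in the healthcare chain above is one of the few points in these attack chains that leaves a clean host-side signal: PowerShell Script Block Logging (Event ID 4104) records the cmdlets that add Defender exclusions or switch protection off, even when the attacker wraps them in -EncodedCommand. Below is an added example (not code from any report or from the ValleyRAT operators) that flags such script blocks. The records, hostnames, paths and the field names Computer/ScriptBlockText are constructed for the example.

```python
import base64
import binascii
import re

# Cmdlet usage that adds Defender exclusions (paths, processes, extensions, IPs).
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n;|]*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)
# Set-MpPreference -Disable<Feature> $true / 1 switches a protection feature off.
DISABLE_RE = re.compile(
    r"\bSet-MpPreference\b[^\n;|]*?-Disable[A-Za-z]+\s+(?:\$true|1)\b",
    re.IGNORECASE,
)
# Group-policy registry values that turn Defender off entirely.
POLICY_RE = re.compile(
    r"Windows Defender[^\n;|]*?\bDisable(?:AntiSpyware|AntiVirus)\b",
    re.IGNORECASE,
)
# -EncodedCommand (and its short forms) carries base64 of UTF-16LE script text.
ENCODED_RE = re.compile(
    r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def expand_encoded(script: str) -> str:
    """Return the script text with any -EncodedCommand payloads decoded and appended,
    so the signature checks see the real cmdlets rather than the base64 wrapper."""
    decoded = []
    for token in ENCODED_RE.findall(script):
        try:
            decoded.append(base64.b64decode(token, validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; leave the raw text for the checks
    if not decoded:
        return script
    return script + "\n" + "\n".join(decoded)


def classify(script: str) -> list[str]:
    """Return the Defender-tamper categories present in one script block (empty if none)."""
    text = expand_encoded(script)
    tags = []
    if EXCLUSION_RE.search(text):
        tags.append("defender-exclusion-added")
    if DISABLE_RE.search(text):
        tags.append("defender-feature-disabled")
    if POLICY_RE.search(text):
        tags.append("defender-disabled-by-policy")
    return tags


def scan(events: list[dict]) -> list[dict]:
    """Run classify over 4104-style records and return only the records that hit."""
    hits = []
    for ev in events:
        tags = classify(ev["ScriptBlockText"])
        if tags:
            hits.append({"host": ev["Computer"], "tags": tags,
                         "script": ev["ScriptBlockText"][:80]})
    return hits


# Constructed records in the shape of Event ID 4104 (Computer, ScriptBlockText).
# Illustrative only, not telemetry from the campaign; hostnames and paths are invented.
_ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    {"Computer": "IMG-WS01",
     "ScriptBlockText": "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\DICOMViewer' "
                        "-ExclusionProcess 'viewer.exe'"},
    {"Computer": "IMG-WS01",
     "ScriptBlockText": "powershell.exe -NoP -W Hidden -enc " + _ENCODED},
    {"Computer": "IMG-WS02",
     "ScriptBlockText": "Set-ItemProperty 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender' "
                        "-Name DisableAntiSpyware -Value 1"},
    {"Computer": "IMG-WS03",
     "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},        # read-only
    {"Computer": "IMG-WS03",
     "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $false"},   # re-enabling
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["host"], hit["tags"], hit["script"])
```

The two benign records show the boundary: reading the exclusion list and re-enabling real-time monitoring are not flagged, while the encoded command is caught only because the base64 is decoded before the patterns run.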
Technical Sophistication
- Evasion Tactics: Code obfuscation, process injection, and locale checks (the implant terminates if the system language is not Chinese or Vietnamese). The locale check also produces empty detonations in sandboxes running an English locale, so analysts should set a Chinese or Vietnamese locale before running samples.
- Infrastructure: Alibaba Cloud hosts both C2 communication and payload storage, so the traffic blends in with legitimate use of a major regional cloud provider.
- Objectives: Long-term network access, financial data theft (including crypto-mining), and disruption of critical infrastructure.