Analysis of alleged Silver Fox APT attacks

Carding Forum

China's KnownSec404 has published a report on SilverFox, which appears to have shifted its focus from the financial sector to cyber espionage.

Starting in 2022, according to the researchers, Silver Fox has become more active in China, using various channels (mail, phishing sites and instant messengers) to distribute Trojans.

This time, their focus has shifted to cybersecurity institutions and companies, which forces a reassessment of this group's targeting.

The disclosure of the recent Silver Fox attack began with tracking phishing sites and related malicious files.

The group's arsenal included the Winos Trojan, a previously unknown loader (UpdateDll), and the PowerShell obfuscation tool Out-EncodedSpecialCharOnlyCommand.

Moreover, Winos has repeatedly been used by Silver Fox in previous attacks targeting tax and financial employees.

All current Winos samples implement VMP (Virtual Machine Protect) to protect the code. The registry entry that stores the shellcode in this case is "HKCU\Console\huorongniubi".

The functionality and code flow in other parts are almost the same as in earlier versions.

The initial loader sample, originally named Simple_ATL.DLL, works by writing hard-coded data to C:\Windows\system32\UpdateDll.dll and then executing it via rundll32.

The main function exported by UpdateMyDll loads a DLL from the specified address and executes it.

Out-EncodedSpecialCharOnlyCommand is a tool that converts PowerShell script code into code made up purely of special characters, which attackers can use to further obfuscate malicious payloads.

The principle of the tool is to convert PowerShell code into unintelligible character code using a custom character mapping table.
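As an added detection-side example (not from the KnownSec404 report or this post), the following Python scans constructed endpoint telemetry for the three artefacts described above: the Winos shellcode registry key, the UpdateDll.dll load via rundll32, and PowerShell command lines consisting almost entirely of special characters. The log format, the use of UpdateMyDll as the rundll32 entry point, and all sample lines are assumptions.

```python
import re

# Constructed sample events (hypothetical, not real telemetry), one per line:
# "<type>|key=value|key=value". Backslashes are doubled only for Python.
SAMPLE_EVENTS = [
    "process|image=C:\\Windows\\System32\\rundll32.exe"
    "|cmdline=rundll32.exe C:\\Windows\\system32\\UpdateDll.dll,UpdateMyDll",
    "registry|key=HKCU\\Console\\huorongniubi|op=SetValue",
    "process|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell -c ${;}=+$();${=}=${;}+${;};${+}=${=}+${=}",  # constructed
    "process|image=C:\\Windows\\System32\\rundll32.exe"
    "|cmdline=rundll32.exe shell32.dll,Control_RunDLL",  # benign rundll32 use
    "process|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|cmdline=powershell Get-Process",  # benign PowerShell use
]

# Indicators taken from the post; compared case-insensitively.
INDICATOR_DLL = r"c:\windows\system32\updatedll.dll"
INDICATOR_REG = r"hkcu\console\huorongniubi"

def parse_event(line):
    """Split 'type|k=v|k=v' into a dict; partition keeps '=' inside values."""
    parts = line.split("|")
    ev = {"type": parts[0]}
    for kv in parts[1:]:
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev

def special_char_ratio(script):
    """Fraction of non-space characters that are neither letters nor digits."""
    body = script.replace(" ", "")
    if not body:
        return 0.0
    return sum(1 for c in body if not c.isalnum()) / len(body)

def classify(line):
    """Return the list of detection names that fire for one event line."""
    ev = parse_event(line)
    image, cmd, hits = ev.get("image", "").lower(), ev.get("cmdline", ""), []
    if ev["type"] == "registry" and ev.get("key", "").lower() == INDICATOR_REG:
        hits.append("winos_shellcode_registry_key")
    if ev["type"] == "process" and "rundll32" in image and INDICATOR_DLL in cmd.lower():
        hits.append("updatedll_loader_via_rundll32")
    if ev["type"] == "process" and "powershell" in image:
        # Drop the host invocation and its switches; score only the script body.
        body = re.sub(r"^powershell(\.exe)?\s+(-\w+\s+)*", "", cmd, flags=re.I)
        if len(body) >= 20 and special_char_ratio(body) > 0.8:
            hits.append("powershell_special_char_only_obfuscation")
    return hits

def scan(lines):
    """Map each event line that triggers at least one detection to its hits."""
    return {line: classify(line) for line in lines if classify(line)}
```

The length and ratio thresholds are tuning knobs; short legitimate one-liners with many operators will sit below them, but the scoring should be validated against your own PowerShell baseline before use.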

New Winos samples indicate that SilverFox is making additional efforts to counteract analysis and is actively expanding its arsenal, but these samples may also be part of a disguise for another APT.