Summary:
The CleverSoar installer is sophisticated malware targeting Chinese and Vietnamese-speaking users, deploying the Nidhogg rootkit and the Winos4.0 framework for espionage. It employs advanced evasion techniques to ensure successful infection and maintain persistence. This campaign represents a significant threat to individual users, and potentially to organizations, in the targeted regions.
#CleverSoar #Nidhogg #Winos4.0
Key points:
- New malware installer named ‘CleverSoar’ identified targeting Chinese and Vietnamese-speaking victims.
- Deploys Nidhogg rootkit and Winos4.0 framework for keystroke logging and data exfiltration.
- Installer checks user language settings to ensure it only infects targeted regions.
- Initial version uploaded to VirusTotal in July 2024, with distribution peaking in November.
- Utilizes advanced evasion techniques to bypass security measures and maintain persistence.
- Malware creates services and scheduled tasks to ensure continuous operation and control.
- Rapid7 Labs suggests potential links to previous campaigns like ValleyRAT.
- Organizations in affected regions should monitor for suspicious activities related to these TTPs.
MITRE Techniques:
- Command and Control (T1105): Utilizes a command-and-control framework for remote communication.
- Bypass User Account Control (T1562.001): Disables security solutions to facilitate infection.
- Check System Language (T1614.001): Verifies system language to target specific regions.
- Executable File Creation (T1218.007): Drops malicious files using a .msi installer.
- Process Injection (T1055): Writes into the lsass.exe process to execute malicious payloads.
- Create or Modify System Process (T1569.002): Creates a service to run the CleverSoar driver at startup.
- Scheduled Task (T1053): Creates a scheduled task for persistence upon user login.
- Disable Security Tools (T1562.004): Turns off Windows firewall to facilitate further actions.
- Modify Registry (T1112): Creates registry keys to store user information for further exploitation.
- Anti-Debugging (T1622): Implements checks to prevent debugging and analysis of the malware.
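The key points and technique list above describe a chain (msiexec drop, kernel-driver service, logon scheduled task, firewall disabled, lsass write) that is far more telling as a combination than any single step. The following is an added example, not code from the Rapid7 report, that correlates those techniques per host over constructed Sysmon-style events; the event field names, command lines and host names are assumptions made for the illustration, and the technique IDs are taken from the list above.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry) mirroring the TTPs above.
# id 1 = process create, id 10 = process access. Paths and names are made up.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmd": r"msiexec.exe /i C:\Users\u\Downloads\setup.msi /qn", "parent": "explorer.exe"},
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmd": r"sc create drv_svc type= kernel binPath= C:\ProgramData\d.sys start= auto",
     "parent": "msiexec.exe"},
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc onlogon /tn Updater /tr C:\ProgramData\u.exe",
     "parent": "msiexec.exe"},
    {"host": "ws01", "id": 1, "image": r"C:\Windows\System32\netsh.exe",
     "cmd": "netsh advfirewall set allprofiles state off", "parent": "msiexec.exe"},
    {"host": "ws01", "id": 10, "image": r"C:\ProgramData\u.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    # Benign admin activity on another host: one scheduled task, nothing else.
    {"host": "ws02", "id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.exe", "parent": "cmd.exe"},
]

# Each rule: (technique id from the report, predicate over a single event).
RULES = [
    ("T1218.007", lambda e: e["id"] == 1 and e["image"].lower().endswith("msiexec.exe")),
    ("T1569.002", lambda e: e["id"] == 1 and re.search(
        r"\bsc(\.exe)?\s+create\b.*type=\s*kernel", e.get("cmd", ""), re.I)),
    ("T1053", lambda e: e["id"] == 1 and re.search(
        r"\bschtasks(\.exe)?\s+/create\b", e.get("cmd", ""), re.I)),
    ("T1562.004", lambda e: e["id"] == 1 and re.search(
        r"advfirewall\s+set\s+\w+\s+state\s+off", e.get("cmd", ""), re.I)),
    ("T1055", lambda e: e["id"] == 10 and e.get("target", "").lower().endswith("lsass.exe")),
]

def match_ttps(events):
    """Return {host: set of technique ids} for every event that hits a rule."""
    hits = defaultdict(set)
    for e in events:
        for tid, pred in RULES:
            if pred(e):
                hits[e["host"]].add(tid)
    return hits

def flag_hosts(events, min_ttps=3):
    """Hosts showing at least min_ttps distinct techniques from the chain.
    A lone scheduled task is routine admin work; the combination is the signal."""
    return sorted(h for h, t in match_ttps(events).items() if len(t) >= min_ttps)

if __name__ == "__main__":
    for host, ttps in match_ttps(SAMPLE_EVENTS).items():
        print(host, sorted(ttps))
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Tuning min_ttps and the regexes to local baselines is the real work; the point is to alert on the chain, not on schtasks alone.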
IoC:
- [file hash] F70b34e2b1716528a3c3fffdbfc008003b9685f1a4da2e5a6052612de92b0c68
- [ip address] 156.224.26.7
- [file name] 8848.twilight.zip
Full Research: https://blog.rapid7.com/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/