DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery

Netskope Threat Labs uncovered a campaign using fake installers for popular Chinese software to deliver the Sainbox RAT and a Hidden rootkit, attributed with medium confidence to the Silver Fox group. The attackers employ phishing websites and MSI payloads that execute legitimate software alongside malicious components to maintain stealth and persistence. #SainboxRAT #SilverFox #HiddenRootkit

Keypoints

  • Netskope Threat Labs identified a malware campaign deploying fake MSI installers disguised as legitimate software like WPS Office, Sogou, and DeepSeek targeting Chinese speakers.
  • The campaign delivers the Sainbox RAT, a variant of Gh0stRAT, alongside a Hidden rootkit based on an open-source project to maintain stealth and persistence.
  • The infection starts from phishing websites delivering MSI or PE installers that run a legitimate program (Shine.exe) which side-loads a malicious DLL named libcef.dll, the file name of the Chromium Embedded Framework library the program expects to find beside it.
  • The malicious DLL sets persistence by adding the main binary to the Windows registry Run key and loads shellcode stored in a dropped “1.txt” file.
  • The shellcode reflectively loads the Sainbox RAT DLL (“Install.dll”) and executes its exported function “Shellex,” enabling full attacker control over the system.
  • The embedded rootkit is installed as a service named “Sainbox” to conceal processes, files, and registry entries and protect the malware from detection and termination.
  • The campaign is attributed with medium confidence to the China-based Silver Fox group based on TTPs, targeting, and malware variants used.

MITRE Techniques

  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The legitimate Shine.exe loads the attacker's libcef.dll from the installer directory in place of the Chromium Embedded Framework library it expects.
  • [T1620] Reflective Code Loading – The malicious DLL reads shellcode from the dropped “1.txt” file into allocated memory and runs it; the shellcode maps the Sainbox RAT DLL (“Install.dll”) in memory without going through the Windows loader and calls its “Shellex” export. (“reads the content of the ‘1.txt’ file into a buffer, allocates memory, and writes the read content to it”)
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware writes a Run value named “Management” pointing at the main binary to survive logon. (“sets the path of the main binary… to the Windows registry Run key with the name ‘Management’”)
  • [T1036] Masquerading – Fake installers mimic popular legitimate Chinese software such as WPS Office, Sogou, and DeepSeek to trick victims. (“multiple installers disguised as legitimate software, including WPS Office, Sogou, and DeepSeek”)
  • [T1105] Ingress Tool Transfer – The malicious installers are fetched by the victim from attacker-controlled phishing websites. (“phishing websites delivering MSI payloads”)
  • [T1204.002] User Execution: Malicious File – The victim is tricked into running the fake installer downloaded from the phishing site. (“victim accesses a phishing website and downloads a fake installer”)
  • [T1543.003] Create or Modify System Process: Windows Service – The RAT registers a service named “Sainbox” for the rootkit driver; the retired technique ID T1050 “New Service” used in some write-ups maps here. (“The RAT creates a service named ‘Sainbox’ for the rootkit and loads it using the NtLoadDriver function”)
  • [T1014] Rootkit – The driver is loaded directly with NtLoadDriver rather than started through the Service Control Manager, and once running it hides the malware's processes, files, and registry entries. The retired ID T1035 “Service Execution” (now T1569.002) describes SCM-started services and does not fit this load path. (“loads it using the NtLoadDriver function”)

Indicators of Compromise

  • [File Names] Fake installer components – Shine.exe (legitimate loader), libcef.dll (malicious DLL), 1.txt (shellcode and malware payload), Install.dll (Sainbox RAT DLL)
  • [File Types] MSI installers used to deliver payloads targeting WPS Office, Sogou, and DeepSeek software applications.
  • [Registry] Persistence Run value – a value named “Management” under the Windows Run key, pointing at Shine.exe so the loader starts at logon (the write-up does not state the hive, so check both HKCU and HKLM).
  • [Service] Windows service named “Sainbox” used to load the Hidden rootkit driver.
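The technique mapping and the indicators above translate directly into a host hunt. The Python script below is an added example, not code from Netskope or from the write-up: it walks simplified Sysmon-style events (the field names Image, ImageLoaded, TargetObject, Details and TargetFilename are borrowed from Sysmon; the sample events, host names, SIDs, drop directory and the driver file name are constructed) and only flags a host when several stages of the chain occur together, so that a legitimate CEF application loading its own libcef.dll does not trip the rule.

```python
"""Hunt the Sainbox RAT / Hidden rootkit chain in Sysmon-style events.

Added example for this summary, not code from Netskope or the write-up.
Events are plain dicts that reuse Sysmon field names; everything in
SAMPLE_EVENTS (hosts, paths, SIDs, the driver file name) is constructed.
"""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict

# Sysmon event IDs (real values)
IMAGE_LOADED = 7    # a DLL was mapped into a process
FILE_CREATE = 11
REGISTRY_SET = 13   # a value was written; Details carries the data

# Service keys live under CurrentControlSet or a numbered ControlSetNNN
_SERVICE_KEY = re.compile(r"\\(currentcontrolset|controlset\d{3})\\services\\sainbox\\")


def _base(path: str | None) -> str:
    return ntpath.basename(path or "").lower()


def classify(ev: dict) -> tuple[str, str] | None:
    """Map one event to a (stage, MITRE technique) pair, or None if unrelated."""
    eid = ev.get("EventID")
    image = _base(ev.get("Image"))
    if eid == IMAGE_LOADED and image == "shine.exe" and _base(ev.get("ImageLoaded")) == "libcef.dll":
        return "libcef.dll side-loaded by Shine.exe", "T1574.002"
    if eid == FILE_CREATE and image == "shine.exe" and _base(ev.get("TargetFilename")) == "1.txt":
        # 1.txt holds the shellcode that reflectively maps Install.dll
        return "shellcode file 1.txt dropped", "T1620"
    if eid == REGISTRY_SET:
        key = (ev.get("TargetObject") or "").lower()
        if key.endswith("\\currentversion\\run\\management"):
            return "Run value 'Management' written", "T1547.001"
        if _SERVICE_KEY.search(key):
            return "driver service 'Sainbox' registered", "T1543.003"
    return None


def hunt(events: list[dict], min_stages: int = 2) -> dict[str, dict]:
    """Group stage hits per host; 'confirmed' needs at least min_stages distinct stages."""
    per_host: dict[str, dict] = defaultdict(lambda: {"stages": [], "techniques": set()})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        stage, technique = hit
        rec = per_host[ev.get("Computer", "<unknown>")]
        if stage not in rec["stages"]:
            rec["stages"].append(stage)
        rec["techniques"].add(technique)
    return {
        host: {
            "stages": rec["stages"],
            "techniques": sorted(rec["techniques"]),
            "confirmed": len(rec["stages"]) >= min_stages,
        }
        for host, rec in per_host.items()
    }


_DROP = r"C:\Users\lin\AppData\Local\Temp\WPS-Setup"   # constructed drop directory

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"Computer": "WS-0417", "EventID": 7, "Image": _DROP + r"\Shine.exe",
     "ImageLoaded": _DROP + r"\libcef.dll"},
    {"Computer": "WS-0417", "EventID": 11, "Image": _DROP + r"\Shine.exe",
     "TargetFilename": _DROP + r"\1.txt"},
    {"Computer": "WS-0417", "EventID": 13, "Image": _DROP + r"\Shine.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Management",
     "Details": _DROP + r"\Shine.exe"},
    {"Computer": "WS-0417", "EventID": 13, "Image": _DROP + r"\Shine.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Sainbox\ImagePath",
     "Details": "\\??\\" + _DROP + r"\drv.sys"},   # driver file name is an assumption
    # A legitimate CEF application loading its own libcef.dll must not trip the rule.
    {"Computer": "WS-0902", "EventID": 7,
     "Image": r"C:\Users\ana\AppData\Roaming\Spotify\Spotify.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Roaming\Spotify\libcef.dll"},
    {"Computer": "WS-0902", "EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1002\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

if __name__ == "__main__":
    for host, rec in hunt(SAMPLE_EVENTS).items():
        flag = "CONFIRMED" if rec["confirmed"] else "partial"
        print(f"{host}: {flag} {rec['techniques']}")
        for stage in rec["stages"]:
            print("   -", stage)
```

Requiring two independent stages is the point of the design: libcef.dll loads and new Run values are common on their own, but a Shine.exe/libcef.dll pair together with a "Management" Run value or a "Sainbox" service key is specific to this chain. Feed the same classifier a Sysmon export from an EDR or SIEM and raise min_stages if the environment is noisy.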


Read more: https://www.netskope.com/blog/deepseek-deception-sainbox-rat-hidden-rootkit-delivery