Threat actors used SEO poisoning to place fake KakaoTalk download pages at the top of search results and distributed a malicious installer that infected over 5,000 PCs. The installer uses an invalid NetEase signature, decrypts and drops components (Verifier.exe, AutoRecoverDat.dll, GPUCache.xml/GPUCache2.xml) to establish persistence, add Windows Defender exclusions, and connect to C2 servers running Winos4.0. #Winos4.0 #KakaoTalk
Keypoints
- Threat actors used SEO poisoning to promote fake KakaoTalk download pages and lure users to malicious installers that mimicked the official site.
- ASEC confirmed approximately 5,000+ PCs were infected by the fake KakaoTalk installer first observed around March 9.
- The installer is an NSIS package that decrypts embedded payloads and drops components including Verifier.exe and AutoRecoverDat.dll, while also creating a legitimate-looking KakaoTalk_Setup.exe and shortcut.
- The malware adds Defender exclusion paths via a PowerShell command and achieves persistence by registering a DLL and creating scheduled tasks under Microsoft\Windows\AppID.
- The payload loads ShellCode (Profiler.json, GPUCache.xml/GPUCache2.xml) which contains an embedded DLL executed in memory; the embedded malware is identified as Winos4.0.
- C2 behavior and configuration vary by which ShellCode is loaded (GPUCache.xml uses 192.238.129[.]47:18852; GPUCache2.xml uses 119.28.70[.]225:443), and the malware can execute additional payloads received from C2 in memory.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – The attack relies on users downloading and running a fake installer placed in search results (‘when downloading the installation file from the fake site, malware with the image of KakaoTalk is downloaded’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – The installer executes a PowerShell command to modify Defender preferences (‘cmd.exe /C powe…rsh…ell.exe -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionPath C:, D:,E:,F:’).
- [T1105] Ingress Tool Transfer – Final malware and payloads are fetched from attacker-controlled URLs (‘hxxps://download.i96l6[.]top/KakaoTalk_Setup_patched.RAR’, ‘hxxps://xinjiapox.oss-ap-southeast-1.aliyuncs[.]com/KakaoTa2258.zip’).
- [T1036] Masquerading – The threat actors created fake sites that mimic official branding to appear legitimate (‘fake site created by threat actors utilizing KakaoTalk characters and logos to look similar’).
- [T1620] Reflective Code Loading – The Profiler.json ShellCode uses a reflective DLL loader to load an embedded DLL into memory (‘Profiler.json ShellCode (Reflective DLL Loader, sRDI open source)’).
- [T1053.005] Scheduled Task/Job – Persistence is established via scheduled tasks under Microsoft\Windows\AppID executing Verifier.exe and rundll32 with AutoRecoverDat.dll (‘Task1: .NET Framework adv v6.0.4232 Action: %LocalAppData%\Verifier.exe’, ‘Task2: .NET Framework JDAH v7.7 Action: rundll32.exe %AppData%\Embarcadero\AutoRecoverDat.dll, DllRegisterServer’).
- [T1562.001] Impair Defenses: Disable or Modify Tools – The installer adds Defender exclusion paths to weaken detection (‘Add-MpPreference -ExclusionPath C:, D:,E:,F:’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication is performed over standard web protocols/ports (examples: ‘C2 : 119.28.70[.]225 Port : 443’, ‘C2 : 192.238.129[.]47 Port : 18852’).
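The Defender-exclusion and scheduled-task behaviours listed above (T1562.001, T1053.005) are the parts of this chain that leave clean host-side evidence, so they lend themselves to simple triage rules. The Python below is an added example, not code from the ASEC report or from AhnLab; it runs over constructed sample events (a process command line plus task-registration records modelled on Security event 4698 / the TaskScheduler operational log, which also catch tasks created through the COM API rather than schtasks.exe) and flags whole-drive exclusions, tasks under \Microsoft\Windows\AppID whose action points into a user-writable profile path, and rundll32 DllRegisterServer launches from AppData. The rule names, the event shape and all sample values are assumptions made for the example.

```python
"""Triage rules for the installer behaviours described in the summary.

Added example with constructed events; nothing here is data from the report.
Event shapes (assumed): {'type': 'process', 'cmdline': ...} and
{'type': 'task_registered', 'name': ..., 'action': ...}.
"""
import re

# Add-MpPreference -ExclusionPath <paths...>  (paths captured for inspection)
EXCLUSION_CMD = re.compile(r'(?i)add-mppreference\s+-exclusionpath\s+(.+)')
# Bare drive root such as "C:" or "D:\" - excluding a whole volume from Defender
DRIVE_ROOT = re.compile(r'(?i)[a-z]:\\?')
# Paths a standard user can write to (env-var or expanded forms)
USER_WRITABLE = re.compile(
    r'(?i)(\\appdata\\(local|roaming)\\|%(local)?appdata%|'
    r'\\users\\[^\\]+\\(downloads|desktop)\\)')
# Task folder the installer abused for its two persistence tasks
APPID_FOLDER = re.compile(r'(?i)^\\?microsoft\\windows\\appid\\')
# rundll32 <something>.dll,DllRegisterServer
RUNDLL_REGSVR = re.compile(r'(?i)rundll32(\.exe)?\s+.+\.dll\s*,\s*dllregisterserver')


def check_process(cmdline):
    """Rules for one process command line. Returns [(rule, detail), ...]."""
    findings = []
    m = EXCLUSION_CMD.search(cmdline)
    if m:
        tokens = [t.strip(' "\'') for t in m.group(1).split(',') if t.strip()]
        roots = [t for t in tokens if DRIVE_ROOT.fullmatch(t)]
        if roots:
            findings.append(('defender_exclusion_drive_root', ','.join(roots)))
        else:
            # Still worth logging: any new exclusion deserves review
            findings.append(('defender_exclusion_added', ';'.join(tokens)))
    if RUNDLL_REGSVR.search(cmdline) and USER_WRITABLE.search(cmdline):
        findings.append(('rundll32_dllregisterserver_appdata', cmdline))
    return findings


def check_task(name, action):
    """Rules for one registered scheduled task (task path + action string)."""
    findings = []
    if APPID_FOLDER.match(name) and USER_WRITABLE.search(action):
        findings.append(('appid_task_user_writable_action', action))
    if RUNDLL_REGSVR.search(action) and USER_WRITABLE.search(action):
        findings.append(('rundll32_dllregisterserver_appdata', action))
    return findings


def triage(events):
    """Apply the rules to a list of events; returns [(event_id, rule, detail)]."""
    out = []
    for ev in events:
        if ev['type'] == 'process':
            hits = check_process(ev['cmdline'])
        elif ev['type'] == 'task_registered':
            hits = check_task(ev['name'], ev['action'])
        else:
            hits = []
        out.extend((ev['id'], rule, detail) for rule, detail in hits)
    return out


# Constructed sample events (assumed shapes; values modelled on the summary)
SAMPLE_EVENTS = [
    {'id': 1, 'type': 'process',
     'cmdline': 'cmd.exe /C powershell.exe -ExecutionPolicy Bypass -Command '
                'Add-MpPreference -ExclusionPath C:, D:,E:,F:'},
    {'id': 2, 'type': 'task_registered',
     'name': r'\Microsoft\Windows\AppID\.NET Framework adv v6.0.4232',
     'action': r'%LocalAppData%\Verifier.exe'},
    {'id': 3, 'type': 'task_registered',
     'name': r'\Microsoft\Windows\AppID\.NET Framework JDAH v7.7',
     'action': r'rundll32.exe %AppData%\Embarcadero\AutoRecoverDat.dll, DllRegisterServer'},
    # Benign-looking control: a single product folder excluded, not a drive root
    {'id': 4, 'type': 'process',
     'cmdline': r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Program Files\ExampleVendor\Tool"'},
    # Benign-looking control: AppID task whose action lives under the system root
    {'id': 5, 'type': 'task_registered',
     'name': r'\Microsoft\Windows\AppID\PolicyConverter',
     'action': r'%SystemRoot%\System32\PolicyConverter.exe'},
]

if __name__ == '__main__':
    for event_id, rule, detail in triage(SAMPLE_EVENTS):
        print(f'event {event_id}: {rule} -> {detail}')
```

Events 1 to 3 reproduce the three behaviours from the summary and each trips a rule; event 4 is logged only as a generic exclusion change and event 5 produces nothing, which is the separation a triage queue needs. On a real host the same rules can be fed from Sysmon/4688 process events and 4698 task-creation events, and the exclusion list itself can be confirmed with Get-MpPreference.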
Indicators of Compromise
- [MD5] Distributed malicious installer samples – 0ab84f52d043f7a7af54bd4df0331d64, 108849450dd8410bf6217c9a7af82ab3 (and 3 more hashes).
- [URL] Malicious download and hosting locations used for payload delivery – https[:]//download[.]i96l6[.]top/KakaoTalk_Setup_patched[.]rar, https[:]//xinjiapox.oss-ap-southeast-1[.]aliyuncs[.]com/KakaoTa2258[.]zip (plus the redirector domain pc-kakaocorp[.]com).
- [IP] Command-and-control servers observed – 119[.]28[.]70[.]225 (C2 for GPUCache2.xml over port 443), 192[.]238[.]129[.]47 (C2 for GPUCache.xml over port 18852).
- [File Name] Key malicious components dropped/used by the installer – Verifier.exe, AutoRecoverDat.dll (which loads GPUCache.xml/GPUCache2.xml).
- [Domain] Fake site domain used to impersonate the official download page – pc-kakaocorp[.]com (used to host the fake KakaoTalk download page).
Read more: https://asec.ahnlab.com/en/92971/