Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group, Void Arachne.
This group has targeted Chinese-speaking users by distributing malicious Windows Installer (MSI) files.
The campaign leverages popular software and AI technologies to lure unsuspecting victims, leading to severe security breaches and potential financial losses.
Void Arachne’s campaign primarily targets the Chinese-speaking demographic, utilizing SEO poisoning and widely used messaging applications such as Telegram.
According to the Trend Micro blog, the hacker group has disseminated malicious MSI files embedded with nudifiers and deepfake pornography-generating software, exploiting the public’s interest in AI technologies.
These compromised files are advertised as legitimate software installers, including language packs, VPNs, and AI-powered applications.
Technical Analysis
The malicious MSI files, such as letvpn.msi, use Dynamic Link Libraries (DLLs) during installation.
These DLLs facilitate various operations, including property management, task scheduling, and firewall configuration.
The MSI file creates scheduled tasks and configures firewall rules to whitelist both inbound and outbound traffic associated with the malware, ensuring uninterrupted operation.
Table 1: Sample of Files Dropped by LetsPro.msi

| File Name | Size (bytes) | MD5 Hash | Parent Directory |
| --- | --- | --- | --- |
| 1 | 9996288 | D82362C15DDB7206010B8FCEC7F611C5 | C:\Users\%USERNAME%\ |
| 792258.vbs | 2405 | CD95B5408531DC5342180A1BECE74757 | C:\Users\%USERNAME%\ |
| LetsPRO.exe | 40960 | FE7AEDAB70A5A58EFB84E6CB988D67A4 | C:\Users\%USERNAME%\ |
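A defender-side hunt for the two persistence artifacts described above: firewall allow rules and scheduled tasks whose target lives under a user profile directory, which is where Table 1 shows the dropped files landing. This is an added example written for this article, not Trend Micro's tooling; it assumes Windows PowerShell 5.1 or later with the built-in NetSecurity and ScheduledTasks modules, run from an elevated prompt.

```powershell
# Added hunt script (not from the Trend Micro report). Flags firewall Allow rules
# and scheduled tasks that point at a program under C:\Users\, the pattern the
# LetsPro/letvpn MSI leaves behind: files dropped in the user profile, then
# whitelisted in both directions and kept alive by a scheduled task.
# Assumes the NetSecurity and ScheduledTasks modules; run elevated.

$userRoot   = [regex]::Escape("$env:SystemDrive\Users\")
$suspicious = "^$userRoot"   # any path rooted in a user profile (case-insensitive)

# 1. Firewall: enabled Allow rules bound to a program under a user profile.
$fwHits = foreach ($rule in Get-NetFirewallRule -Enabled True -Action Allow) {
    $app  = $rule | Get-NetFirewallApplicationFilter
    $prog = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
    if ($prog -match $suspicious) {
        [pscustomobject]@{
            Program   = $prog
            Direction = $rule.Direction
            RuleName  = $rule.DisplayName
            Profile   = $rule.Profile
        }
    }
}
# A program allowed both Inbound and Outbound is the strongest signal.
$bothWays = $fwHits | Group-Object Program |
    Where-Object { @($_.Group.Direction | Sort-Object -Unique).Count -eq 2 }

# 2. Scheduled tasks whose action runs something from a user profile
#    (e.g. wscript.exe launching a dropped .vbs, or an .exe dropped there).
$taskHits = foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($action in $task.Actions) {
        $cmd = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
        if ($cmd -match $suspicious) {
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Author  = $task.Author
                Command = $cmd.Trim()
            }
        }
    }
}

"== Firewall allow rules for programs under user profiles =="
$fwHits | Format-Table -AutoSize
"== Programs allowed in BOTH directions =="
$bothWays | ForEach-Object { $_.Name }
"== Scheduled tasks running from user profiles =="
$taskHits | Format-Table -AutoSize
```

Legitimate per-user software (browsers, chat clients) also installs under the profile, so treat hits as triage leads and compare the flagged binaries' hashes and signers against known-good inventory.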
Malicious AI Applications
Void Arachne has also promoted AI technologies that can be used for virtual kidnapping and sextortion schemes.
These include voice-altering and face-swapping AI applications advertised on Telegram channels.
The group has shared infected modifier applications that create nonconsensual deepfake pornography, often used in sextortion schemes.
Distribution Methods
Void Arachne employs multiple initial access vectors to distribute malware, including SEO poisoning and spear-phishing links.
These links are hosted on attacker-controlled websites disguised as legitimate sites, ranking high on search engines.
The group also shares malicious MSI files on Chinese-language-themed Telegram channels, increasing the chances of infection.
Table 2: Winos 4.0 External Plugins

| Plugin Name in Chinese | Plugin Name in English | SHA256 Hash |
| --- | --- | --- |
| 删除360急速安全账号密码.dll | Delete 360 Speed Security Account Password.dll | 03669424bdf8241a7ef7f8982cc3d0cf56280a5804f042961f3c6a111252ffd3 |
| 提权-EnableDebugPrivilege.dll | Elevate Privileges-EnableDebugPrivilege.dll | 11a96c107b8d4254722a35ab9a4d25974819de1ce8aa212e12cae39354929d5f |
| 体积膨胀.dll | Volume Expansion.dll | 186bf42bf48dc74ef12e369ca533422ce30a85791b6732016de079192f4aac5f |
Impact and Recommendations
The proliferation of these malicious MSI files poses a significant threat to organizations and individuals.
The malware can lead to system compromise, data theft, and financial losses.
Trend Micro has curated comprehensive resources to educate the community on identifying, preventing, and addressing sextortion attacks.
Victims are strongly advised to report incidents to relevant authorities, such as the Internet Crime Complaint Center (IC3).
Void Arachne’s campaign highlights the growing sophistication of cyber threats and the need for robust cybersecurity measures.
Individuals and organizations can protect themselves from such malicious campaigns by staying vigilant and adopting comprehensive security practices.