Friday, February 21, 2025

Malware-Infected Signal, Line, and Gmail Apps Alter System Defenses


A recent cybersecurity analysis has uncovered a campaign targeting Chinese-speaking users through malicious installers of popular applications such as Signal, Line, and Gmail.

These backdoored executables exploit manipulated search engine results to lure unsuspecting users into downloading malware-laden files.

The attackers employ deceptive tactics, including fake download pages hosted on unrelated domains, to distribute these compromised applications.

Sophisticated Techniques Evade Detection

Unlike traditional phishing schemes that mimic official URLs, this campaign operates through generic and unrelated domain names such as “ggyxx.wenxinzhineng[.]top” and “linoo.wenxinzhineng[.]top.”

These domains are hosted on centralized infrastructure located on Alibaba servers in Hong Kong.

The attackers rely on search engine optimization (SEO) poisoning to direct users to these fraudulent pages, which deliver ZIP files containing executable malware.

Upon execution, the malware initiates a multi-step process that includes temporary file extraction, process injection, and system modification.

Notably, it uses PowerShell commands to disable Windows Defender by excluding the entire C:\ drive from scanning.

This tactic ensures that the malware can operate undetected while compromising the system.
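A defender-side check for the tactic described above, written for this article as an added example (it is not code from the original report or from the malware): it lists Microsoft Defender path exclusions that cover a whole drive or every user profile, then pulls the recent Defender configuration-change events (Event ID 5007) that record when an exclusion was added. It assumes it runs elevated on a Windows host where the Defender cmdlets (`Get-MpPreference`) are available; the function names are my own.

```powershell
# Added example, not from the article: audit Defender for drive-wide exclusions
# of the kind the campaign sets (excluding the whole C:\ drive from scanning).

function Get-BroadDefenderExclusions {
    param(
        # Defaults to the live exclusion list; a list can be passed in for offline review.
        [string[]] $ExclusionPaths = (Get-MpPreference).ExclusionPath
    )
    foreach ($path in $ExclusionPaths) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $normalized = $path.TrimEnd('\')
        # "C:" or "C:\" excludes an entire volume; "C:\Users" excludes every profile.
        $isDriveRoot   = $normalized -match '^[A-Za-z]:$'
        $isProfileTree = $normalized -match '^[A-Za-z]:\\Users$'
        if ($isDriveRoot -or $isProfileTree) {
            $reason = if ($isDriveRoot) { 'EntireDriveExcluded' } else { 'AllUserProfilesExcluded' }
            [pscustomobject]@{ Path = $path; Reason = $reason }
        }
    }
}

function Get-DefenderExclusionChangeEvents {
    param([int] $Hours = 24)
    # Event ID 5007 in the Defender operational log records a configuration change;
    # its message names the registry value that changed, e.g. ...\Exclusions\Paths\C:\.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

# Usage: report broad exclusions and, if any exist, who-when evidence from the event log.
$broad = Get-BroadDefenderExclusions
if ($broad) {
    $broad | Format-Table -AutoSize
    Get-DefenderExclusionChangeEvents -Hours 72 | Format-Table -Wrap
} else {
    Write-Output 'No drive-wide or profile-wide Defender exclusions found.'
}
```

Pairing the 5007 events with PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) shows the exact `Add-MpPreference` command line that introduced the exclusion.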

Targeted Applications

The fake download pages impersonate widely used applications:

  • Signal: The spoofed site “z1.xiaowu[.]pw” delivers a ZIP file named “Sriguoe-i4.zip,” which contains a Windows executable disguised as a Signal installer.
    Figure: Fake page for Signal.
  • Line: Two domains, “linoo.wenxinzhineng[.]top” and “linegut[.]com,” host similar malicious pages delivering files like “Levinech-en.zip.”
  • Gmail: The fraudulent site “ggyxx.wenxinzhineng[.]top” masquerades as a login page but instead prompts users to download “Goongeurut.zip,” which installs a fake Gmail notifier application.
    Figure: Screenshot of fake Gmail login page.

According to the Hunt researchers, the malware follows a consistent execution pattern.

After initial execution from the user’s desktop, it drops temporary files in the AppData directory and injects malicious processes into deeply nested paths.

It also establishes outbound connections to command-and-control (C2) servers for potential data exfiltration or further instructions.

Key indicators include:

  • Domains: Hosted on Alibaba servers with IP addresses like 47.243.192[.]62.
  • File Names: ZIP archives such as “Sriguoe-i4.zip” and executables like “svrnezcm.exe.”
  • Network Activity: DNS queries to domains like “zhzcm.star1ine[.]com” and outbound TCP connections to IPs like 8.210.9[.]4.

This campaign highlights the evolving sophistication of malware distribution tactics targeting specific user demographics.

By leveraging non-branded domains and manipulating search engines, attackers aim to cast a wide net without directly impersonating official vendors.

Security professionals and users are urged to verify software sources rigorously and remain vigilant against untrusted download sites.

Enhanced threat detection measures can help mitigate risks posed by such advanced malware campaigns.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
