A sophisticated cyberattack campaign targeting Chinese-speaking users, malicious actors have weaponized fake versions of popular applications such as Signal, Line, and Gmail.<\/p>\n
These fake and weaponized apps are distributed via deceptive download pages that deliver malware capable of altering system defenses, evading detection, and exfiltrating sensitive data.<\/p>\n
The attackers exploit search engine manipulation to push fraudulent websites<\/a> that mimic legitimate software sources, luring unsuspecting users into downloading compromised executables.<\/p>\n The malicious files are typically delivered in ZIP archives containing Windows executables. Upon execution, the malware follows a consistent pattern: extracting temporary files, injecting processes, modifying security settings, and establishing network communications.<\/p>\n Researchers at Hunt.io noted<\/a> that the fake Signal download page at Once executed, the malware employs advanced techniques to manipulate system defenses.<\/p>\n One notable example involves the use of PowerShell commands to disable Windows Defender<\/a> by excluding the entire C: drive from scanning.<\/p>\n The command used is as follows:<\/p>\n This effectively renders the system vulnerable to further exploitation. The malware also drops a secondary executable, such as svrnezcm.exe<\/em>, into deeply nested directories within the AppData folder:<\/p>\n This executable spawns additional processes and communicates with command-and-control (C2) servers hosted on Alibaba infrastructure in Hong Kong.<\/p>\n For example, DNS queries to The campaign relies on centralized infrastructure hosted at IP address The attackers also utilize Let\u2019s Encrypt TLS certificates to secure their spoofed websites<\/a>, adding a layer of credibility to their operations.<\/p>\n This campaign shows the importance of verifying software sources and avoiding unofficial download sites.<\/p>\n Users should remain vigilant against suspicious domains<\/a> and rely on trusted platforms for software installations to mitigate such threats effectively.<\/p>\n The post Weaponized Signal, Line, and Gmail Apps Delivers Malware That Changes System Defenses<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nz1.xiaowu[.]pw<\/code> delivers a file named Sriguoei4.zip. Similarly, the spoofed Gmail page at ggyxx.wenxinzhineng[.]top<\/code> tricks users into downloading Goongeurut.zip, which installs a fake application called \u201cGmail Notifier Pro.\u201d<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhecSeNBzMsqdXuME965NxcsscW66xfFy1OSvsdyCazJpERrN9YQUVT0PC3TkF7jDzVCyrAfnJr7uVIYbudx1wEAngSqkbXcvIvcoVJVyHYa96yyyNBnlAoFVwPU5YG9_v2xA8tFl3GLB6pHPn7BB5TsH6gl74E6WVMmPTpuiO3LZfQesPFpIIruPYwm8M\/s16000\/Fake%2520Gmail%2520login%2520page%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
Execution and System Modification<\/strong><\/h2>\n
powershell -Command \"Add-MpPreference -ExclusionPath 'C:'\"<\/code><\/pre>\nC:UsersuserAppDataRoaming41d8a4fa27e8d998445c22590e5b2cb4562svrnezcm.exe<\/code><\/pre>\nzhzcm.star1ine[.]com<\/code> and outbound TCP connections to 8.210.9[.]4<\/code> on port 45 suggest data exfiltration or remote control activities.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh65YsaZeSKBG14iHI5WFlz86Ur0byCWBkABqOdkQN7eys0AXOvJE85__ws1eEwMRNr1i6rnepU0L7O5OwDI00mivOkhvE-TYJgEAjSmijLK_cC0VpLdpGY4qgsxbbbSULMpBhhRp89rIZ6b8ilu7w2dQtb9aSPN9WldRnqFxujWGXpod87gAR8xbjHRZo\/s16000\/Domain%2520Overview%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
47.243.192[.]62<\/code>, which resolves to multiple malicious domains.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhGptvOGFB3oPc5Xdg19XGvGIizvpP-crTOCBUo8gTA9H-P6BPHOyYoL9qVjpFvpQfpFTGAZI8ZAQJ3q5Miwq8WOPvtXYJkSBi81thsL6iG4D0H6prjFoow4AyU_B-DqnaVEjQIc3YQjn2DsnNmWh-Zu4rfjPnCzFHszu6jOwqAowYX1VE9V6uqSAApt-g\/s16000\/Fake%2520Signal%2520Page%2520%28Source%2520-%2520Hunt.io%29.webp?ssl=1\")
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n