China-Based Silver Fox Group Spreads Malware via Tax and Software Threats in Asia
Silver Fox Group Expands Malware Campaign Across Asia
The Silver Fox Group, a China-based threat group, has escalated its malicious activities across Asia, employing sophisticated phishing tactics to compromise user systems.
- Fake tax audit notifications and counterfeit software update alerts are used to deceive victims into installing malware.
- The group has been active since at least 2022, initially focusing on financially motivated attacks primarily targeting Chinese users.
- It has since broadened its scope, adding espionage to its profit-driven campaigns.
- Its influence has spread beyond China, with notable activity detected in Taiwan, Japan, and Southeast Asian countries such as Malaysia, Indonesia, Singapore, Thailand, and the Philippines.
Methods Used by Silver Fox
The group’s phishing campaigns often impersonate government agencies, such as the National Tax Bureau in Taiwan, to create a sense of urgency and authenticity among victims.
Targets receive emails that appear to be routine tax audit notices or software update reminders; opening them installs malware directly or fetches second-stage payloads from cloud storage infrastructure.
Tactics Employed by the Group
- Loading older, legitimately signed Windows drivers that contain known security flaws (the "bring your own vulnerable driver", or BYOVD, technique) and exploiting them to disable antivirus and endpoint detection and response (EDR) tools. Because the driver carries a valid signature, signature checks alone do not stop it.
- Running a Python-based information stealer that collects sensitive files and uploads them to attacker-controlled servers through remotely hosted upload scripts, leaving forensic traces of the tooling on the compromised host.
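Both tactics above leave telemetry that a defender can screen. The script below is an added example, not code from the original report or from any vendor: it runs two detections over constructed Sysmon driver-load records (Event ID 6) and constructed proxy log lines, flagging signed drivers that are blocklisted or loaded from user-writable paths, and scripted HTTP POST uploads from Python user agents to hosts outside an allowlist. The driver hashes, paths, hosts, log format and thresholds are all placeholders chosen for the example.

```python
import re
from dataclasses import dataclass

# Constructed blocklist: SHA256 values (placeholder hex, not real driver hashes) of signed
# third-party drivers the organization refuses to load. In production this would be fed
# from Microsoft's vulnerable driver blocklist or a comparable catalogue.
BLOCKED_DRIVER_SHA256 = {
    "a1" * 32: "placeholder: signed third-party driver with a known kernel-write primitive",
}
# A driver image loaded from a user-writable location is suspicious whatever its signature.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|ProgramData|Windows\\Temp|Temp)\\",
    re.IGNORECASE,
)
# Hosts to which scripted bulk uploads are expected (constructed allowlist) and size cut-off.
ALLOWED_UPLOAD_HOSTS = {"sharepoint.example.com", "backup.example.com"}
UPLOAD_BYTES_THRESHOLD = 200_000
# Sysmon-style "Key=Value Key=Value" records; values may themselves contain spaces.
KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
# Constructed proxy log format: ts client method host path status bytes_out "user-agent"
PROXY = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ua>[^"]*)"$'
)


@dataclass
class Finding:
    source: str   # "sysmon" or "proxy"
    reason: str
    subject: str  # driver path, or host + URL path


def check_driver_load(line: str) -> list:
    """Flag Sysmon Event ID 6 (DriverLoad) records showing BYOVD indicators."""
    ev = dict(KV.findall(line))
    if ev.get("EventID") != "6":
        return []
    image = ev.get("ImageLoaded", "")
    sha256 = ""
    for part in ev.get("Hashes", "").split(","):      # Sysmon packs "SHA256=..,MD5=.."
        if part.upper().startswith("SHA256="):
            sha256 = part.split("=", 1)[1].lower()
    findings = []
    if sha256 in BLOCKED_DRIVER_SHA256:
        findings.append(Finding("sysmon", f"blocklisted driver ({BLOCKED_DRIVER_SHA256[sha256]})", image))
    if USER_WRITABLE.search(image):
        findings.append(Finding("sysmon", "driver loaded from a user-writable path", image))
    if ev.get("SignatureStatus", "").lower() != "valid":
        findings.append(Finding("sysmon", "driver signature not valid", image))
    return findings


def check_proxy_line(line: str) -> list:
    """Flag scripted POST uploads (python-requests/urllib user agents) to hosts outside the
    allowlist when the body is large or the target looks like an upload script."""
    m = PROXY.match(line)
    if not m:
        return []
    r = m.groupdict()
    if r["method"] != "POST" or r["host"] in ALLOWED_UPLOAD_HOSTS:
        return []
    scripted = r["ua"].lower().startswith(("python-requests/", "python-urllib/"))
    big = int(r["bytes_out"]) >= UPLOAD_BYTES_THRESHOLD
    path = r["path"].lower()
    upload_script = path.endswith((".php", ".asp", ".aspx")) or "upload" in path
    if scripted and (big or upload_script):
        return [Finding("proxy", f"scripted POST by {r['ua']} ({r['bytes_out']} bytes)",
                        r["host"] + r["path"])]
    return []


def triage(sysmon_lines, proxy_lines) -> list:
    findings = []
    for line in sysmon_lines:
        findings.extend(check_driver_load(line))
    for line in proxy_lines:
        findings.extend(check_proxy_line(line))
    return findings


# Constructed sample telemetry (not real events): a benign Microsoft driver load, a signed
# third-party driver dropped under ProgramData, and an unrelated process-creation event.
SAMPLE_SYSMON = [
    r"EventID=6 UtcTime=2025-03-04 09:12:01 ImageLoaded=C:\Windows\System32\drivers\tcpip.sys "
    "Hashes=SHA256=" + "b2" * 32 + ",MD5=" + "c3" * 16 + " Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=6 UtcTime=2025-03-04 09:13:40 ImageLoaded=C:\ProgramData\TaxUpdate\netfilter.sys "
    "Hashes=SHA256=" + "a1" * 32 + ",MD5=" + "d4" * 16 + " Signed=true Signature=Example Vendor Ltd SignatureStatus=Valid",
    r"EventID=1 UtcTime=2025-03-04 09:13:42 Image=C:\Users\alice\AppData\Local\Temp\TaxNotice.exe User=CORP\alice",
]
# Constructed proxy lines: browsing, an allowlisted upload, a scripted upload to an upload
# script on an unknown host, and a small scripted beacon that stays below every threshold.
SAMPLE_PROXY = [
    '2025-03-04T09:14:02Z 10.0.0.15 GET www.example.com /index.html 200 512 "Mozilla/5.0"',
    '2025-03-04T09:14:30Z 10.0.0.15 POST sharepoint.example.com /_api/upload 200 5000000 "Mozilla/5.0"',
    '2025-03-04T09:15:22Z 10.0.0.15 POST files-sync.example.net /api/v1/upload.php 200 4821337 "python-requests/2.31.0"',
    '2025-03-04T09:15:25Z 10.0.0.15 POST telemetry.example.org /ping 200 312 "python-requests/2.31.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SYSMON, SAMPLE_PROXY):
        print(f"[{f.source}] {f.reason}: {f.subject}")
```

The second Sysmon record is the BYOVD case worth noticing: the driver is signed and its signature status is "Valid", so only the hash blocklist and the load path catch it. The proxy rule deliberately ignores small scripted POSTs, since beaconing and legitimate automation both look like that; a stealer's bulk upload stands out by size or by the upload-script endpoint it talks to.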
Recommendations for Countermeasures
Organizations are advised to implement enhanced security measures, including:
- Strengthening filtering and monitoring of spoofed domains.
- Ensuring kernel-level Endpoint Detection and Response (EDR) protection, and preventing the loading of the known-vulnerable signed drivers the group uses to disable it.
- Applying application whitelisting.
- Educating employees in high-risk sectors to recognize phishing attempts during tax season.
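The first recommendation, filtering spoofed domains, is concrete enough to show in code. What follows is an added example, not part of the original article or any vendor's product: a Python sender-domain screen that treats a small set of protected domains (a tax authority and a software vendor's update host, both constructed placeholders) as the thing being impersonated, and classifies an incoming sender domain as the protected domain itself, a lookalike (confusable characters, the protected name embedded under another registrable domain, or a near-miss within two edits), or unrelated. The confusable table and the test addresses are constructed for the example.

```python
import unicodedata

# Constructed set of domains whose notices are sensitive (placeholders, not real domains).
PROTECTED_DOMAINS = {"etax.example.gov.tw", "update.example-vendor.com"}

# Glyphs that are routinely swapped for Latin letters in lookalike registrations
# (a small subset of Unicode's confusables data, chosen for the example).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic с х у
    "\u0131": "i", "\u0142": "l",                                 # dotless i, l-stroke
}
MULTI_CHAR = {"rn": "m", "vv": "w"}   # digraphs that render like a single letter
MAX_EDITS = 2


def fold(domain: str) -> str:
    """Reduce a domain to a comparison skeleton: decode punycode labels, strip accents,
    lower-case, and map confusable characters and digraphs to the letters they imitate."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass   # malformed punycode: keep the raw label
        labels.append(label)
    s = unicodedata.normalize("NFKD", ".".join(labels))
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for digraph, letter in MULTI_CHAR.items():
        s = s.replace(digraph, letter)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str) -> tuple:
    """Return (verdict, detail). 'protected' means the real domain or a subdomain of it;
    'lookalike' covers confusable spellings, embeddings and near-misses; else 'unrelated'."""
    sender = sender_domain.lower().rstrip(".")
    for protected in PROTECTED_DOMAINS:
        if sender == protected or sender.endswith("." + protected):
            return "protected", protected
    skeleton = fold(sender)
    for protected in sorted(PROTECTED_DOMAINS):
        target = fold(protected)
        if skeleton == target:
            return "lookalike", f"confusable spelling of {protected}"
        if target in skeleton or target.replace(".", "-") in skeleton:
            return "lookalike", f"embeds {protected} under a different registrable domain"
        if edit_distance(skeleton, target) <= MAX_EDITS:
            return "lookalike", f"within {MAX_EDITS} edits of {protected}"
    return "unrelated", ""


def sender_domain(address: str) -> str:
    """Domain part of an address; a display name with angle brackets is tolerated."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1 : -1]
    return addr.rpartition("@")[2].lower()


if __name__ == "__main__":
    # Constructed sample senders for the demonstration.
    for sender in ['"Tax Office" <notice@etax.example.gov.tw>',
                   '"Tax Office" <notice@etax.example.gov.tw.refund-check.com>',
                   "audit@etax.examp1e.gov.tw", "updates@update.example-vend0r.com",
                   "news@news.example.com"]:
        print(sender, "->", classify_sender_domain(sender_domain(sender)))
```

Two caveats belong with this check. A "protected" verdict only says the header domain matches; it is trustworthy only if the message also passed SPF, DKIM and DMARC, so the screen complements DMARC enforcement rather than replacing it. And the embedding test compares raw strings, so a sibling host under the same parent (a legitimate `notice.example.gov.tw`, say) could be mis-flagged; a production filter should compare registrable domains using the public suffix list.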
