
Chinese Malware Exploits GitHub Pages to Target Developers
Chinese users downloading popular browsers and communication software are being targeted by malware variants that grant remote access capabilities. Multiple cybersecurity organizations, including Fortinet FortiGuard Labs and Zscaler ThreatLabz, have reported these activities.
Fortinet discovered an SEO poisoning campaign delivering two Remote Access Trojans (RATs), HiddenGh0st and Winos, both variants of the notorious Gh0st RAT. The attackers created spoofed download pages for programs like DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office on typosquatted domains.
They manipulated search rankings using various SEO plugins so that users searching for these programs were led to the wrong sites. The downloads appear to install the desired program, but the installer is trojanized and also delivers one of the mentioned RATs.
Meanwhile, Zscaler researchers observed a previously unknown trojan, kkRAT, being distributed. This campaign began in May and also delivers Winos and FatalRAT. kkRAT's code is similar to Gh0st RAT and Big Bad Wolf; its network communication protocol compresses the data and then applies an additional encryption layer.
The trojan can disable antivirus software before executing its malicious activities, targeting solutions like the 360 Internet Security suite, 360 Total Security, and the HeroBravo System Diagnostics suite. Unlike the campaign Fortinet discovered, this one uses GitHub Pages, leveraging the platform's community trust to distribute the trojans. The GitHub account used has since been terminated.