Chinese hackers use McAfee antivirus to spread malware
According to Google, hackers linked to the Chinese government are using legitimate McAfee security software to distribute malware.
This appears to be the same hacker group that earlier this year tried unsuccessfully to attack the campaign headquarters of former US Vice President Joe Biden.
However, according to Shane Huntley, head of Google's Threat Analysis Group, there is no evidence that the phishing attacks were successful.
“From the beginning of the campaign, we knew that we would become a target for such attacks, and we prepared properly,” said the Biden campaign headquarters.
The APT31 group sends its victims emails containing a link to GitHub, from which malware is downloaded onto the system, allowing the attackers to upload and download files and execute commands. Because the attackers host their tooling on legitimate services such as GitHub and Dropbox, they are harder to track.
According to Shane Huntley, every piece of malware used in the attack is hosted on a legitimate service, which makes it harder for defenders to rely on network signals to track the attackers.
In the case of APT31, the recipient of the phishing email is prompted to download and install legitimate McAfee antivirus software from GitHub, but the package also installs malware on the victim's system without the victim's knowledge.
The malware is an implant written in Python that uses Dropbox as its command-and-control (C&C) server.
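Because the staging and C&C hosts here are legitimate services, simply blocking domains is not an option; a defender instead has to key on process context. The following is an added example (not code from the article or from Google) of an endpoint-telemetry heuristic that flags a Python interpreter beaconing to Dropbox API hosts, and rates it higher when a GitHub download preceded it on the same machine. The event format, the sample events and the host lists are constructed for illustration.

```python
"""Added example: flag Python processes beaconing to Dropbox, optionally
chained to a recent GitHub download (installer-then-implant pattern)."""
from dataclasses import dataclass

# Illustrative host lists; real deployments would tune these per environment.
CLOUD_C2_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com"}
STAGING_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python", "python3"}


@dataclass
class NetEvent:
    host: str     # endpoint that produced the event
    process: str  # image name of the process that opened the connection
    dest: str     # destination hostname
    ts: int       # seconds since epoch (constructed values)


def suspicious_dropbox_beacons(events, window=600):
    """Return (host, process, reason) findings.
    Rule 1: a Python interpreter talking to Dropbox API hosts is unusual on a
    workstation (the legitimate Dropbox client is Dropbox.exe, not python).
    Rule 2: the finding is stronger when a GitHub fetch happened on the same
    host within `window` seconds before the beacon."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        github_times = [e.ts for e in evs if e.dest in STAGING_HOSTS]
        for e in evs:
            if e.process.lower() in PYTHON_IMAGES and e.dest in CLOUD_C2_HOSTS:
                chained = any(0 <= e.ts - t <= window for t in github_times)
                reason = "python->dropbox" + (" after github download" if chained else "")
                findings.append((host, e.process, reason))
    return findings


# Constructed sample telemetry: ws-01 shows the full chain, ws-02 is a
# legitimate Dropbox client, ws-03 is a python beacon with no GitHub precursor.
SAMPLE_EVENTS = [
    NetEvent("ws-01", "outlook.exe", "github.com", 1000),
    NetEvent("ws-01", "chrome.exe", "objects.githubusercontent.com", 1005),
    NetEvent("ws-01", "pythonw.exe", "api.dropboxapi.com", 1300),
    NetEvent("ws-02", "Dropbox.exe", "api.dropboxapi.com", 2000),
    NetEvent("ws-03", "python.exe", "api.dropboxapi.com", 5000),
]

if __name__ == "__main__":
    for finding in suspicious_dropbox_beacons(SAMPLE_EVENTS):
        print(finding)
```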
The researcher did not specify who the victims of the latest APT31 attacks were, but reported “increased attention to threats posed by APTs in the context of the US elections.”
“Overall, we’ve seen increased attention on the threats posed by APTs in the context of the U.S. election. U.S. government agencies have warned about different threat actors, and we’ve worked closely with those agencies and others in the tech industry to share leads and intelligence about what we’re seeing across the ecosystem. This has resulted in action on our platforms, as well as others,” write Google Threat Analysis Group specialists.
According to the Google Threat Analysis Group, when they discover that a user is being attacked by a government-backed hacker group, they send that user a warning. Google also shares its findings with the FBI.
There is a certain irony, and even a challenge to antivirus vendors, in using antivirus products to spread malware. For example, we have previously written about attackers using Microsoft Defender to download viruses, and about a fake version of the Malwarebytes antivirus. However, none of this changes the criminal nature of such actions.