Chinese users looking for VPN products, AI tools and adult content are being targeted by a new campaign that aims to spread a backdoor called Winos.
A new report from Trend Micro claims that a new threat cluster called Void Arachne is behind the campaign, and that the malware could lead to “full system compromise.”
Trend Micro researchers said they discovered this new group in early April 2024 after noticing increased attacks on Chinese-speaking users.
Telegram channels and SEO poisoning
To deliver Winos, they did a few different things. To start, they created MSI files (Windows Installer Package files used by Windows to install, save, and uninstall programs) that, on the surface, installed legitimate software. Victims would get Chinese-marketed Virtual Private Network (VPN) solutions such as LetsVPN and QuickVPN, simplified Chinese versions of Google Chrome, zh-CN (Simplified Chinese) language packs and more, but these programs would also come bundled with Winos .
Additionally, the threat actors also created nudifiers (if you’re not familiar with the term, a “nudifier” is a piece of software that can manipulate images to make subjects appear naked) and distributed deepfake pornography-generating AI software.
When it comes to advertising this software, Void Arachne did two things: go to Telegram and poison the search engine results.
During the campaign, Trend Micro researchers said they saw several Telegram channels being used to share the malicious installation files.
“We also saw attacker-controlled web servers spreading malicious files via search engine optimization (SEO) poisoning attacks,” they said.
When you search for a keyword on Google, the search engine sorts the results based on a number of factors, including how many articles used a specific link as a source of information. So the attackers would host the malware on a website and then generate numerous articles and blog posts linking to that website, essentially tricking Google into thinking the site has authority.
Google would then show that site on the search engine results page (SERP), essentially presenting its users with malware.