Chinese threat actors, identified as Silver Fox, are actively targeting Indian organizations with sophisticated phishing campaigns designed to impersonate legitimate Income Tax Department communications. These attacks, aimed at stealing sensitive data and infiltrating systems, leverage deceptive emails containing malicious attachments disguised as tax-related documents, posing a significant risk to businesses and their financial information.
The campaign begins with seemingly official emails that include a PDF attachment bearing an Indian company’s name. Upon opening, this PDF redirects victims to a malicious website where they are prompted to download an executable file named “tax_affairs.exe.” This initial payload acts as a loader, initiating a multi-stage infection chain that aims to bypass standard security measures and establish persistent access to compromised systems. The method highlights a troubling trend of attackers exploiting social engineering tactics combined with trusted file formats to circumvent traditional cybersecurity defenses.
Silver Fox Hackers Exploit DLL Hijacking for Stealthy Infiltration
The infection chain employed by Silver Fox hackers relies heavily on a technique known as DLL hijacking (DLL sideloading) to stealthily activate the core malware. The initial stage drops a legitimate executable, Thunder.exe, developed by the Chinese software company Xunlei. The attackers weaponize this signed binary by placing a malicious DLL named libexpat.dll in the same temporary directory. Consequently, when Thunder.exe is executed, Windows, following its default DLL search order, loads the attacker-controlled DLL from the application directory instead of the genuine one. The malicious code therefore runs inside a validly signed, legitimate process, which draws far less scrutiny from defenses that trust the signer.
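As an added example (not code from the article or the referenced research), the following Python detector runs over constructed Sysmon Event ID 7 (image load) records and flags the pattern just described: an executable running from a user-writable temporary directory that loads a DLL from that same directory, with a signed loader raising the severity. The field names follow Sysmon's Image/ImageLoaded/Signed columns; the list of writable directories is an assumption.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample Sysmon Event ID 7 records (not real telemetry).
# The first one mirrors the page's chain: signed Thunder.exe loading
# libexpat.dll from %TEMP%. The other two are benign baselines.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Thunder.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libexpat.dll",
     "Signed": "true"},
    {"Image": r"C:\Program Files\Xunlei\Thunder.exe",
     "ImageLoaded": r"C:\Program Files\Xunlei\libexpat.dll",
     "Signed": "true"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true"},
]

# Assumed set of directories a standard user can write to. A binary
# executing from here that sideloads a same-directory DLL is suspicious.
WRITABLE_DIR_PATTERNS = (
    re.compile(r"\\appdata\\local\\temp\\", re.I),
    re.compile(r"^c:\\windows\\temp\\", re.I),
    re.compile(r"\\downloads\\", re.I),
)


def is_user_writable(path: str) -> bool:
    return any(p.search(path) for p in WRITABLE_DIR_PATTERNS)


def flag_sideload(event: dict) -> Optional[str]:
    """Return a finding string for a likely DLL sideload, else None."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.suffix.lower() != ".dll":
        return None
    # PureWindowsPath compares case-insensitively, as Windows does.
    if image.parent != loaded.parent or not is_user_writable(str(image)):
        return None
    severity = "HIGH" if event.get("Signed", "").lower() == "true" else "MEDIUM"
    return f"{severity}: {image.name} loaded {loaded.name} from {image.parent}"


def scan_events(events: List[dict]) -> List[str]:
    """Run the sideload check over a batch of image-load events."""
    return [f for f in (flag_sideload(e) for e in events) if f]
```

The same rule maps directly onto a SIEM query over Sysmon Event ID 7 where the parent directories of Image and ImageLoaded match and the path lies under a temp or download folder.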
Upon activation, the malicious DLL exhibits advanced anti-analysis capabilities. It meticulously scans for running processes associated with security research tools and sandboxes, aiming to detect any attempts at reverse engineering or behavioral analysis. Furthermore, it verifies system resources to ensure the target machine meets specific infection requirements. If any analytical tools are detected, the malware self-terminates, evading discovery. Once these checks pass, the DLL proceeds to disable Windows Update services and loads an encrypted file, box.ini, from the temporary directory.
This encrypted payload is subsequently decrypted using hardcoded cryptographic keys. The decrypted code is then executed directly in system memory as raw machine code, a technique that significantly minimizes forensic traces left on the compromised system’s hard drive. This highly evasive approach makes it challenging for security teams to detect and analyze the infection after the fact, underscoring the sophistication of the Silver Fox attack campaign.
The ultimate payload delivered by this multi-stage attack is Valley RAT, a potent remote access tool designed to maintain a persistent command and control (C2) channel. Valley RAT employs a three-tier failover scheme to ensure continuous communication with attacker-controlled servers: if the primary connection fails, the malware automatically switches to a secondary and then a tertiary C2 server. This resilience makes it difficult to disrupt the attackers’ ability to manage compromised systems by taking down a single server.
For enhanced stealth and operational flexibility, the malware stores its configuration, including C2 addresses, within the Windows registry as binary data. This allows attackers to remotely update connection details without needing to reinstall the malware. Valley RAT supports a variety of communication protocols, including HTTP, HTTPS, and raw TCP sockets, presenting a significant challenge for network-based defenses that typically rely on simple filtering rules. Once operational, Valley RAT possesses extensive capabilities, including executing arbitrary attacker commands, capturing keystrokes, harvesting credentials, transferring files, and deploying additional malicious modules as needed.
The modular nature of Valley RAT allows Silver Fox operators to tailor each infection to the specific characteristics and value of the targeted organization. This capability makes it a particularly dangerous threat to Indian enterprises, as attackers can customize their intrusions to maximize data exfiltration and operational disruption. The ongoing analysis by cybersecurity researchers aims to provide Indian organizations with timely intelligence to bolster their defenses against this evolving threat landscape.