Chinese state-sponsored hackers may be impersonating antivirus provider McAfee in order to trick high-profile targets into downloading malware.
The suspected Chinese hacking group, APT 31, has been resorting to the tactic, according to Google’s security team. Back in June, the company’s security researchers reported that APT 31 had been targeting Joe Biden’s Presidential campaign by sending phishing emails to his staff. The goal was to hijack their personal email accounts, but Google says the phishing attempts all appear to have failed.
On Friday, the company provided an update on APT 31’s activities. Google’s security team has spotted the hackers emailing links designed to ultimately download malware hosted over Github, the software development platform.
Specifically, the Window-based malware is built using the Python computing language. The hacker can then control the malicious code using the free cloud storage service Dropbox.
“(The malware) would allow the attacker to upload and download files as well as execute arbitrary commands,” wrote Google security researcher Shane Huntley in the blog post. “Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection.”
Huntley then went on to say one phishing technique from APT 31 involved posing as antivirus provider McAfee. “The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system,” he said.
Posing as McAfee is pretty devious given that the company is a well-known name in cybersecurity. But the tactic isn’t surprising either. State-sponsored hackers often pretend to be major internet and software providers in order to trick victims into opening their phishing emails.
However, Google has some anti-phishing safeguards in place to filter out the malicious attacks. In the event the company detects a state-sponsored hacking group targeting a user, it will also send a warning about the phishing attempt and explain that a foreign government may be behind it.
According to Huntley, Google has shared its findings about the APT 31-sponsored attacks with the FBI. Last month, Microsoft also reported the same Chinese hacking group preying on the Biden campaign and at least one individual formerly associated with the Trump administration. Other targets include officials, academics and organizations involved in international affairs.
"We’ve detected thousands of attacks from Zirconium (APT 31) between March 2020 and September 2020 resulting in nearly 150 compromises," Microsoft said at the time without elaborating.