Search Engine Manipulation Leads to Backdoored App Downloads

Threat hunters at Hunt.io have uncovered a widespread malware campaign targeting Chinese-speaking users by distributing backdoored versions of popular messaging applications, including Signal, Line, and Gmail. Attackers are leveraging search engine manipulation to deceive users into downloading malicious files from fraudulent websites.

Instead of using traditional phishing techniques that mimic official domains, the attackers rely on generic-looking hostnames to push malicious downloads. According to Hunt.io, “multiple fake download pages deliver backdoored executables for Signal, Line, and Gmail.” These domains include:

• Signal: z1.xiaowu[.]pw
• Line: linoo.wenxinzhineng[.]top & linegut[.]com
• Gmail: ggyxx.wenxinzhineng[.]top

All identified domains are hosted on the same Alibaba (US) Technology Co., Ltd. server in Hong Kong, suggesting a centralized infrastructure behind the campaign.

When unsuspecting users download and execute the backdoored software, the malware deploys a multi-stage infection process:

1. Initial Execution & File Dropping:
   • A Windows executable is executed from a ZIP file, dropping temporary files in the AppData\Local\Temp folder.
2. Process Injection & Defense Evasion:
   • The dropped file spawns svrnezc.exe, which modifies Windows Defender settings to exclude critical directories from scans.
3. Network Communications & Data Exfiltration:
   • The malware establishes connections to zhzcm.star1ine[.]com and other Command-and-Control (C2) servers.

Hunt.io notes that “the observed malware modifies system defenses and establishes outbound TCP connections to 8.210.9[.]4 on port 45, likely for data exfiltration.”

Interestingly, the campaign also spoofs Google Translate (sigkiti[.]com) and BitBrowser (zhiwen.wenxinzhineng[.]top) to further deceive Chinese-speaking users. The fake Google Translate page tricks users into downloading a fake Flash update, leading to an additional malware infection.

Hunt.io explains, “When attempting to switch to the English language version of the site, the user is redirected to the legitimate BitBrowser website,” reinforcing our assumption that Chinese-speaking users are the primary targets.

Users are urged to exercise caution when downloading software and to verify the legitimacy of websites before providing any information or downloading files. The Hunt.io report provides valuable indicators of compromise that can help individuals and security teams detect and prevent these infections.

Related Posts:

• Trusted Name Weaponized: Sliver and Ligolo-ng Attack Leverages Y Combinator Brand
• SparkRAT: A Persistent Cross-Platform Cyber Threat Targeting macOS and Beyond
• GreenSpot APT Phishes 163.com Users with Spoofed Domains
• Beyond Breaches: 2024’s Cyber War – Extortion, Manipulation, and New Battlegrounds