Summary:
The CleverSoar installer is a sophisticated malware targeting Chinese and Vietnamese-speaking users, deploying the Nidhogg rootkit and Winos4.0 framework for espionage activities. It employs advanced evasion techniques to ensure successful infection and maintain persistence. This campaign highlights a significant threat to individual users and potentially organizations in the targeted regions.
#CleverSoar #Nidhogg #Winos4.0
Key points:
New malware installer named ‘CleverSoar’ identified targeting Chinese and Vietnamese-speaking victims.
Deploys Nidhogg rootkit and Winos4.0 framework for keystroke logging and data exfiltration.
Installer checks user language settings to ensure it only infects targeted regions.
Initial version uploaded to VirusTotal in July 2024, with distribution peaking in November.
Utilizes advanced evasion techniques to bypass security measures and maintain persistence.
Malware creates services and scheduled tasks to ensure continuous operation and control.
Rapid7 Labs suggests potential links to previous campaigns like ValleyRAT.
Organizations in affected regions should monitor for suspicious activities related to these TTPs.
MITRE Techniques:
Command and Control (T1105): Utilizes a command-and-control framework for remote communication.
Bypass User Account Control (T1562.001): Disables security solutions to facilitate infection.
Check System Language (T1614.001): Verifies system language to target specific regions.
Executable File Creation (T1218.007): Drops malicious files using a .msi installer.
Process Injection (T1055): Writes into the lsass.exe process to execute malicious payloads.
Create or Modify System Process (T1569.002): Creates a service to run the CleverSoar driver at startup.
Scheduled Task (T1053): Creates a scheduled task for persistence upon user login.
Disable Security Tools (T1562.004): Turns off Windows firewall to facilitate further actions.
Modify Registry (T1112): Creates registry keys to store user information for further exploitation.
Anti-Debugging (T1622): Implements checks to prevent debugging and analysis of the malware.
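The key points and technique list above describe an observable chain on an infected host: an MSI-based install, a new service for the driver, a scheduled task triggered at logon, the Windows firewall being switched off, and registry keys written for later use. The following script is an added detection example for defenders; it is not part of the Rapid7 research and contains none of the report's indicators. It correlates constructed, Windows-style event records (the JSON field names, host names, service, task and registry names are all invented for illustration) per host and raises an alert when several distinct stages of that chain appear within a short window, which is how a SIEM rule for this TTP set would typically be shaped.

```python
"""
Correlate Windows-style event records against the CleverSoar TTP chain:
msiexec install, service creation, scheduled task, firewall disabled,
registry key written. Events below are CONSTRUCTED for this example and
are not indicators from the report.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line. Event IDs follow the
# usual Windows Security/System log numbering (4688 process creation, 7045
# service installed, 4698 scheduled task created, 4657 registry value set);
# every other field value is invented.
SAMPLE_EVENTS = r"""
{"ts": "2024-11-20T08:00:05", "host": "WS-01", "id": 4688, "image": "C:\\Windows\\System32\\msiexec.exe", "cmd": "msiexec /i installer.msi /qn"}
{"ts": "2024-11-20T08:00:09", "host": "WS-01", "id": 7045, "service": "ExampleDrv", "path": "C:\\Windows\\Temp\\example.sys", "start": "kernel"}
{"ts": "2024-11-20T08:00:12", "host": "WS-01", "id": 4698, "task": "\\ExampleTask", "trigger": "logon"}
{"ts": "2024-11-20T08:00:15", "host": "WS-01", "id": 4688, "image": "C:\\Windows\\System32\\netsh.exe", "cmd": "netsh advfirewall set allprofiles state off"}
{"ts": "2024-11-20T08:00:20", "host": "WS-01", "id": 4657, "key": "HKLM\\SOFTWARE\\Example", "value": "user"}
{"ts": "2024-11-20T09:15:00", "host": "WS-02", "id": 4688, "image": "C:\\Windows\\System32\\msiexec.exe", "cmd": "msiexec /i vendor.msi"}
{"ts": "2024-11-20T11:40:00", "host": "WS-02", "id": 4698, "task": "\\Backup", "trigger": "daily"}
"""

WINDOW = timedelta(minutes=30)   # stages must occur within this span
MIN_DISTINCT = 3                 # alert when at least this many distinct stages are seen


def classify(ev):
    """Map one event record to a stage of the chain, or None if irrelevant."""
    eid = ev.get("id")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "").lower()
    if eid == 4688 and image.endswith("msiexec.exe"):
        return "msi_install"          # installer delivered via .msi
    if eid == 4688 and image.endswith("netsh.exe") and "firewall" in cmd and "state off" in cmd:
        return "firewall_off"         # Windows firewall disabled
    if eid == 7045 and ev.get("start") == "kernel" and "\\temp\\" in ev.get("path", "").lower():
        return "service_created"      # kernel driver service installed from a temp path
    if eid == 4698 and ev.get("trigger") == "logon":
        return "scheduled_task"       # persistence at user logon
    if eid == 4657:
        return "registry_key"         # registry value written
    return None


def correlate(lines, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {host: [stages]} for hosts showing >= min_distinct stages inside one window."""
    by_host = defaultdict(list)
    for line in lines.strip().splitlines():
        ev = json.loads(line)
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))

    alerts = {}
    for host, items in by_host.items():
        items.sort()
        # slide the window start over each matched event on this host
        for i, (t0, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - t0 <= window}
            if len(stages) >= min_distinct:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Only WS-01 is flagged: it shows all five stages within fifteen seconds, while WS-02 has an ordinary MSI install and an unrelated daily task hours apart. In production the per-stage rules would be tightened to the environment (allow-listed installer paths, known driver directories) rather than relying on a temp-path heuristic alone, and the window and threshold tuned against baseline activity.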
IoC:
[file hash] F70b34e2b1716528a3c3fffdbfc008003b9685f1a4da2e5a6052612de92b0c68
[ip address] 156.224.26.7
[file name] 8848.twilight.zip
Full Research: https://blog.rapid7.com/2024/11/27/new-cleversoar-installer-targets-chinese-and-vietnamese-users/