FatalRAT Phishing Campaign Hits APAC Industries via Chinese Cloud Platforms
Industrial organizations across the Asia-Pacific (APAC) region have been targeted in phishing attacks aimed at delivering the FatalRAT malware.
According to a report from Kaspersky ICS CERT, attackers leveraged legitimate Chinese cloud services, including the MyQcloud content delivery network (CDN) and Youdao Cloud Notes, as part of their attack infrastructure. “The attackers employed a sophisticated multi-stage payload delivery framework to evade detection,” the report stated.
The campaign has primarily targeted government agencies and industrial sectors, including manufacturing, construction, IT, telecommunications, healthcare, energy, logistics, and transportation, across Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong. The use of Chinese-language lure attachments suggests the attackers were specifically targeting Chinese-speaking individuals.
Previous FatalRAT campaigns have also used fake Google Ads as a distribution method. In September 2023, Proofpoint identified a phishing campaign that delivered various malware families, including FatalRAT, Gh0st RAT, Purple Fox, and ValleyRAT. Notably, these campaigns have primarily targeted Chinese-language speakers and Japanese organizations, with some activity attributed to the Silver Fox APT threat group.
The attack begins with a phishing email containing a ZIP archive with a Chinese-language filename. When executed, it launches a first-stage loader, which then contacts Youdao Cloud Notes to retrieve a DLL file and a FatalRAT configurator. The configurator downloads another note from note.youdao[.]com to obtain configuration details and opens a decoy file to avoid suspicion.
The DLL acts as a second-stage loader, downloading and installing the FatalRAT payload from a server hosted on myqcloud[.]com while displaying a fake error message to mask its activity. A key aspect of the attack is the use of DLL side-loading techniques to execute the multi-stage infection process while maintaining persistence.
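The chain above turns on a simple contextual signal: two legitimate Chinese cloud services being contacted by something that is not a browser or a known client, shortly after an archive is opened. The following triage helper is an added example, not code from the article or from Kaspersky ICS CERT. It refangs the two defanged domains quoted on the page, parses a few constructed proxy log lines (the log format, the host names, the process names and the `EXPECTED_PROCESSES` allow-list are all assumptions), and flags only events where an abused service is reached by an unexpected process or from a temp/archive path. Because both services are legitimate, a hit is an investigation lead, not a block decision.

```python
"""Added example: contextual triage of proxy logs for the FatalRAT delivery
pattern (legitimate note/CDN service + unexpected source process).
Not part of the original article; indicator list and log format are assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The only indicators the article gives, in the defanged form it prints them.
DEFANGED = ["note.youdao[.]com", "myqcloud[.]com"]

# Hypothetical allow-list of processes that legitimately talk to these services.
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "youdaonote.exe"}


def refang(indicator: str) -> str:
    """Turn 'a[.]b' and 'hxxp://' style defanging back into a matchable string."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


ABUSED = [refang(d) for d in DEFANGED]


def matches_abused(host: str) -> bool:
    """True when host is one of the abused services or a subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in ABUSED)


@dataclass
class Event:
    ts: str
    host: str
    process: str
    dest: str
    path: str


# Constructed key=value proxy log format; the executable path may contain spaces.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dest=(?P<dest>\S+) path=(?P<path>.+)$"
)


def parse_line(line: str) -> Optional[Event]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(m["ts"], m["host"], m["proc"], m["dest"], m["path"])


def triage(lines: List[str]) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for lines that need a human look.

    A single reason (just touching the service) is normal traffic; the
    article's chain is characterised by the combination, so two are required.
    """
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if matches_abused(ev.dest):
            reasons.append("contacts a service abused in the FatalRAT delivery chain")
            if ev.process.lower() not in EXPECTED_PROCESSES:
                reasons.append(f"unexpected source process {ev.process}")
            low = ev.path.lower()
            if "\\temp\\" in low or low.endswith(".zip"):
                reasons.append("process runs from a temp/archive location")
        if len(reasons) >= 2:
            hits.append((ev, reasons))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-02-25T09:01:02Z host=ws-17 proc=chrome.exe dest=note.youdao.com "
    "path=C:\\Program Files\\Google\\Chrome\\chrome.exe",
    "2025-02-25T09:03:10Z host=ws-17 proc=updater.exe dest=note.youdao.com "
    "path=C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
    "2025-02-25T09:03:12Z host=ws-17 proc=updater.exe dest=cdn.example.myqcloud.com "
    "path=C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
    "2025-02-25T09:04:00Z host=ws-22 proc=chrome.exe dest=cdn.example.myqcloud.com "
    "path=C:\\Program Files\\Google\\Chrome\\chrome.exe",
    "2025-02-25T09:05:00Z host=ws-22 proc=updater.exe dest=example.com "
    "path=C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe",
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_LOG):
        print(f"{ev.ts} {ev.host} {ev.process} -> {ev.dest}: " + "; ".join(reasons))
```

The browser lines are deliberately not flagged: the services themselves are legitimate, so the detection value lies in who contacts them and from where, which is why the helper demands at least two reasons before reporting.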
“The threat actor employs a ‘black and white’ method, using legitimate binaries to blend malicious activity with normal system operations,” Kaspersky explained. “They also leverage DLL side-loading to hide the malware within legitimate process memory.”
FatalRAT includes 17 checks to detect whether it’s running in a virtual machine or sandboxed environment. If any check fails, the malware halts execution. Additionally, it terminates all rundll32.exe instances, collects system and security software information, and awaits further commands from a command-and-control (C2) server.
This highly capable trojan can log keystrokes, corrupt the Master Boot Record (MBR), manipulate screen settings, search and delete user data in browsers like Google Chrome and Internet Explorer, download remote administration tools like AnyDesk and UltraViewer, perform file operations, start/stop a proxy, and terminate arbitrary processes.
The identity of the attackers remains unknown, but similarities with past campaigns suggest a connection between different attack series. Kaspersky assesses with medium confidence that a Chinese-speaking threat actor is behind these attacks.
“FatalRAT grants attackers near-unlimited capabilities, from spreading through networks and deploying remote access tools to stealing and deleting sensitive data,” researchers noted. “The consistent use of Chinese-language services and infrastructure at multiple attack stages suggests a Chinese-speaking actor may be responsible.”