Follow on X RSS Feed
Malware

FatalRAT Phishing Attacks Targeting APAC Industrial Sectors

Cybersec Sentinel

2 min read
FatalRAT Phishing Attacks Targeting APAC Industrial Sectors

Threat Group: Unattributed Chinese-speaking Threat Actors
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: No specific software vulnerabilities exploited; relies on social engineering and phishing techniques
Malware Used: FatalRAT
Threat Score: High (8.5/10) – Due to its sophisticated multi-stage infection chain, targeting of critical industrial sectors, and advanced evasion techniques.
Last Threat Observation: February 25, 2025

Overview

A recent wave of phishing attacks has been identified, targeting industrial organizations across the Asia-Pacific (APAC) region. These attacks deploy a sophisticated Remote Access Trojan (RAT) known as FatalRAT. The campaign leverages legitimate Chinese cloud services, such as myqcloud and Youdao Cloud Notes, to distribute malicious payloads, thereby evading traditional security measures. Industries affected include manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation. The attackers employ a complex, multi-stage infection chain, making detection and mitigation challenging.

Key Details

  • Delivery Method: Phishing emails and messages via platforms like WeChat and Telegram, containing malicious ZIP archives disguised as legitimate documents (e.g., tax filings, invoices).
  • Target: Industrial organizations in APAC, specifically those with Chinese-speaking personnel.
  • Functions:
    • Keylogging
    • System reconnaissance
    • Data exfiltration
    • Remote command execution
    • Master Boot Record (MBR) corruption
  • Obfuscation: Utilization of legitimate Chinese cloud services for payload delivery; multi-stage loaders with dynamic command-and-control (C2) configurations; DLL sideloading techniques.

Attack Vectors

The attack initiates with phishing communications containing ZIP archives named to suggest official or financial content. Upon extraction and execution, the first-stage loader contacts Youdao Cloud Notes to retrieve additional malicious components. Subsequent stages involve downloading and executing configurator and loader DLLs, which then deploy the FatalRAT payload. The malware employs DLL sideloading, injecting malicious code into legitimate processes to avoid detection. Throughout this process, the malware dynamically updates its C2 server addresses, maintaining persistence and complicating mitigation efforts.

Known Indicators of Compromise (IoCs)

File Hashes (SHA256):

  • e52af19dce25d51f9cf258613988b8edc583f7c7e134d3e1b834d9aab9c7c4c4
  • dc026cd76891d1f84f44f6789ac0145a458e2c704a7bc50590ec08966578edb3
  • cb450f82c49eadd597a87645f9f30c52c03c6ed9425386af5b321664fe3a6da0
  • 210990e36122e0facc7c74373569f052fa0651ab06644330fe00b685793ee0fd
  • 34f37327a0154d644854a723e0557c733931e2366a19bdb4cfe6f6ae6770c50f
  • ec0dcfe2d8380a4bafadb3ed73b546cbf73ef78f893e32202042a5818b67ce56
  • b01719e59675236df1a0e1a78cdd97455c0cf18426c7ec0f52df1f3a78209f65
  • 72cd668d9bc442f522556807390d4f7e32966bef20ef1a831bf36a5ab213191e
  • 1cabdb7ab1cbd0526498d15839c780850a41a8c917b65581fad9e7dbdedd5e0f
  • 5453911d6f597d65ab542ec25723a7d87b2292c2e2a52a40d3a32032f6117acd
  • 826d07108a1223140e6a58b44722404009ac2e82df0acfd7d1f5bf29b56526b6
  • 337841b5ade52ba853a30eb8ab04dede64d89808893fb6e04122479502951528
  • 17075832426b085743c2ba811690b525cf8d486da127edc030f28bb3e10e0734

IP Addresses (Defanged):

  • 103[.]119[.]44[.]152
  • 103[.]119[.]44[.]93
  • 103[.]119[.]44[.]100

Domains (Defanged):

  • myqcloud[.]com
  • note.youdao[.]com

SIEM Queries for Threat Hunting

The following are example queries for popular SIEM tools. These queries should be adjusted to suit your specific indexes and sourcetypes.

Splunk Query:

index=* (source_ip="103.119.44.152" OR source_ip="103.119.44.93" OR source_ip="103.119.44.100")
    OR (url="myqcloud.com" OR url="note.youdao.com")
    OR (file_hash="e52af19dce25d51f9cf258613988b8edc583f7c7e134d3e1b834d9aab9c7c4c4")

Elastic Query:

query: "103.119.44.152 OR 103.119.44.93 OR 103.119.44.100 OR myqcloud.com OR note.youdao.com OR e52af19dce25d51f9cf258613988b8edc583f7c7e134d3e1b834d9aab9c7c4c4"

Conclusion

The emergence of FatalRAT underscores the evolving landscape of cyber threats targeting industrial sectors. The attackers' strategic use of legitimate services and complex infection chains necessitates heightened vigilance and robust security measures. Organizations must prioritize cybersecurity awareness, implement stringent access controls, and maintain up-to-date defenses to effectively counter such sophisticated threats.

Sources: