Weaponized Signal, Line, and Gmail Apps Delivers Malware That Changes System Defenses


Feb 19, 2025 - 10:09

In a sophisticated cyberattack campaign targeting Chinese-speaking users, malicious actors have weaponized fake versions of popular applications such as Signal, Line, and Gmail.

These trojanized apps are distributed via deceptive download pages that deliver malware capable of altering system defenses, evading detection, and exfiltrating sensitive data.

The attackers exploit search engine manipulation to push fraudulent websites that mimic legitimate software sources, luring unsuspecting users into downloading compromised executables.

The malicious files are typically delivered in ZIP archives containing Windows executables. Upon execution, the malware follows a consistent pattern: extracting temporary files, injecting processes, modifying security settings, and establishing network communications.

Researchers at Hunt.io noted that the fake Signal download page at z1.xiaowu[.]pw delivers a file named Sriguoei4.zip. Similarly, the spoofed Gmail page at ggyxx.wenxinzhineng[.]top tricks users into downloading Goongeurut.zip, which installs a fake application called “Gmail Notifier Pro.”

Fake Gmail login page (Source – Hunt.io)

Execution and System Modification

Once executed, the malware employs advanced techniques to manipulate system defenses.

One notable example involves the use of PowerShell commands to disable Windows Defender by excluding the entire C: drive from scanning.

The command used is as follows:

powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"

Because the whole drive is excluded, nothing the malware subsequently writes to C: is ever scanned, leaving the system open to further exploitation. The malware also drops a secondary executable, such as svrnezcm.exe, into deeply nested directories within the AppData folder:

C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe

This executable spawns additional processes and communicates with command-and-control (C2) servers hosted on Alibaba infrastructure in Hong Kong.

For example, DNS queries to zhzcm.star1ine[.]com and outbound TCP connections to 8.210.9[.]4 on port 45 suggest data exfiltration or remote control activities.
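The behaviours described above (a Defender exclusion covering a whole drive, an executable dropped under deeply nested random-looking AppData directories, and contact with the reported C2 domain and address) each translate into a detection rule. The following Python script is an added example written for this article, not code from Hunt.io or Cyber Security News: it runs those three rules plus a simple per-host correlation over constructed telemetry. The `ts|host|event|data` line format and the sample lines are constructed for the example; the indicators are the ones quoted in the article and are kept defanged in the source.

```python
"""Detection rules for the campaign behaviours described in the article, run
over constructed sample telemetry (added example; not Hunt.io's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators quoted in the article, kept defanged in source and refanged at load time.
DEFANGED_DOMAINS = ["z1.xiaowu[.]pw", "ggyxx.wenxinzhineng[.]top", "zhzcm.star1ine[.]com"]
DEFANGED_IPS = ["8.210.9[.]4", "47.243.192[.]62"]


def refang(ioc: str) -> str:
    """'a[.]b' -> 'a.b' so indicators can be compared against live telemetry."""
    return ioc.replace("[.]", ".")


KNOWN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
KNOWN_IPS = {refang(i) for i in DEFANGED_IPS}

# A Defender exclusion whose path is a bare drive root (C:\, D:\ ...) disables
# scanning for that whole volume; legitimate installers exclude specific folders.
DRIVE_ROOT_EXCLUSION = re.compile(
    r"-ExclusionPath\s+['\"]?([A-Za-z]:\\?)['\"]?(?=[\s\"']|$)", re.IGNORECASE)

# An .exe buried under AppData\Roaming in three or more hex-looking directories,
# the layout of the svrnezcm.exe drop path quoted in the article.
NESTED_HEX_DROP = re.compile(
    r"AppData\\Roaming(?:\\[0-9a-f]{6,}){3,}\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def check_line(line: str):
    """Apply each rule to one 'ts|host|event|data' telemetry line (constructed format)."""
    ts, host, event, data = line.split("|", 3)
    if event == "process" and "add-mppreference" in data.lower():
        m = DRIVE_ROOT_EXCLUSION.search(data)
        if m:
            return Finding(ts, host, "defender_drive_root_exclusion", m.group(1))
    elif event == "file_create" and NESTED_HEX_DROP.search(data):
        return Finding(ts, host, "nested_appdata_executable", data)
    elif event == "dns" and data.lower() in KNOWN_DOMAINS:
        return Finding(ts, host, "known_c2_domain", data)
    elif event == "net":
        ip, _, port = data.partition(":")
        if ip in KNOWN_IPS:
            return Finding(ts, host, "known_c2_address", f"{ip}:{port}")
    return None


def scan(log_text: str):
    """Run every rule over the log text and return the findings in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines() if l.strip()) if f]


def hosts_by_rule_count(findings):
    """Hosts that tripped two or more distinct rules: the full chain the article describes."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.host].add(f.rule)
    return {h: sorted(r) for h, r in rules.items() if len(r) >= 2}


# Constructed telemetry: WS01 reproduces the chain from the article, WS02 is benign noise.
SAMPLE_LOG = r"""
2025-02-19T10:09:01Z|WS01|process|powershell -Command "Add-MpPreference -ExclusionPath 'C:\'"
2025-02-19T10:09:02Z|WS01|file_create|C:\Users\user\AppData\Roaming\41d8a4f\a27e8d998\445c22590\e5b2cb4562\svrnezcm.exe
2025-02-19T10:09:03Z|WS01|dns|zhzcm.star1ine.com
2025-02-19T10:09:04Z|WS01|net|8.210.9.4:45
2025-02-19T10:09:05Z|WS02|process|powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\Vendor'"
2025-02-19T10:09:06Z|WS02|file_create|C:\Users\user\AppData\Roaming\Vendor\app.exe
2025-02-19T10:09:07Z|WS02|dns|update.example.com
2025-02-19T10:09:08Z|WS02|net|93.184.216.34:443
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit.ts} {hit.host} {hit.rule}: {hit.detail}")
    print("hosts with correlated activity:", hosts_by_rule_count(hits))
```

The drive-root rule deliberately ignores folder-level exclusions such as `C:\Program Files\Vendor`, which vendors do add, so it stays quiet on WS02; the path rule keys on the random hex-named directory chain rather than on the file name, which a fresh build of the dropper will change. The IoC rules match only the exact indicators from the report, so they are the weakest of the three and should be refreshed as the campaign's infrastructure moves.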

Domain Overview (Source – Hunt.io)

The campaign relies on centralized infrastructure hosted at IP address 47.243.192[.]62, which resolves to multiple malicious domains.

The attackers also utilize Let’s Encrypt TLS certificates to secure their spoofed websites, adding a layer of credibility to their operations.

Fake Signal Page (Source – Hunt.io)

This campaign shows the importance of verifying software sources and avoiding unofficial download sites.

Users should remain vigilant against suspicious domains and rely on trusted platforms for software installations to mitigate such threats effectively.


The post Weaponized Signal, Line, and Gmail Apps Delivers Malware That Changes System Defenses appeared first on Cyber Security News.