FortiGuard Labs has linked the Silver Fox APT group to a series of targeted phishing campaigns in Taiwan. The lures are built around fake tax software installers, e-invoice notifications and tax audit notices, all designed to get victims to download malware. The campaigns ultimately deliver Winos 4.0 (also known as ValleyRat) together with malicious plugins built for long-term control and defense evasion.
Researchers found that static domain blocking is ineffective against these campaigns because the attackers host payloads on cloud services and rotate domains. Delivery methods observed over the last two months include malicious LNK files, DLL sideloading through trusted applications, and Bring Your Own Vulnerable Driver (BYOVD) abuse of a signed kernel driver named wsftprm.sys.
(Figure: phishing delivery and DLL sideloading on the attacker's domain. Source: Fortinet)
In one campaign, victims received a RAR archive named "taxIs_RX3001.rar" containing a malicious shortcut file and a decoy document. The LNK downloaded a second-stage installer from a remote domain, copied the legitimate curl.exe utility under a different file name, and used cmd.exe to run obfuscated commands. The installer extracted an embedded executable into C:\ProgramData\Golden to prepare the system for the deployment of Winos 4.0.
(Figure: archive contents using LNK and social-engineering spoofs. Source: Fortinet)
In a second campaign, DLL sideloading replaced the LNK downloader. Attackers distributed archives containing a legitimate executable alongside a malicious DLL; when the trusted application loaded the attacker-controlled DLL, the next stage of the infection began.
Debug path analysis of the DLL revealed internal project names in Chinese, indicating a structured development process within the Silver Fox team. Both infection chains ultimately connect to the same command-and-control (C2) infrastructure.
Security Evasion and BYOVD
Winos 4.0 checks for administrative privileges before launching its main payload.
If needed, it bypasses User Account Control (UAC) with a debug-object-hijacking technique involving computerdefaults.exe and RPC calls to the AppInfo service. BYOVD is its most prominent evasion strategy: to obtain kernel-level access, the malware loads wsftprm.sys, a validly signed but vulnerable driver. It resolves and calls native APIs such as NtLoadDriver and RtlAdjustPrivilege directly from ntdll.dll rather than going through the documented Win32 wrappers, which sidesteps the user-mode hooks that many monitoring controls rely on.
(Figure: the downloaded executable's resources. Source: Fortinet)
It then inspects the registry settings that govern the Windows Vulnerable Driver Blocklist and modifies them as needed. With kernel privileges, the malware enumerates running processes and terminates security products, including Avast, AVG, Microsoft Defender (MsMpEng.exe) and several Chinese security tools.
The binary stores the C2 address as a Base64-encoded string. Once connected, Winos 4.0 downloads additional plugins directly into the Windows registry, providing file management, screen capture, remote control and system management without writing new files to disk. Infrastructure analysis surfaced shared domain registration details and development machine identifiers that tie these campaigns to earlier Silver Fox operations. Researchers assess with high confidence that the activity represents a coordinated, ongoing effort by a specialized subgroup within the threat actor.
Fortinet advises organizations to treat tax-related attachments and invoice links with caution, to enable the Microsoft vulnerable driver blocklist, and to monitor for unauthorized driver loading and suspicious DLL sideloading.
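The three detection points the report gives (a vulnerable driver loaded from an unusual path, the Vulnerable Driver Blocklist switched off in the registry, and a renamed copy of curl.exe executing) map cleanly onto Sysmon telemetry. The script below is an added example, not Fortinet's tooling or any indicator set from the report: it runs simple triage rules over constructed Sysmon-style events (driver load, registry value set, process create). The wsftprm.sys name, the C:\ProgramData\Golden staging directory and the renamed curl.exe come from the article; the registry value HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable is the documented toggle for Microsoft's blocklist, and every event record, path and field value in SAMPLE_EVENTS is constructed for illustration.

```python
"""Triage rules over Sysmon-style events for the BYOVD / renamed-LOLBIN
behaviour described in the Fortinet write-up. Example code, not part of the
original report; all sample events below are constructed."""
import re

SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers\""[:-1]  # normalised, lower-case
KNOWN_ABUSED_DRIVERS = {"wsftprm.sys"}  # driver named in the report
# Documented registry toggle for the Microsoft Vulnerable Driver Blocklist.
BLOCKLIST_VALUE = (r"hklm\system\currentcontrolset\control\ci\config"
                   r"\vulnerabledriverblocklistenable")
RENAMED_LOLBINS = {"curl.exe"}  # binaries the campaign copies under new names


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_driver_load(ev):
    """Sysmon Event ID 6 (DriverLoad): flag known BYOVD drivers, drivers
    loaded from outside System32\\drivers, and drivers without a valid signature."""
    findings = []
    image = ev.get("ImageLoaded", "")
    name = _basename(image)
    if name in KNOWN_ABUSED_DRIVERS:
        findings.append(f"known BYOVD driver loaded: {name}")
    if not image.lower().startswith(SYSTEM_DRIVER_DIR):
        findings.append(f"driver loaded from outside System32\\drivers: {image}")
    if ev.get("SignatureStatus", "").lower() != "valid":
        findings.append(f"driver without a valid signature: {image}")
    return findings


def check_registry_set(ev):
    """Sysmon Event ID 13 (RegistryEvent, value set): flag the blocklist
    toggle being written to 0. Sysmon renders DWORDs as 'DWORD (0x00000000)'."""
    if ev.get("TargetObject", "").lower() != BLOCKLIST_VALUE:
        return []
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
    if m and int(m.group(1), 16) == 0:
        return ["vulnerable driver blocklist disabled via registry"]
    return []


def check_process_create(ev):
    """Sysmon Event ID 1 (ProcessCreate): flag a binary whose PE
    OriginalFileName is a watched tool but whose on-disk name differs."""
    image = ev.get("Image", "")
    orig = ev.get("OriginalFileName", "").lower()
    if orig in RENAMED_LOLBINS and _basename(image) != orig:
        return [f"renamed {orig} executed as {image}"]
    return []


DISPATCH = {6: check_driver_load, 13: check_registry_set, 1: check_process_create}


def triage(events):
    """Return (EventID, finding) tuples for every rule hit."""
    hits = []
    for ev in events:
        handler = DISPATCH.get(ev.get("EventID"))
        for finding in (handler(ev) if handler else []):
            hits.append((ev["EventID"], finding))
    return hits


# Constructed sample telemetry (not real captured events).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\ProgramData\Golden\wsftprm.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 13, "TargetObject": r"HKLM\System\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\ProgramData\Golden\update.exe",
     "OriginalFileName": "curl.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "OriginalFileName": "curl.exe"},
]

if __name__ == "__main__":
    for event_id, msg in triage(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {msg}")
```

The driver-load rule deliberately fires on the path alone, independent of the name: a signed driver loaded from a ProgramData directory is suspicious whether or not it is on a known-abused list, which is what makes the rule useful once the actor rotates to a different vulnerable driver. The registry rule is worth pairing with a periodic baseline read of the same value, since the report describes the malware checking and adjusting the blocklist setting rather than simply writing it once.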