EXECUTIVE SUMMARY:
A multi-stage malware campaign has been observed leveraging search engine optimization (SEO) poisoning to target Chinese-speaking developers and IT professionals. The attackers manipulate search engine rankings to position malicious websites as legitimate sources for popular software tools, including SSH clients and VPN applications. Unsuspecting users searching for these tools are redirected to convincing lookalike domains that host trojanized installers. Once downloaded and executed, these installers initiate the deployment of a remote access trojan known as Kong RAT, enabling attackers to gain unauthorized access to infected systems and maintain persistence.
The infection process follows a complex, multi-stage execution chain designed to evade detection and maintain persistence. After initial execution, a NativeAOT-compiled dropper is deployed to hinder traditional analysis techniques, followed by in-memory payload execution and DLL sideloading using legitimate signed binaries. The malware leverages advanced evasion methods such as UAC bypass, PEB masquerading, and indirect shellcode execution to avoid security monitoring. Persistence is established through scheduled tasks created via low-level RPC calls, while registry modifications store configuration data. The final payload, Kong RAT, enables extensive capabilities including keylogging, remote command execution, plugin-based modular expansion, and communication with command-and-control infrastructure over a custom TCP protocol. Additionally, the malware gathers system and security telemetry, including geolocation and installed defenses, to enhance attacker visibility and control.
This campaign demonstrates how search engine manipulation combined with advanced malware delivery techniques can effectively target technical users seeking trusted software. The layered execution chain, persistence methods, and remote access capabilities make Kong RAT a significant threat to organizations and individuals alike. Users should only download software from verified official sources, monitor for suspicious scheduled tasks or unusual network traffic, and apply layered endpoint defenses to reduce exposure to such attacks.
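The recommendation above to watch for unusual network traffic can be made concrete on the DNS side: queries for domains that resemble the official download sites of the tools users search for are an early signal of the lookalike sites this campaign relies on. The following is an added, defender-side example and not code from the original report; it flags lookalike registrable domains in DNS query logs using homoglyph folding, edit distance and brand-name containment. The protected domain list, the homoglyph table, the log line format and the sample log are all constructed placeholders, not indicators from the campaign, and the last-two-labels rule for the registrable domain is an assumption that a real deployment would replace with the Public Suffix List.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder list of official download sites to protect.
# These are NOT the vendor domains abused in the reported campaign.
LEGIT_DOMAINS = ["sshtool.example", "vpnapp.example"]

# Character swaps typosquatters rely on; both sides are normalised before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize_label(label: str) -> str:
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(qname: str) -> str:
    """Last two labels of the query name. Assumption: adequate for the placeholder
    TLD used here; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def lookalike_of(qname: str, legit_domains: List[str] = LEGIT_DOMAINS) -> Optional[str]:
    """Return the protected domain that qname resembles, or None.
    An exact match on the registrable domain (including its subdomains) is the
    genuine site and is never flagged."""
    reg = registrable_domain(qname)
    if reg in legit_domains:
        return None
    label = normalize_label(reg.split(".")[0])
    for legit in legit_domains:
        legit_label = normalize_label(legit.split(".")[0])
        # One edit away after homoglyph folding, e.g. sshtoo1 -> sshtool
        if edit_distance(label, legit_label) <= 1:
            return legit
        # Brand name embedded in a longer label, e.g. vpnapp-download
        if len(legit_label) >= 5 and legit_label in label:
            return legit
    return None


# Constructed log format; adapt the regex to your resolver's or proxy's output.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)


@dataclass
class Hit:
    ts: str
    client: str
    qname: str
    resembles: str


def hunt(lines: List[str], legit_domains: List[str] = LEGIT_DOMAINS) -> List[Hit]:
    """Parse DNS query log lines and return every lookalike-domain query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the hunt
        legit = lookalike_of(m["qname"], legit_domains)
        if legit is not None:
            hits.append(Hit(m["ts"], m["client"], m["qname"], legit))
    return hits


# Constructed sample log: two genuine queries, two lookalikes, one unrelated name.
SAMPLE_LOG = [
    "2024-03-01T09:12:01Z client=10.0.0.5 qname=sshtool.example qtype=A",
    "2024-03-01T09:12:07Z client=10.0.0.5 qname=sshtoo1.example qtype=A",
    "2024-03-01T09:13:44Z client=10.0.0.9 qname=vpnapp-download.example qtype=A",
    "2024-03-01T09:14:02Z client=10.0.0.9 qname=cdn.vpnapp.example qtype=A",
    "2024-03-01T09:15:30Z client=10.0.0.12 qname=mail.example qtype=MX",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        print(f"{h.ts} {h.client} queried {h.qname} (resembles {h.resembles})")
```

Two of the five constructed queries are reported: the digit-for-letter swap and the brand name padded with "-download". The genuine site and its CDN subdomain are left alone because the registrable domain matches exactly, which is the check that keeps this rule from alerting on every legitimate download. Tune the edit-distance threshold and the minimum brand length for your own list; short brand names produce false positives under the containment rule.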
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1583.006 | Acquire Infrastructure | Web Services |
| Initial Access | T1189 | Drive-by Compromise | - |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1218.011 | System Binary Proxy Execution | Rundll32 |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1016.001 | System Network Configuration Discovery | Internet Connection Discovery |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | - |
| Impact | T1486 | Data Encrypted for Impact | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Anti-Behavioral Analysis | B0007 | Sandbox Detection |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
| Anti-Static Analysis | B0012 | Disassembler Evasion |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Collection | F0002 | Keylogging |
| Collection | E1056 | Input Capture |
| Collection | E1113 | Screen Capture |
| Command and Control | B0030 | C2 Communication |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | B0027 | Alternative Installation Location |
| Defense Evasion | B0040 | Covert Location |
| Defense Evasion | E1055 | Process Injection |
| Defense Evasion | E1564 | Hide Artifacts |
| Defense Evasion | F0001 | Software Packing |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Discovery | B0013 | Analysis Tool Discovery |
| Discovery | B0038 | Self Discovery |
| Discovery | E1082 | System Information Discovery |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Persistence | F0013 | Bootkit |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/kong-rat-seo-poisoning-nativeaot-malware-analysis/