A sophisticated malware campaign is targeting Chinese- and Vietnamese-speaking users. CleverSoar is an installer that drops a suite of malicious tools, including the Winos4.0 framework and the Nidhogg rootkit, giving attackers keystroke logging, data theft, security-product bypasses and covert control of the compromised system.
Researchers believe this campaign is likely an espionage operation characterised by persistence and complexity.
CleverSoar is distributed as a .msi installer package masquerading as legitimate software, possibly gaming-related applications. Once executed, the package extracts the CleverSoar installer, which begins by checking the system's language settings.
The malware terminates if the settings do not correspond to Chinese or Vietnamese, indicating its selective targeting.
CleverSoar employs a series of evasion techniques to avoid detection and analysis. It uses firmware-based checks to detect virtualised environments and disables itself if it finds virtualisation artifacts. It also bypasses Windows Defender and other security tools by abusing weaknesses in their emulators and process-checking logic.
To further complicate detection, CleverSoar blocks third-party DLL injections and manipulates process mitigation policies, ensuring its malicious components operate without interference.
Once environmental checks are satisfied, CleverSoar installs multiple payloads. It integrates the Nidhogg rootkit to secure persistent control and deploys the Winos4.0 framework, a command-and-control implant for sustained system compromise.
The malware also establishes backdoors and concealed services to execute commands and evade monitoring. To neutralise defences on infected systems, CleverSoar disables Windows Firewall and terminates processes belonging to well-known antivirus products, including McAfee, Kaspersky and ESET.
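The side effects described above (a disabled firewall, stopped endpoint protection, and a host whose UI language falls inside the malware's target set) are the cheapest things for a defender to check. The following PowerShell triage script is an added example, not code from the article or from the researchers' report; it looks only for those generic effects and carries no CleverSoar-specific indicators. The vendor display-name patterns, the decision to flag just the three vendors the article names, and the function and parameter names are assumptions for illustration.

```powershell
# Added triage script (not from the original article). Checks a Windows host for
# the observable effects the article attributes to CleverSoar: a disabled Windows
# Firewall and stopped McAfee/Kaspersky/ESET services, plus the locale the
# installer gates on. Run from an elevated PowerShell on Windows 10/Server 2016+.

function Get-DefenseTamperingFindings {
    [CmdletBinding()]
    param(
        # Display-name substrings of the AV products the article names (assumption).
        [string[]]$VendorPatterns = @('McAfee', 'Kaspersky', 'ESET')
    )

    $findings = @()

    # 1. Firewall: any profile (Domain/Private/Public) that is not enabled is suspect.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled -ne 'True') {
            $findings += [pscustomobject]@{
                Check   = 'Firewall'
                Subject = $fwProfile.Name
                Detail  = 'Profile disabled'
            }
        }
    }

    # 2. Endpoint-protection services that are installed but not running.
    foreach ($pattern in $VendorPatterns) {
        $services = Get-Service | Where-Object { $_.DisplayName -like "*$pattern*" }
        foreach ($svc in $services) {
            if ($svc.Status -ne 'Running') {
                $findings += [pscustomobject]@{
                    Check   = 'AVService'
                    Subject = $svc.Name
                    Detail  = "$($svc.DisplayName) is $($svc.Status)"
                }
            }
        }
    }

    # 3. Locale gate: the installer exits unless the system language is Chinese or
    #    Vietnamese, so record whether this host is inside that target set.
    $ui = [System.Globalization.CultureInfo]::InstalledUICulture
    $inTargetSet = $ui.TwoLetterISOLanguageName -in @('zh', 'vi')
    $findings += [pscustomobject]@{
        Check   = 'Locale'
        Subject = $ui.Name
        Detail  = if ($inTargetSet) { 'Inside CleverSoar target set' } else { 'Outside target set' }
    }

    return $findings
}

Get-DefenseTamperingFindings | Format-Table -AutoSize
```

A Locale finding on its own is not evidence of compromise; it only tells you whether the installer would have proceeded on this host. The process mitigation changes the article mentions can be inspected separately with `Get-ProcessMitigation -RunningProcesses` from the built-in ProcessMitigations module, which is left out here because its output format varies between Windows builds.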
Researchers have not attributed the CleverSoar campaign to a specific actor but note similarities with the ValleyRAT campaign, suggesting a possible connection. The attackers' skill in abusing Windows mechanisms and subverting security controls points to a well-resourced and capable group.
While the campaign’s immediate focus appears to be individuals in China and Vietnam, its tools and techniques could easily be adapted to target organisations.
“The campaign’s selective targeting of Chinese and Vietnamese-speaking users, along with its layered anti-detection measures, points to a persistent espionage effort by a capable threat actor,” researchers concluded. “While currently aimed at individual users, this campaign’s tactics and tools demonstrate a level of sophistication that could easily extend to organisational targets. Organisations in the affected regions should take notice of the TTPs of this actor and monitor suspicious activity.”