
Sihost

Posted: December 6, 2019

Politically motivated cyberattacks have been around for as long as cybercrime itself, so it is no surprise that participants in the ongoing Hong Kong protests are the latest group to be targeted by state-sponsored threat actors. At the beginning of October 2019, a participant in the protests received an email crafted to look as if it came from Western law students who wanted to learn more about the protests and were working on a paper on 'recommendations to end the Hong Kong protests.' The message carried three attachments: two were legitimate, and the third was an '.LNK' file that used the well-known double-extension trick to hide its true nature and appear to be an '.RTF' document.

Corrupted '.LNK' Files Used to Deliver the Sihost Backdoor to Hong Kong Students

'.LNK' files are Windows shortcuts, and the one in this email points to the legitimate 'msiexec.exe' utility, which is normally used to run '.MSI' installer packages. When opened, the shortcut launches 'msiexec.exe' and instructs it to download a '.PNG' file from a GitHub repository. That '.PNG' file is not an image at all: it is executable content that, once run, creates hundreds of decoy files, among them the primary payload, 'siHost64.'
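The two observable traits of this delivery chain, a shortcut wearing a document extension and 'msiexec.exe' being pointed at a remote URL rather than a local package, can both be checked from endpoint telemetry. The following is an added example written for this page, not code from the original post; the event format, file names and URL are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# Document extensions a shortcut might hide behind (constructed list; the lure used '.rtf').
DECOY_EXTENSIONS = {".rtf", ".doc", ".docx", ".pdf", ".txt"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def has_decoy_double_extension(filename: str) -> bool:
    """True for names like 'paper.rtf.lnk': a shortcut disguised as a document."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in DECOY_EXTENSIONS


def msiexec_fetches_remote_package(command_line: str) -> bool:
    """True when msiexec is handed an http(s) URL instead of a local .msi path."""
    return "msiexec" in command_line.lower() and URL_RE.search(command_line) is not None


def triage_events(events):
    """Return the ids of process-creation events that match either indicator."""
    hits = []
    for ev in events:
        if has_decoy_double_extension(ev.get("parent_file", "")) or \
           msiexec_fetches_remote_package(ev.get("command_line", "")):
            hits.append(ev["id"])
    return hits


# Constructed sample events (not real telemetry); paths and URL are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "parent_file": "C:\\Users\\u\\Downloads\\recommendations.rtf.lnk",
     "command_line": "msiexec.exe /q /i https://raw.example-placeholder/repo/image.png"},
    {"id": 2, "parent_file": "C:\\Temp\\setup.lnk",
     "command_line": "msiexec.exe /i C:\\Temp\\installer.msi"},
    {"id": 3, "parent_file": "C:\\Users\\u\\Desktop\\notes.txt",
     "command_line": "notepad.exe C:\\Users\\u\\Desktop\\notes.txt"},
]

if __name__ == "__main__":
    print(triage_events(SAMPLE_EVENTS))  # → [1]
```

Only the first event trips both checks; a local '.MSI' install via a plain '.lnk' is left alone, which keeps the rule from firing on ordinary software deployment.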

'siHost64' is dropped in the %APPDATA% folder. It is a Python script that serves several purposes:

  • It connects to a remote control server that is operated through the DropBox API.
  • It achieves persistence by modifying the Windows Registry.
  • It fetches files from the control server that contain encrypted commands, which are then executed on the compromised host. The output of those commands is written to a newly created encrypted file that is uploaded to the control server periodically.

Sihost works as a backdoor Trojan and can be used to collect files and information from the compromised host. The email lure used to spread it, together with the low infection ratio, are good indicators that the threat was developed exclusively to target participants in the Hong Kong unrest.

The threat relies heavily on living-off-the-land tactics, abusing legitimate Windows utilities and the DropBox cloud hosting service. Malware that uses such techniques is usually very good at evading anti-virus products, and it often leaves minimal traces on the infected host.
