ESET Research#ESETresearch has identified a Silver Fox campaign that actively takes advantage of the current annual tax filing and organizational change season in Japan, a period when companies generate a high volume of legitimate financial and HRrelated communications. https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
In this operation, Silver Fox sends tailored spearphishing emails crafted to look like one of such communication. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line.
The sender fields often impersonate employees at the targeted companies. This indicates Silver Fox performs reconnaissance before attacking. Using names that the targets are likely to recognize, makes it more difficult to distinguish the messages from real internal notifications.
The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents.
Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. Once deployed, it enables the actor to take remote control of the machine and harvest sensitive information. ESET products detect this malware as Win64/Valley.
Note that even though ESET observes the most activity in Japan, Silver Fox also currently operates in Taiwan, India, Indonesia, Australia, the United Kingdom, and Brazil. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/silver_fox
In this operation, Silver Fox sends tailored spearphishing emails crafted to look like one of such communication. To make the emails appear authentic, the attackers often include the name of the targeted company directly in the subject line.
The sender fields often impersonate employees at the targeted companies. This indicates Silver Fox performs reconnaissance before attacking. Using names that the targets are likely to recognize, makes it more difficult to distinguish the messages from real internal notifications.
The emails typically contain either a malicious attachment or a link leading to a malicious file. The files are named to resemble common HR, financial, or tax-related documents.
Opening the malicious files drops ValleyRAT, a remote access trojan that Silver Fox has used across multiple campaigns. Once deployed, it enables the actor to take remote control of the machine and harvest sensitive information. ESET products detect this malware as Win64/Valley.
Note that even though ESET observes the most activity in Japan, Silver Fox also currently operates in Taiwan, India, Indonesia, Australia, the United Kingdom, and Brazil. IoCs available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/silver_fox
