CleverSoar, a novel and stealthy malware installer, targets Chinese and Vietnamese users with a multi-layered attack that deploys the advanced Winos4.0 framework and the Nidhogg rootkit.
These tools enable extensive malicious activity, including keylogging, data theft, security circumvention and covert system manipulation. The campaign, potentially orchestrated by a persistent threat actor, signals a prolonged espionage operation aimed at data extraction and ongoing surveillance.
The installer was initially detected in November 2024, had first been uploaded to VirusTotal in July 2024, and was distributed through .msi installer packages targeting Chinese and Vietnamese users.
The installer checks the user’s language settings and terminates if the language is not Chinese or Vietnamese, which suggests the malware is specifically designed to infect users in these regions, likely disguised as legitimate software or games.
It deploys the Nidhogg rootkit, the Winos4.0 framework and a custom backdoor, and likely arrives through a disguised .msi package that drops the installer (“Update.exe”) in a WindowsNT folder.
It verifies administrator privileges and uses “runas” to elevate itself if needed, then employs a unique evasion technique before disabling security solutions and ensuring that only Chinese or Vietnamese systems are infected.
The malware performs sophisticated anti-VM and anti-emulation checks to evade detection and analysis, retrieving the raw SMBIOS firmware tables and searching them for indicators such as the string ‘QEMU’.
It also leverages Windows API functions to assess the state of Windows Defender’s emulator and to determine the operating system version. Successful evasion allows the malware to proceed to the next stage of its execution.
CleverSoar’s installer hardens itself with multiple anti-debugging techniques and restricts DLL injection to Microsoft-signed binaries, hindering security solutions that rely on userland hooking.
It detects debugger presence with timing-based checks built on ‘GetTickCount64’, and a straightforward ‘IsDebuggerPresent’ API call further reinforces its protection against debugging attempts.
A username check evades sandbox environments by comparing the current username against a list of known sandbox and testing usernames, including two potentially misspelled entries.
If the username matches any entry on the list, the malware assumes it is running in a sandbox and terminates its malicious activity, so that it remains undetected and executes its payload only on legitimate systems.
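The anti-analysis checks described above (SMBIOS fingerprinting, timing and flag-based debugger detection, username comparison, OS version and locale probing) each map to a small set of Windows APIs, and a sample that pulls in several of these families at once is worth a closer look during triage. The following is an added example, not CleverSoar's code or Rapid7's tooling: a static heuristic that scores an import list against those API families. The API-to-technique table is an assumption based on documented Windows APIs (the article does not name which API CleverSoar uses for the SMBIOS read; GetSystemFirmwareTable is the documented one for raw SMBIOS tables), and the two import lists are constructed for illustration. It also handles the common case where these APIs are resolved at runtime through GetProcAddress and only appear as strings.

```python
"""Static import-table triage for anti-analysis API families.

Added example (not the malware's or any vendor's code). API groupings are an
assumption drawn from documented Windows APIs; sample inputs are constructed.
"""
from typing import Iterable

# Technique family -> APIs that typically implement it (assumption).
TECHNIQUES = {
    "smbios_vm_fingerprint": {"GetSystemFirmwareTable", "EnumSystemFirmwareTables"},
    "timing_debugger_check": {"GetTickCount64", "GetTickCount", "QueryPerformanceCounter"},
    "debugger_flag_check": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"},
    "sandbox_username_check": {"GetUserNameW", "GetUserNameA"},
    "os_version_probe": {"GetVersionExW", "GetVersionExA", "RtlGetVersion"},
    "locale_gate": {"GetUserDefaultUILanguage", "GetSystemDefaultLangID", "GetUserDefaultLangID"},
}

# Timing APIs alone are ubiquitous in benign software; require several
# independent families before flagging a sample for review.
REVIEW_THRESHOLD = 3


def triage(imports: Iterable[str], strings: Iterable[str] = ()) -> dict:
    """Score a sample by how many anti-analysis API families it references.

    `imports` are names from the PE import table; `strings` are printable
    strings from the binary, used to catch APIs resolved dynamically via
    GetProcAddress (those never appear in the import table).
    """
    imported = set(imports)
    seen_in_strings = set(strings)
    referenced = imported | seen_in_strings

    families = {}
    for family, apis in TECHNIQUES.items():
        hit = sorted(apis & referenced)
        if hit:
            families[family] = hit

    # Edge case: API names present only as strings alongside GetProcAddress
    # suggest deliberate hiding of the import table, which is itself a signal.
    dynamically_resolved = sorted(
        api for apis in TECHNIQUES.values()
        for api in apis if api in seen_in_strings and api not in imported
    )
    hides_imports = "GetProcAddress" in imported and bool(dynamically_resolved)

    score = len(families) + (1 if hides_imports else 0)
    return {
        "families": families,
        "dynamically_resolved": dynamically_resolved,
        "hides_imports": hides_imports,
        "score": score,
        "verdict": "review" if score >= REVIEW_THRESHOLD else "low",
    }


# Constructed inputs: one installer-like sample and one ordinary utility.
SUSPICIOUS_IMPORTS = [
    "GetSystemFirmwareTable", "GetTickCount64", "IsDebuggerPresent",
    "GetUserNameW", "GetVersionExW", "GetUserDefaultUILanguage",
    "ShellExecuteW", "CreateFileW",
]
BENIGN_IMPORTS = ["GetTickCount64", "CreateFileW", "ReadFile", "MessageBoxW"]
# A sample that imports almost nothing but carries the API names as strings.
STRIPPED_IMPORTS = ["LoadLibraryW", "GetProcAddress"]
STRIPPED_STRINGS = ["GetSystemFirmwareTable", "IsDebuggerPresent", "QEMU"]

if __name__ == "__main__":
    for label, imps, strs in (
        ("suspicious", SUSPICIOUS_IMPORTS, ()),
        ("benign", BENIGN_IMPORTS, ()),
        ("stripped", STRIPPED_IMPORTS, STRIPPED_STRINGS),
    ):
        print(label, triage(imps, strs))
```

In practice the import names come from a PE parser such as pefile (iterating `DIRECTORY_ENTRY_IMPORT`) and the strings from a `strings`-style pass over the file; the heuristic is intentionally coarse and is meant to prioritise which samples an analyst opens first, not to classify on its own.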
On Chinese and Vietnamese systems it then performs a series of checks to evade detection and disables security measures by creating registry keys, modifying system services and terminating security processes.
According to Rapid7, it installs a rootkit to maintain persistence and a vulnerable Sysmon driver to disable security software, and it establishes a C2 communication channel for further malicious activity.
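The behaviours in the two paragraphs above (an .msi that drops Update.exe into a WindowsNT folder, self-elevation, service and registry changes from a user process, a Sysmon driver loaded from an unusual location, and security processes being terminated) are individually noisy but distinctive in combination on one host. The following is an added example, not part of the article or of Rapid7's research: a small correlation script that runs a set of rules over endpoint telemetry and raises an alert only when several rules fire on the same host. The events are constructed, the Sysmon-style field names (Image, ParentImage, IntegrityLevel, ImageLoaded, TargetObject) and the driver file name are assumptions, and the list of security processes is a deliberately minimal placeholder.

```python
"""Host-level correlation of the installer behaviour described in the article.

Added example, not the article's or Rapid7's code. Events are constructed in a
Sysmon-like JSON shape; field names and paths are assumptions.
"""
import json
from collections import defaultdict

# Constructed telemetry: host ws01 shows the full chain, ws02 is benign noise.
CONSTRUCTED_EVENTS = [
    {"host": "ws01", "event": "ProcessCreate", "IntegrityLevel": "Medium",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsNT\\Update.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe"},
    {"host": "ws01", "event": "ProcessCreate", "IntegrityLevel": "High",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsNT\\Update.exe",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsNT\\Update.exe"},
    {"host": "ws01", "event": "DriverLoad",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsNT\\SysmonDrv.sys"},
    {"host": "ws01", "event": "RegistryEvent",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\WindowsNT\\Update.exe",
     "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\updsvc\\ImagePath"},
    {"host": "ws01", "event": "ProcessTerminate",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"host": "ws02", "event": "ProcessCreate", "IntegrityLevel": "Medium",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"host": "ws02", "event": "DriverLoad",
     "ImageLoaded": "C:\\Windows\\SysmonDrv.sys"},
]
EVENT_LINES = [json.dumps(e) for e in CONSTRUCTED_EVENTS]

# Placeholder list of security product processes; extend per environment.
SECURITY_PROCESSES = {"msmpeng.exe"}


def _low(value):
    """Lower-case a possibly missing string field for case-insensitive matching."""
    return (value or "").lower()


def _basename(path):
    return _low(path).rsplit("\\", 1)[-1]


def rule_msi_drop_windowsnt(e):
    """msiexec spawning a binary from a folder named WindowsNT."""
    return (e["event"] == "ProcessCreate"
            and _low(e.get("ParentImage")).endswith("msiexec.exe")
            and "\\windowsnt\\" in _low(e.get("Image")))


def rule_self_elevation(e):
    """A process re-launching itself at high integrity (runas-style elevation)."""
    return (e["event"] == "ProcessCreate"
            and e.get("IntegrityLevel") == "High"
            and _low(e.get("Image")) == _low(e.get("ParentImage")))


def rule_sysmon_driver_unusual_path(e):
    """A Sysmon driver image loaded from outside the Windows directory (assumption)."""
    path = _low(e.get("ImageLoaded"))
    return (e["event"] == "DriverLoad"
            and "sysmon" in _basename(path)
            and not path.startswith("c:\\windows\\"))


def rule_service_key_user_process(e):
    """Service configuration written by something other than services.exe."""
    return (e["event"] == "RegistryEvent"
            and "\\currentcontrolset\\services\\" in _low(e.get("TargetObject"))
            and _basename(e.get("Image")) != "services.exe")


def rule_security_process_terminated(e):
    return e["event"] == "ProcessTerminate" and _basename(e.get("Image")) in SECURITY_PROCESSES


RULES = {
    "msi_drop_windowsnt": rule_msi_drop_windowsnt,
    "self_elevation": rule_self_elevation,
    "sysmon_driver_unusual_path": rule_sysmon_driver_unusual_path,
    "service_key_user_process": rule_service_key_user_process,
    "security_process_terminated": rule_security_process_terminated,
}
ALERT_THRESHOLD = 3  # distinct rules on one host before alerting


def correlate(lines):
    """Return {host: sorted rule names that fired} over JSON event lines."""
    hits = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        for name, rule in RULES.items():
            if rule(event):
                hits[event["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def alerts(lines, threshold=ALERT_THRESHOLD):
    """Hosts on which at least `threshold` distinct rules fired."""
    return {host: names for host, names in correlate(lines).items() if len(names) >= threshold}


if __name__ == "__main__":
    print(json.dumps(alerts(EVENT_LINES), indent=2))
```

Each rule on its own would page an analyst far too often (administrators elevate, installers write service keys); the threshold is what turns them into a usable signal, and it can be tightened or widened per environment without touching the rules.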
The malware demonstrates a high level of sophistication and malicious intent, using a variety of techniques to conceal its presence and carry out its payload.
The CleverSoar campaign leverages advanced evasion techniques and custom malware (Winos4.0, Nidhogg) to target Chinese and Vietnamese users and, likely orchestrated by a sophisticated threat actor, aims to compromise systems for espionage purposes.
The campaign’s layered anti-detection measures and its potential for broader targeting pose a significant threat to both individual users and organizations in the affected regions.