MODBEACON RAT Leverages gRPC for Stealthy Command and Control
A new Rust-based remote access trojan dubbed MODBEACON is being used by the China-linked Silver Fox group. It employs gRPC streaming to encrypt its command-and-control traffic, evading traditional detection methods.
TL;DR
- Silver Fox deploys MODBEACON, a Rust-based RAT with advanced C2 capabilities.
- The malware uses gRPC streaming to encrypt communications and avoid detection.
- Infection occurs through SEO-poisoned fake software installers.
- QiAnXin researchers uncovered the group's more sophisticated infrastructure behind a deceptive low-sophistication facade.
- Organizations should monitor for unusual gRPC traffic patterns as part of threat hunting.
Cybersecurity researchers have identified a new remote access trojan (RAT) named MODBEACON, linked to the China-associated threat actor Silver Fox. Unlike typical malware, MODBEACON is built using the Rust programming language and leverages gRPC streaming for encrypted communication with its command-and-control (C2) servers.
While initial infection vectors rely on common social engineering tactics such as SEO poisoning and counterfeit software installers, the underlying infrastructure reveals a higher level of operational sophistication. This suggests that what appears to be a noisy, low-skill campaign may actually mask more strategic objectives.
Technical Features of MODBEACON
- Written in Rust, offering memory safety and cross-platform compatibility.
- Uses gRPC over HTTP/2 for bidirectional streaming, blending in with legitimate traffic.
- Employs encryption within the gRPC layer to obfuscate malicious payloads.
- Capable of executing shell commands, file transfers, and keylogging.
- Communicates with C2 servers using dynamically generated endpoints to evade static detection rules.
Detection and Mitigation Strategies
- Monitor network traffic for anomalous gRPC activity originating from client endpoints.
- Implement deep packet inspection (DPI) to analyze HTTP/2 streams for behavioral anomalies.
- Use endpoint detection and response (EDR) tools to flag unsigned or unusual process executions.
- Train staff to recognize SEO-poisoned search results leading to malicious downloads.
- Maintain up-to-date browser and OS patches to limit exploitability of known vulnerabilities.
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.