Google said in a new blog post that hackers linked to the Chinese government have been impersonating antivirus software McAfee to try to infect victims’ machines with malware. And, Google says, the hackers appear to be the same group that unsuccessfully targeted the presidential campaign of former Vice President Joe Biden with a phishing attack earlier this year. A similar group of hackers based in Iran had tried to target President Trump’s campaign, but also was unsuccessful.
The group, which Google refers to as APT 31, would email links to users which would download malware hosted on GitHub, allowing the attacker to upload and download files and execute commands. Since the group used services like GitHub and Dropbox to carry out the attacks, it made it more difficult to track them.
“Every malicious piece of this attack was hosted on legitimate services, making it harder for defenders to rely on network signals for detection,” the head of Google’s Threat Analysis Group Shane Huntley wrote in the blog post.
In the McAfee impersonation scam, the recipient of the email would be prompted to install a legitimate version of McAfee software from GitHub, while at the same time malware was installed without the user being aware. Huntley noted that whenever Google detects that a user has been the victim of a government-backed attack, it sends them a warning.
Google assured that as soon as these attacks are identified, the victim is informed on a priority basis. “When we detect that a user is the target of a government-backed attack, we send them a prominent warning. In these cases, we also shared our findings with the campaigns and the Federal Bureau of Investigation. This targeting is consistent with what others have subsequently reported.”