Google said in a new blog post that hackers linked to the Chinese government are imitating McAfee antivirus software to try to infect victims' machines with malware. Google also said the hackers appear to be the same group that unsuccessfully targeted former Vice President Joe Biden's presidential campaign with a phishing attack earlier this year. A similar group of Iran-based hackers tried to target President Trump's campaign, and was also unsuccessful.
The group, identified by Google as APT 31 (APT is short for Advanced Persistent Threat), emails users links to malware hosted on GitHub; once installed, the malware lets the attacker upload and download files and execute commands. Because the group carries out the attacks through legitimate services such as GitHub and Dropbox, its activity is harder to track.
"Every malicious part of this attack is hosted on legitimate services, making it harder for defenders to rely on network signals for detection," wrote Shane Huntley, who leads Google's Threat Analysis Group and authored the blog post.
In the McAfee scam, the recipient of the email is prompted to install a legitimate version of the McAfee software from GitHub, while the malware is installed without the user's knowledge. Huntley said that whenever Google detects that a user has been the victim of a government-backed attack, it sends them a warning.
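Huntley's point is that no single network indicator in this chain looks bad on its own: a release download from GitHub and API calls to Dropbox are everyday traffic. One defensive response is to correlate those weak signals in sequence rather than alert on either alone. The script below is an added example and is not Google's or TAG's code: it scans constructed proxy log lines (made up for this illustration), finds hosts that fetched an executable archive from a code-hosting site and then began calling a file-sharing API at regular intervals, and flags only that combination. The log format, the one-hour window, the beacon count and the jitter threshold are assumptions; the GitHub and Dropbox hostnames are real, but the repository paths in the sample are invented.

```python
"""Correlating legitimate-service network signals into one detection.

Added example, not code from the page or from Google. The proxy log lines
below are constructed; thresholds and the log format are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev
from urllib.parse import urlparse

# Constructed proxy log, one event per line: "timestamp host method url".
# ws-17 mimics the described chain; ws-22 and ws-30 are benign lookalikes.
SAMPLE_LOG = """\
2020-10-16T09:00:02 ws-17 GET https://github.com/example-org/setup/releases/download/v1/McAfeeSetup.zip
2020-10-16T09:01:05 ws-17 POST https://api.dropboxapi.com/2/files/list_folder
2020-10-16T09:06:04 ws-17 POST https://api.dropboxapi.com/2/files/list_folder
2020-10-16T09:11:06 ws-17 POST https://api.dropboxapi.com/2/files/list_folder
2020-10-16T09:16:05 ws-17 POST https://content.dropboxapi.com/2/files/download
2020-10-16T09:03:40 ws-22 GET https://github.com/example-org/tool/releases/download/v2/tool.zip
2020-10-16T10:47:12 ws-22 GET https://www.dropbox.com/home
2020-10-16T09:00:00 ws-30 POST https://api.dropboxapi.com/2/files/list_folder
2020-10-16T09:05:00 ws-30 POST https://api.dropboxapi.com/2/files/list_folder
2020-10-16T09:10:00 ws-30 POST https://api.dropboxapi.com/2/files/list_folder
2020-10-16T09:15:00 ws-30 POST https://api.dropboxapi.com/2/files/list_folder
"""

CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}
PAYLOAD_EXT = (".zip", ".exe", ".msi", ".dll", ".7z")
SHARING_API = {"api.dropboxapi.com", "content.dropboxapi.com"}

WINDOW = timedelta(hours=1)   # assumed: beacons must start within an hour of the download
MIN_BEACONS = 3               # assumed: minimum number of repeated API hits
MAX_JITTER = 30.0             # assumed: tolerated stddev (seconds) between beacon gaps


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, method, url) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, method, url = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, method, url))
    return events


def is_payload_download(url):
    """A binary or archive fetched from a code-hosting site."""
    p = urlparse(url)
    return p.hostname in CODE_HOSTING and p.path.lower().endswith(PAYLOAD_EXT)


def is_sharing_api(url):
    """A programmatic (not browser) call to a file-sharing API."""
    return urlparse(url).hostname in SHARING_API


def regular_interval(times):
    """True when at least MIN_BEACONS hits occur at near-constant spacing."""
    if len(times) < MIN_BEACONS:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= MAX_JITTER


def find_suspect_hosts(events):
    """Return {host: reason} for hosts where a code-hosting payload download is
    followed, within WINDOW, by regularly spaced file-sharing API calls."""
    by_host = defaultdict(list)
    for ev in sorted(events):          # chronological order per host
        by_host[ev[1]].append(ev)
    findings = {}
    for host, evs in by_host.items():
        for dl_ts, _, _, dl_url in (ev for ev in evs if is_payload_download(ev[3])):
            beacons = [ev[0] for ev in evs
                       if is_sharing_api(ev[3]) and dl_ts < ev[0] <= dl_ts + WINDOW]
            if regular_interval(beacons):
                findings[host] = (f"{dl_url} fetched at {dl_ts.isoformat()}, then "
                                  f"{len(beacons)} regularly spaced file-sharing API calls")
                break
    return findings


if __name__ == "__main__":
    for host, reason in find_suspect_hosts(parse_log(SAMPLE_LOG)).items():
        print(host, "->", reason)
```

Only ws-17 is reported: ws-22 downloaded an archive from GitHub but its later Dropbox visit is an ordinary browser page, and ws-30 beacons to the Dropbox API but never fetched a payload, so neither signal fires on its own. In practice the same sequencing logic is stronger when joined with endpoint telemetry (which process made the API calls, and what it was spawned from), since the network side alone is exactly what the attackers are counting on looking normal.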
The blog post did not mention who was affected by the latest APT 31 attack, but said there had been "increasing attention to APT threats in the US election context." Google shares its findings with the FBI.