Google said in a new blog post that hackers linked to the Chinese government are posing as McAfee antivirus software to try to infect victims’ machines with malware. And, says Google, the hackers appear to be the same group that unsuccessfully targeted the presidential campaign of former Vice President Joe Biden with a phishing attack earlier this year. A similar group of Iran-based hackers tried to target President Trump’s campaign, but also failed.
The group, which Google calls APT 31 (APT being short for Advanced Persistent Threat), would send links via email to users, who would then download malware hosted on GitHub that allowed the attacker to upload and download files and execute commands. Because the group used legitimate services like GitHub and Dropbox to carry out the attacks, it became more difficult to track them.
“Every malicious part of this attack was hosted on legitimate services, making it more difficult for defenders to rely on network signals for detection,” wrote the head of the Google Threat Analysis Group, Shane Huntley, on the blog.
In the McAfee impersonation scheme, the recipient of the email would be asked to install a legitimate version of McAfee software hosted on GitHub, while at the same time the malware was installed without the user knowing it. Huntley noted that whenever Google detects that a user has been the target of a government-backed attack, it sends that user a warning.
The blog post does not mention who was affected by the latest APT 31 attacks, but says there was “greater attention to threats posed by APTs in the context of the US election”. Google shared its findings with the FBI.