A recent investigation has uncovered a campaign targeting users of Huorong Security antivirus software. The attackers registered a typosquatted domain, huoronga[.]com, which closely resembles the legitimate site huorong.cn, to catch people who mistype the URL or arrive through manipulated search results and malicious links.
The counterfeit site copies Huorong's branding and layout, so most visitors have no reason to suspect anything is wrong. Clicking the download button starts a chain of events that ends with the installation of ValleyRAT, a modular remote access trojan (RAT) built on the Winos4.0 framework.
The download path is deliberately indirect. When a user requests the software, the request is routed through an intermediary domain, hndqiuebgibuiwqdhr[.]cyou, before the actual payload is fetched from Cloudflare R2 storage. Serving the payload from a widely used cloud platform lets the download blend into normal network traffic, since the storage service itself is not something defenders can block wholesale.
[Figure: Fake Huorong download site]
The downloaded file, named BR火绒445[.]zip, incorporates Huorong's Chinese name (火绒) to maintain the ruse. Inside the ZIP archive is a trojanized installer built with NSIS (Nullsoft Scriptable Install System), a legitimate installer framework used by a great deal of genuine Windows software, so the installer itself raises few suspicions.
Upon execution, the installer creates a desktop shortcut labeled 火绒.lnk, simulating a successful antivirus installation while discreetly unpacking a mix of benign and malicious files into the user’s Temp directory. Among the seemingly harmless components are FFmpeg DLLs and tools masquerading as .NET repair and Huorong diagnostic utilities, reinforcing the façade of a legitimate installer.
The core of the malware consists of three components: WavesSvc64.exe, the main loader; DuiLib_u.dll, a weaponized replacement for a library the loader imports, used for DLL sideloading; and box.ini, an encrypted container for the shellcode. The chain abuses Windows' DLL search order, which checks the application's own directory before system locations, so malicious code runs inside a process whose image is a trusted-looking binary. WavesSvc64.exe masquerades as an audio service process, complete with a plausible PDB path referencing gaming-related development; these details are aimed at analysts and reputation checks, not at Windows itself, so that a quick look at the binary's metadata suggests a legitimate audio component rather than a loader.
When WavesSvc64.exe starts, Windows resolves its import of DuiLib_u.dll from the same directory, where the attackers have placed the weaponized version. That DLL reads the encrypted shellcode from box.ini, decrypts it and executes it directly in memory. This matches the Catena-style loader pattern seen in other campaigns, in which a seemingly legitimate executable is paired with attack code hidden in a configuration file and runs it reflectively. The practical consequence is that the .exe and .dll can look clean to static scanners and the payload exists on disk only in encrypted form; the decrypted shellcode appears only in the loader's memory, which minimizes traditional forensic traces.
[Figure: ValleyRAT backdoor deployed via malware]
To persist and evade detection, the malware runs elevated (high-integrity) PowerShell commands that add Windows Defender exclusions for its working directory (%APPDATA%\trvePath) and its loader process (WavesSvc64.exe), which largely removes the built-in antivirus from the picture. Changing exclusions requires administrator rights, so the installer must already be running elevated at that point. It also creates a scheduled task named "Batteries", stored as the legacy job file C:\Windows\Tasks\Batteries.job, which runs WavesSvc64.exe /run at startup to reapply the exclusions and re-establish the connection to its command-and-control (C2) server.
The malware periodically deletes and rewrites its key files, including WavesSvc64.exe and DuiLib_u.dll, so that the on-disk hashes do not stay constant and simple hash-based detection fails; defenders should key on file names, paths and behavior instead. Configuration data, including the encoded domain yandibaiji0203[.]com, is stored under HKCU\SOFTWARE\IpDates_info, alongside additional encrypted binary configuration data held in the registry.
On the network side, the Winos4.0 stage connects to its C2 server at 161.248.87.250 on TCP port 443, using a custom binary protocol rather than TLS. Choosing 443 lets the traffic pass port-based filtering and look, at a glance, like HTTPS, and because it is not real TLS there is no handshake for a TLS-inspecting proxy to intercept. The flip side is that any sensor that examines the payload rather than the port will see non-TLS bytes on 443, which is itself an anomaly worth alerting on. Intrusion detection systems have raised alerts for Winos4.0 C2 communications and for initialization of the ProcessKiller module, which terminates security tools.
Analysts have noted that C2 communications often originate from rundll32.exe launched with nothing but "rundll32.exe" as its command line. Legitimate uses of rundll32 almost always pass a DLL path and export name, so a bare invocation is a strong hunting signal in monitored environments. Further analysis revealed multiple WinosStager plugin DLLs loaded inside that rundll32 process, underscoring ValleyRAT's modular design, which delivers functionality as on-demand plugins tailored to specific operations.
Once established, ValleyRAT facilitates extensive post-compromise activities, including keylogging, process injection, credential access, and system reconnaissance. It allocates read-write-execute (RWX) memory regions within rundll32.exe for in-memory execution while systematically deleting executed files and other artifacts to hinder forensic recovery.
Attribution points strongly to the Silver Fox APT group, known for distributing ValleyRAT/Winos4.0 through trojanized installers for various Chinese-focused software. The Huorong lure follows this pattern, employing Chinese-language filenames and security-focused branding to target Chinese-speaking users seeking antivirus solutions.
The public leak of the ValleyRAT builder on GitHub has broadened the threat, with researchers documenting roughly 6,000 ValleyRAT-related samples within a year. Defenders should ensure that Huorong downloads come only from huorong.cn, alert on Defender exclusion changes (Add-MpPreference and Set-MpPreference invocations, and Defender operational event 5007, which records configuration changes) that were not made by administrators, and hunt for the "Batteries" scheduled task and the registry keys above across endpoints.
Blocking outbound connections to the identified C2 address and enabling intrusion detection signatures for Winos4.0 traffic add further coverage. Security vendors, including Malwarebytes, already flag and block known ValleyRAT variants, but given how quickly new samples appear, organizations should not rely on signature coverage alone.
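As an added example that is not from the article, Malwarebytes or Huorong, the hunt below checks a single Windows host for the artifacts described above: Defender exclusions naming the loader or a path under %APPDATA%, recent Defender configuration-change events, the "Batteries" task and its legacy .job file, the registry configuration key, dropped loader components in user-writable directories, rundll32.exe running with a bare command line, and a live TCP connection to the reported C2 address. It assumes an elevated PowerShell session on a host with Microsoft Defender, that the registry key quoted in the text is HKCU\SOFTWARE\IpDates_info, and that the dropped files land under %TEMP%, %APPDATA% or %LOCALAPPDATA%; the function and variable names are my own.

```powershell
# Added hunting script, not part of the original article. Assumptions: run elevated
# (Get-MpPreference and Win32_Process command lines need admin), Microsoft Defender is
# the installed AV, and the registry path below matches the key quoted in the text.
#Requires -RunAsAdministrator

$C2Ip        = '161.248.87.250'
$TaskName    = 'Batteries'
$JobFile     = Join-Path $env:SystemRoot 'Tasks\Batteries.job'
$RegKey      = 'HKCU:\SOFTWARE\IpDates_info'
$DropFiles   = @('WavesSvc64.exe', 'DuiLib_u.dll', 'box.ini')
$SearchRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)

function New-Finding {
    param([string]$Indicator, [string]$Detail)
    [pscustomobject]@{ Indicator = $Indicator; Detail = $Detail }
}

function Invoke-ValleyRatHunt {
    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Defender exclusions that name the loader or a path under the user's AppData
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
        if ($p -and ($p -match 'WavesSvc64\.exe' -or $p -like "$env:APPDATA*")) {
            $findings.Add((New-Finding 'DefenderExclusion' $p))
        }
    }
    # Defender writes event 5007 for every configuration change; filter for exclusion edits
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        ForEach-Object {
            $first = ($_.Message -split "`n")[0]
            $findings.Add((New-Finding 'DefenderConfigChange' ($_.TimeCreated.ToString('s') + ' ' + $first)))
        }

    # 2. Persistence: the "Batteries" task, registered or present only as a legacy .job file
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        $findings.Add((New-Finding 'ScheduledTask' $TaskName))
    }
    if (Test-Path -LiteralPath $JobFile) {
        $findings.Add((New-Finding 'LegacyJobFile' $JobFile))
    }

    # 3. Registry configuration store (current user only; extend to HKU:\ for other profiles)
    if (Test-Path -LiteralPath $RegKey) {
        $findings.Add((New-Finding 'RegistryConfig' $RegKey))
    }

    # 4. Dropped loader components in user-writable directories
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Recurse -Include $DropFiles -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $findings.Add((New-Finding 'DroppedFile' $_.FullName)) }
    }

    # 5. rundll32.exe whose whole command line is the executable itself (no DLL, no export)
    Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" |
        Where-Object { $_.CommandLine -match '^"?[^"]*rundll32(\.exe)?"?\s*$' } |
        ForEach-Object {
            $findings.Add((New-Finding 'BareRundll32' ("PID {0} parent PID {1}" -f $_.ProcessId, $_.ParentProcessId)))
        }

    # 6. Live TCP connection to the reported C2 address, on any port
    Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue |
        ForEach-Object {
            $detail = "{0}:{1} -> {2}:{3} state {4} PID {5}" -f $_.LocalAddress, $_.LocalPort,
                      $_.RemoteAddress, $_.RemotePort, $_.State, $_.OwningProcess
            $findings.Add((New-Finding 'C2Connection' $detail))
        }

    return $findings
}

$results = Invoke-ValleyRatHunt
if ($results.Count -eq 0) {
    Write-Host 'No ValleyRAT/Winos4.0 indicators found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Because the campaign rewrites its files to change their hashes, the script deliberately matches on names, locations and behavior rather than on hashes. Run it on a suspected host after collecting volatile evidence (memory image, network captures): check 5 and check 6 only fire while the rundll32 process and the C2 session are still alive, whereas the exclusions, task, registry key and dropped files survive a reboot.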