A recent investigation by FortiGuard Labs has unveiled a sophisticated cyber campaign that is specifically targeting Chinese Windows users through the ValleyRAT malware. This multi-stage attack is particularly aimed at sectors such as e-commerce, finance, sales, and management, raising concerns among businesses operating in these domains.
Initial Infection:
The onset of this attack is marked by a cunningly crafted lure, often masquerading as a legitimate financial or business document. By utilizing icons that resemble trusted applications like Microsoft Office, the malware creates an empty file that triggers the default application for opening Microsoft Office Word documents. In instances where no default application is configured, an error message is displayed, which serves to distract the user.
Upon execution, the malware establishes its foothold on the system by creating a mutex and altering registry entries. It employs various techniques to evade detection, including checks for virtual environments and sophisticated obfuscation methods.
Payload Delivery and Execution:
A pivotal aspect of this campaign is the deployment of shellcode, enabling the malware to load its components directly into memory. This approach effectively circumvents traditional file-based detection mechanisms. Subsequently, the malware establishes communication with a command-and-control (C2) server to download additional components, which include the core ValleyRAT payload.
FortiGuard Labs attributes this malware to the suspected APT group known as “Silver Fox.” The group is noted for its capability to graphically monitor user activities while delivering additional plugins and malware to the compromised system.
Evasion Techniques:
To enhance its effectiveness, ValleyRAT employs a range of evasion tactics. These include disabling antivirus software, modifying registry settings to obstruct security applications, and utilizing sleep obfuscation to complicate analysis. Additionally, the malware encodes its shellcode with an XOR operation to further evade memory scanners.
Payload Capabilities:
The core capabilities of the ValleyRAT payload provide attackers with extensive control over the infected system. Once embedded, it can execute commands to monitor user activities and deploy arbitrary plugins to further the attackers’ objectives.
ValleyRAT is designed to monitor user activity, exfiltrate sensitive data, and potentially introduce additional malicious payloads. Its command set includes functionalities such as loading plugins, capturing screenshots, executing files, manipulating the registry, and controlling critical system functions like restarts, shutdowns, and logoffs.
The campaign’s focus on Chinese users is underscored by its use of Chinese-language lures and its strategic evasion of popular Chinese antivirus solutions. The malware’s persistence and remote command execution capabilities pose a significant threat to affected systems.
This campaign continues to evolve, and updates will be provided as new information emerges. In the meantime, users are strongly advised to keep their security software up to date and to exercise caution when interacting with unexpected files or links.
RELATED TOPICS
- Fake Hot Fix for CrowdStrike Spreads Remcos RAT
- TicTacToe Dropper Steals Data from Windows Devices
- New Injector Drops XWorm, Remcos RAT in Multi-Stage Attack
- Multi-platform SysJoker backdoor Hits Windows, macOS, Linux
- P2Pinfect Botnet Targets Servers with Ransomware, Cryptominer
