FortiGuard Labs researchers have identified an ongoing ValleyRAT malware campaign targeting Chinese enterprises [1], particularly in e-commerce [5], finance [1] [3] [4] [5] [6], sales [3] [4] [5] [6], and management sectors [4].
Description
ValleyRAT [1] [2] [3] [4] [5] [6], attributed to the threat group Silver Fox [2], is a multi-stage malware that uses shellcode to minimize its file size on the victim’s system. The infection begins with a first-stage loader disguised as a legitimate Microsoft Office file and delivered by phishing email; the loader drops a decoy document and loads the shellcode for the subsequent stages [2]. ValleyRAT functions as a backdoor with remote-control capabilities such as taking screenshots and executing files. It exclusively targets Chinese systems [2] and uses components named RuntimeBroker and RemoteShellcode to fetch additional payloads from a command-and-control (C2) server [2]. The associated malspam activity exploits an old Microsoft Office vulnerability (CVE-2017-0199) to deliver malicious code and payloads such as GuLoader [2], Remcos RAT [2], and Sankeloader [2]. The operators target Chinese speakers in various sectors and deploy arbitrary plugins to infected systems to cause further harm and to monitor and control compromised devices [1] [5].

On the host, ValleyRAT creates a mutex named TEST to ensure only one instance runs, and it stores the C2 server IP address and port in the registry [1]. To evade detection, it checks for virtual machines, uses a sleep routine (sleep obfuscation) to bypass memory scanners [1], decrypts its shellcode using AES-256 and XOR [1], and obscures API names with the BKDR hashing algorithm [1]. It communicates with the C2 server to download components, gain administrator privileges [1], and bypass UAC. It also adds its root drive to the Windows Defender exclusion list [1], terminates antivirus processes [1], and injects shellcode into the lsass process [1].
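The description above notes that ValleyRAT obscures API names with the BKDR hashing algorithm. When an analyst pulls hash constants out of a sample, the practical task is to map them back to readable export names. The following is an added example written for this page, not code from FortiGuard Labs or any cited report: it implements the textbook 32-bit BKDR string hash (seed 131) and builds a reverse lookup table from a list of known API names. The report does not state which seed or word width the malware actually uses, so the seed, the width and the list of API names here are assumptions to be replaced with values observed in the sample and with real export tables.

```python
"""Reverse lookup for BKDR-hashed API names (added example; assumptions noted inline)."""

def bkdr_hash(name: str, seed: int = 131, width: int = 32) -> int:
    """Textbook BKDR string hash: h = h * seed + byte, truncated to `width` bits.

    The seed (131) and width (32) are the classic defaults; the malware's
    own parameters are not given in the report, so treat these as assumptions.
    """
    mask = (1 << width) - 1
    h = 0
    for byte in name.encode("ascii"):
        h = (h * seed + byte) & mask
    return h


def build_lookup(api_names, seed: int = 131, width: int = 32) -> dict:
    """Precompute hash -> name for every candidate export name."""
    return {bkdr_hash(n, seed, width): n for n in api_names}


def resolve_hashes(hashes, lookup: dict) -> dict:
    """Map each extracted hash constant to a name, or mark it unresolved."""
    return {h: lookup.get(h, "<unresolved>") for h in hashes}


# Constructed candidate list for illustration. In practice, feed the export
# names of kernel32.dll, ntdll.dll, advapi32.dll, etc. from a clean system.
KNOWN_APIS = [
    "CreateMutexA",
    "VirtualAlloc",
    "OpenProcess",
    "WriteProcessMemory",
    "Sleep",
    "RegSetValueExA",
]
LOOKUP = build_lookup(KNOWN_APIS)

if __name__ == "__main__":
    # Constructed "extracted" constants: two that resolve and one that does not.
    extracted = [bkdr_hash("CreateMutexA"), bkdr_hash("Sleep"), 0xDEADBEEF]
    for h, name in resolve_hashes(extracted, LOOKUP).items():
        print(f"0x{h:08x} -> {name}")
```

If none of the constants resolve, the sample is likely using a different seed or width, or hashing names after case folding; re-run the table with each candidate variant before concluding the algorithm is something other than BKDR.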
Security experts attribute ValleyRAT to an APT group known as “Silver Fox” [1], which focuses on visually monitoring user activities and delivering plugins to victim systems [1]. ValleyRAT enables threat actors to remotely control compromised systems, load additional plugins [1], and execute files on victim systems [1].
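Several of the host behaviours reported above leave telemetry that a detection engineer can key on: a Windows Defender path exclusion that covers an entire drive root, a process outside the usual set opening lsass.exe, and a mutant named TEST visible in a handle listing from a sandbox or memory image. The following is an added example written for this page, not code from FortiGuard Labs or any cited report. It runs three triage rules over constructed events in a Sysmon-like shape (EventID 13 for a registry value set, EventID 10 for process access); the field names, the sample events, the handle list and the lsass allowlist are assumptions for illustration and must be mapped onto your own telemetry before use.

```python
"""Triage rules for the ValleyRAT host indicators described above (added example)."""
import re

# Registry key under which Windows Defender stores path exclusions.
DEFENDER_PATHS_KEY = "\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\"
# Matches a bare drive root such as "C:" or "C:\".
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
# Processes expected to open lsass.exe (assumption; tune per environment).
LSASS_ALLOWLIST = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\wininit.exe",
    "c:\\windows\\system32\\csrss.exe",
}
LSASS_SUFFIX = "\\lsass.exe"


def root_drive_exclusion(event):
    """Flag a Defender path exclusion whose value name is a whole drive."""
    if event.get("EventID") != 13:
        return None
    target = event.get("TargetObject", "")
    idx = target.lower().find(DEFENDER_PATHS_KEY.lower())
    if idx < 0:
        return None
    value_name = target[idx + len(DEFENDER_PATHS_KEY):]
    if DRIVE_ROOT.match(value_name):
        return f"defender_root_exclusion: {event.get('Image')} excluded {value_name}"
    return None


def lsass_access(event):
    """Flag lsass.exe being opened by a process outside the allowlist."""
    if event.get("EventID") != 10:
        return None
    if not event.get("TargetImage", "").lower().endswith(LSASS_SUFFIX):
        return None
    source = event.get("SourceImage", "")
    if source.lower() in LSASS_ALLOWLIST:
        return None
    return f"lsass_access: {source} opened lsass.exe (access {event.get('GrantedAccess')})"


def find_test_mutant(handle_names):
    """Return handle names whose leaf component is exactly the reported mutex name TEST."""
    return [name for name in handle_names if name.rsplit("\\", 1)[-1] == "TEST"]


RULES = (root_drive_exclusion, lsass_access)


def triage(events):
    """Apply every rule to every event; return the list of findings in event order."""
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events: one root-drive exclusion, one benign vendor
# exclusion, one suspicious lsass open, one expected lsass open.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\installer.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Vendor",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 10, "SourceImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"},
]
# Constructed handle listing as a sandbox or memory-forensics tool might report it.
SAMPLE_HANDLES = [
    "\\BaseNamedObjects\\TEST",
    "\\Sessions\\1\\BaseNamedObjects\\SM0:1234:WilStaging_02",
    "\\BaseNamedObjects\\TESTING",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("TEST mutants:", find_test_mutant(SAMPLE_HANDLES))
```

The root-drive rule deliberately ignores exclusions of specific directories, which installers add legitimately; it is the breadth of a whole-drive exclusion that matches the behaviour reported for ValleyRAT. The lsass rule is only as good as its allowlist, so start it in audit mode and extend the list from observed legitimate openers before alerting on it.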
Conclusion
Organizations are advised to maintain up-to-date antivirus and intrusion prevention system signatures and provide security awareness training for employees to mitigate the risks posed by ValleyRAT and similar malware campaigns.
References
[1] https://securityaffairs.com/167164/cyber-crime/valleyrat-malware-targets-chinese-speaking-users.html
[2] https://thehackernews.com/2024/08/multi-stage-valleyrat-targets-chinese.html
[3] https://www.scmagazine.com/brief/china-subjected-to-new-valleyrat-malware-attack-campaign
[4] https://siliconfit.com/blog/2024/08/16/windows-users-hit-by-all-new-advanced-malware-campaign/
[5] https://www.fortinet.com/blog/threat-research/valleyrat-campaign-targeting-chinese-speakers
[6] https://www.infosecurity-magazine.com/news/valleyrat-campaign-hits-windows/