Chinese-speaking users are being targeted by a campaign distributing a malware family known as ValleyRAT.
“ValleyRAT is a multi-stage malware that uses various techniques to monitor and control its victims and deploy arbitrary plugins to cause additional damage,” Fortinet FortiGuard Labs researchers Eduardo Altarez and Joey Salvio said.
“Another noteworthy characteristic of this malware is its heavy use of shellcode to execute many components directly in memory, which significantly reduces its file footprint on the victim’s system.”
Details of the campaign first emerged in June 2024, when Zscaler ThreatLabz documented attacks using an updated version of the malware.
Exactly how the latest iteration of ValleyRAT is being distributed is still unknown; previous campaigns used email messages containing URLs pointing to compressed executables.
The attack chain is a multi-step process that begins with a first-stage loader masquerading as a legitimate application such as Microsoft Office to appear harmless (e.g., "Industrial and Commercial Annual Report Master.exe" or "Complementary Order Docking Update Record txt.exe").
Running the executable drops a decoy document and loads the shellcode that advances the attack to the next phase. The loader also takes steps to verify that it is not running in a virtual machine.
The shellcode is responsible for launching the beacon module, which communicates with the command-and-control (C2) server to download two components, RuntimeBroker and RemoteShellcode. It also sets up persistence on the host and obtains administrator privileges by abusing a legitimate Windows binary, fodhelper.exe, to bypass User Account Control (UAC).
A second privilege-escalation method involves abuse of the CMSTPLUA COM interface, a technique previously adopted by threat actors associated with Avaddon ransomware and also observed recently in HijackLoader campaigns.
In a further effort to ensure the malware runs unhindered on the machine, it configures exclusion rules for Microsoft Defender Antivirus and terminates various antivirus processes by matching their executable file names.
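The fodhelper.exe UAC bypass and the Defender exclusion changes described above both leave host-level traces a defender can alert on. The following is an added example (not code from the article or from Fortinet) that runs three simple detection rules over constructed Sysmon-style event lines: a child process spawned by fodhelper.exe, a write to the ms-settings shell handler key that fodhelper consults (a publicly documented location the article itself does not name), and a PowerShell command adding a Defender exclusion. The event format and sample lines are assumptions for illustration.

```python
import re

# Constructed Sysmon-style event lines (not taken from the article). Format is
# key=value pairs; values containing spaces are double-quoted. EventID 1 is
# process creation, EventID 13 is a registry value set.
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Users\u\Downloads\report.exe ParentImage=C:\Windows\explorer.exe CommandLine="report.exe"',
    r'EventID=13 Image=C:\Users\u\Downloads\report.exe TargetObject=HKU\S-1-5-21-1\Software\Classes\ms-settings\Shell\Open\command\(Default)',
    r'EventID=1 Image=C:\Windows\System32\fodhelper.exe ParentImage=C:\Users\u\Downloads\report.exe CommandLine="fodhelper.exe"',
    r'EventID=1 Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\fodhelper.exe CommandLine="cmd.exe /c report.exe"',
    r'EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine="powershell -c Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming"',
    r'EventID=1 Image=C:\Windows\System32\notepad.exe ParentImage=C:\Windows\explorer.exe CommandLine="notepad.exe"',
]

# key=value, where the value is either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Parse one key=value event line into a dict, stripping quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def detect(lines):
    """Return (rule_name, image) pairs for every event that matches a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        target = ev.get("TargetObject", "").lower()
        # fodhelper.exe normally spawns nothing; any child is suspicious.
        if ev.get("EventID") == "1" and parent.endswith(r"\fodhelper.exe"):
            hits.append(("fodhelper_child_process", image))
        # A per-user handler for ms-settings is the hijack point fodhelper reads.
        if ev.get("EventID") == "13" and r"\ms-settings\shell\open\command" in target:
            hits.append(("ms_settings_handler_write", image))
        # Defender exclusions added from the command line (Add-MpPreference -Exclusion*).
        if ev.get("EventID") == "1" and "add-mppreference" in cmd and "-exclusion" in cmd:
            hits.append(("defender_exclusion_added", image))
    return hits


if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

In production these rules would be tuned against baseline telemetry (fodhelper launched by explorer.exe with no children is benign), but the three traces are the ones this stage of the infection leaves.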
RuntimeBroker's main task is to retrieve from the C2 server a component called Loader, which functions the same way as the first-stage loader and executes the beacon module to repeat the infection process.
The Loader payload also has some distinctive characteristics, including checking whether it is running in a sandbox and scanning the Windows registry for keys related to programs such as Tencent WeChat and Alibaba DingTalk, supporting the hypothesis that the malware exclusively targets Chinese systems.
RemoteShellcode, for its part, is configured to receive the ValleyRAT loader from the C2 server; that loader then uses UDP or TCP sockets to connect to the server and retrieve the final payload.
ValleyRAT, attributed to a threat group called Silver Fox, is a full-featured backdoor capable of remotely controlling compromised workstations. It can take screenshots, run files, and download additional plugins to the victim system.
“This malware includes multiple components loaded at different stages and mainly uses shellcode to execute them directly in memory, which greatly reduces the file trace on the system,” the researchers said.
“Once the malware takes root in a system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plug-ins to achieve the threat actors’ intentions.”
This development comes amid persistent spam campaigns attempting to exploit an old vulnerability in Microsoft Office (CVE-2017-0199) to execute malicious code and deliver GuLoader, Remcos RAT, and Sankeloader.
“CVE-2017-0199 is still being exploited for remote code execution from an XLS file,” Broadcom-owned Symantec said. “The campaign delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload.”