Global Security

PNGPlug Loader delivers ValleyRAT malware via fake program installers

By Admin | January 21, 2025 | 2 min read

January 21, 2025Ravi LakshmananCyber ​​Attack / Windows Security

Cybersecurity researchers are calling attention to a series of cyber attacks targeting Chinese-speaking regions, including Hong Kong, Taiwan, and mainland China, with a known malware called ValleyRAT.

The attacks use a multi-stage loader called PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week.

The infection chain begins with a phishing page designed to lure victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software.


Once executed, the installer deploys a benign application to avoid raising suspicion, while stealthily extracting an encrypted archive that contains the malware.

“The MSI package exploits the CustomAction feature of Windows Installer, which allows it to execute malicious code, including launching an embedded malicious DLL that decrypts the archive (all.zip) using the hardcoded password ‘hello202411’ to extract the core components of the malware,” security researcher Nicole Fishbein said.
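
The archive step above is the point where an analyst with a sandbox or a disk image first gets a handle on the payload: an archive whose local file headers carry the encryption flag, and a password already recovered from the dropper DLL. The following is an added example for this article, not Intezer's tooling or the loader's own code. It walks a ZIP's local file headers to report which entries are encrypted, then opens the entry with the known password the way an analyst would. So that it runs offline, the sample archive is constructed in memory; traditional PKWARE "ZipCrypto" encryption is reimplemented only to fabricate that sample. The entry name and the password come from the article; the payload bytes are made up.

```python
"""Triage an encrypted dropper archive like all.zip (added example; sample archive is constructed)."""
import io
import struct
import zipfile
import zlib

ENTRY_NAME = "aut.png"                 # entry name reported in the article
KNOWN_PASSWORD = b"hello202411"        # hardcoded password reported by Intezer
FAKE_PAYLOAD = b"MZ" + b"\x90" * 62    # constructed stand-in for the real payload

# --- ZipCrypto key schedule (same as zipfile's decrypter), run in the encrypt direction ---
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_byte(crc: int, b: int) -> int:
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCryptoEncryptor:
    def __init__(self, pwd: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in pwd:
            self._update(b)

    def _update(self, b: int) -> None:
        k = self.k
        k[0] = _crc_byte(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_byte(k[2], k[1] >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:   # key byte comes from key2; keys advance on the plaintext byte
            t = self.k[2] | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)
        return bytes(out)


def build_encrypted_zip(name: str, plaintext: bytes, pwd: bytes) -> bytes:
    """One stored, ZipCrypto-encrypted entry; readable by zipfile with the password."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes, then the CRC's high byte (the password check byte)
    body = ZipCryptoEncryptor(pwd).encrypt(bytes([0x5A] * 11) + bytes([crc >> 24]) + plaintext)
    nm = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x0021   # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(plaintext), len(nm), 0) + nm
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dos_time, dos_date,
                          crc, len(body), len(plaintext), len(nm), 0, 0, 0, 0, 0, 0) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def list_local_headers(data: bytes) -> list:
    """Walk the local file headers directly: (name, encrypted, method, compressed_size) per entry."""
    out, pos = [], 0
    while pos + 30 <= len(data) and data[pos:pos + 4] == b"PK\x03\x04":
        (_, _, flags, method, _, _, _, csize, _, nlen, elen) = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("cp437")
        out.append((name, bool(flags & 0x0001), method, csize))
        if flags & 0x0008:   # data descriptor in use: sizes are not in the header, stop rather than guess
            break
        pos += 30 + nlen + elen + csize
    return out


def read_with_password(data: bytes, name: str, pwd: bytes) -> bytes:
    """Extract one entry once the password is known (zipfile raises RuntimeError on a wrong one)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name, pwd=pwd)


if __name__ == "__main__":
    sample = build_encrypted_zip(ENTRY_NAME, FAKE_PAYLOAD, KNOWN_PASSWORD)
    for name, encrypted, method, csize in list_local_headers(sample):
        print(f"{name}: encrypted={encrypted} method={method} compressed={csize} bytes")
    print("recovered", len(read_with_password(sample, ENTRY_NAME, KNOWN_PASSWORD)), "bytes")
```

Reading the local headers yourself rather than trusting `zipfile`'s listing matters on real droppers, which sometimes carry a deliberately damaged central directory so that casual tools refuse the file while the loader's own code still reads it.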

These include a malicious DLL (“libcef.dll”), a legitimate application (“down.exe”) used as a cover for the malicious activity, and two payload files masquerading as PNG images (“aut.png” and “view.png”).

The main purpose of the DLL loader, PNGPlug, is to prepare the environment for the main malware: it loads “aut.png” and “view.png” into memory, the first to set up persistence by modifying the Windows Registry and the second to execute ValleyRAT.
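
Payloads parked on disk under image names, as in the paragraph above, are cheap to spot on a host: compare each file's content with the type its extension claims. The script below is an added example, not code from the article or from Intezer. It classifies every `*.png` in a set of files as a structurally complete PNG, a PNG with bytes appended after the IEND chunk (the polyglot case, where a real image header hides a payload), a PE file, or a high-entropy blob of the kind an encrypted or packed payload produces. All sample files are constructed in memory; none is a real sample, and the `view.png`/`aut.png` names only echo the article.

```python
"""Check whether files named *.png really are PNG images (added example; samples are constructed)."""
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """png | png-trailing-data | png-bad-crc | png-truncated | pe | mz | high-entropy | other"""
    if data.startswith(PNG_SIG):
        pos = 8
        while pos + 12 <= len(data):                 # chunk = length(4) type(4) data crc(4)
            length, ctype = struct.unpack_from(">I4s", data, pos)
            end = pos + 12 + length
            if end > len(data):
                return "png-truncated"
            body = data[pos + 8:pos + 8 + length]
            (crc,) = struct.unpack_from(">I", data, end - 4)
            if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
                return "png-bad-crc"
            pos = end
            if ctype == b"IEND":                     # a decoder stops here; anything after is not image data
                return "png" if pos == len(data) else "png-trailing-data"
        return "png-truncated"
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        return "mz"
    if shannon_entropy(data) > 7.5:
        return "high-entropy"
    return "other"


def triage(files: dict) -> dict:
    """Map filename -> verdict for every *.png in `files`; anything but 'png' deserves a look."""
    return {name: classify(blob) for name, blob in files.items() if name.lower().endswith(".png")}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


# Constructed samples: a 1x1 RGB PNG skeleton (IHDR + IEND), the same with bytes appended after
# IEND, a bare PE stub, and a uniform-distribution blob standing in for an encrypted payload.
TINY_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + _chunk(b"IEND", b"")
_mz = bytearray(b"MZ" + b"\x00" * 0x3E)
struct.pack_into("<I", _mz, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
PE_STUB = bytes(_mz) + b"PE\x00\x00" + b"\x00" * 20
SAMPLES = {
    "logo.png": TINY_PNG,
    "view.png": TINY_PNG + b"\x00" * 16 + bytes(range(256)),   # payload hidden behind a real image
    "aut.png": bytes(range(256)) * 16,                         # entropy exactly 8.0
    "icon.png": PE_STUB,
    "readme.png": b"just text",
    "down.exe": PE_STUB,                                       # not a .png, so not reported
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:12} {verdict}{'' if verdict == 'png' else '   <-- inspect'}")
```

The CRC and IEND checks are what make this more than a magic-byte test: a loader that prepends a genuine PNG header to its payload passes the signature check but still shows up as trailing data, and corrupted chunk CRCs are a hint that the file was never meant to be decoded.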

ValleyRAT, first observed in the wild in 2023, is a Remote Access Trojan (RAT) that gives attackers unauthorized access to and control over infected machines. Recent versions of the malware include features for taking screenshots and clearing Windows event logs.

It is believed to be linked to a threat group called Silver Fox, which also shares tactical overlaps with another activity cluster named Void Arachne owing to the use of a command-and-control (C&C) framework called Winos 4.0.


The campaign stands out in that it targets a Chinese-speaking demographic and uses software-related lures to trigger the attack chain.

“Equally striking is the attackers’ sophisticated use of legitimate software as a malware delivery mechanism, seamlessly blending malicious activities with seemingly benign programs,” Fishbein said.

“The adaptability of the PNGPlug loader further increases the threat, as its modular design allows it to be tailored for multiple campaigns.”
