Bogus websites advertising Google Chrome have been used to distribute a remote access trojan called ValleyRAT.
The malware, first discovered in 2023, is attributed to a threat actor tracked as Silver Fox, whose previous attacks have primarily focused on Chinese-speaking regions such as Hong Kong, Taiwan and mainland China.
"This actor has increasingly targeted key roles within organizations, particularly in finance, accounting and sales, highlighting a strategic focus on high-value positions with access to sensitive data and systems," Morphisec's Shmuel Uzan noted in a report published earlier this week.
Earlier attack chains delivering ValleyRAT were observed alongside other malware families such as Purple Fox and Gh0st RAT, the latter of which has been widely used by various Chinese hacking groups.
As recently as last month, fake installers for legitimate software served as a distribution mechanism for the trojan by way of a DLL loader named PNGPlug.
It is worth noting that this loader scheme was previously used to deploy Gh0st RAT through malicious installer packages for the Google Chrome web browser.
Similarly, the latest attack sequence associated with ValleyRAT involves the use of a fake Google Chrome website to trick targets into downloading a ZIP archive that contains an executable file ("Setup.exe").
Upon execution, the binary checks whether it has administrator privileges and then proceeds to download four additional payloads, including a legitimate executable associated with Douyin ("Douyin.exe"), the Chinese version of TikTok, and a DLL ("tier0.dll") that then launches the ValleyRAT malware.
Another DLL ("sscronet.dll"), which is responsible for terminating running processes, is also retrieved.
Written in C++ and developed in China, ValleyRAT is a trojan designed to monitor screen content, log keystrokes and establish persistence on the host. It is also capable of contacting a remote server to await further instructions that allow it to enumerate processes, as well as download and execute arbitrary DLLs and binaries.
"To deliver the payload, the attacker abused legitimately signed files that were vulnerable to DLL search-order hijacking," Uzan said.
The development comes as Sophos shared details of phishing attacks that use Scalable Vector Graphics (SVG) attachments to evade detection and deliver AutoIt-based keystroke-logging malware such as Nymeria, or to redirect users to attacker-controlled pages.