Cybersecurity researchers have uncovered an up to date model of malware known as ValleyRAT that is being distributed as a part of a brand new marketing campaign.
“In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs,” Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati stated.
ValleyRAT was beforehand documented by QiAnXin and Proofpoint in 2023 in reference to a phishing marketing campaign concentrating on Chinese language-speaking customers and Japanese organizations that distributed varied malware households resembling Purple Fox and a variant of the Gh0st RAT trojan generally known as Sainbox RAT (aka FatalRAT).
The malware has been assessed to be the work of a China-based menace actor, boasting of capabilities to reap delicate info and drop further payloads onto compromised hosts.
The place to begin is a downloader that makes use of an HTTP File Server (HFS) to fetch a file named “NTUSER.DXM” that is decoded to extract a DLL file liable for downloading “client.exe” from the identical server.
The decrypted DLL can be designed to detect and terminate anti-malware options from Qihoo 360 and WinRAR in an effort to evade evaluation, after which the downloader proceeds to retrieve three extra recordsdata – “WINWORD2013.EXE,”https://thehackernews.com/2024/06/”wwlib.dll,” and “xig.ppt” – from the HFS server.
Subsequent, the malware launches “WINWORD2013.EXE,” a legit executable related to Microsoft Phrase, utilizing it to sideload “wwlib.dll” that, in flip, establishes persistence on the system and masses “xig.ppt” into reminiscence.
“From here, the decrypted ‘xig.ppt’ continues the execution process as a mechanism to decrypt and inject shellcode into svchost.exe,” the researchers stated. “The malware creates svchost.exe as a suspended process, allocates memory within the process, and writes shellcode there.”
The shellcode, for its half, comprises essential configuration to contact a command-and-control (C2) server and obtain the ValleyRAT payload within the type of a DLL file.
“ValleyRAT utilizes a convoluted multi-stage process to infect a system with the final payload that performs the majority of the malicious operations,” the researchers stated. “This staged approach combined with DLL side-loading are likely designed to better evade host-based security solutions such as EDRs and anti-virus applications.”
The event comes because the Fortinet FortiGuard Labs uncovered a phishing marketing campaign that targets Spanish-speaking individuals with an up to date model of a keylogger and data stealer known as Agent Tesla.
The assault chain takes benefit of Microsoft Excel Add-Ins (XLA) file attachments that exploit identified safety flaws (CVE-2017-0199 and CVE-2017-11882) to set off the execution of JavaScript code that masses a PowerShell script, which is engineered to launch a loader with a purpose to retrieve Agent Tesla from a distant server.
“This variant collects credentials and email contacts from the victim’s device, the software from which it collects the data, and the basic information of the victim’s device,” safety researcher Xiaopeng Zhang stated. “Agent Tesla can also collect the victim’s email contacts if they use Thunderbird as their email client.”
