Chinese language-speaking customers are the goal of an ongoing marketing campaign that distributes malware referred to as ValleyRAT.
“ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage,” Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio stated.
“Another noteworthy characteristic of this malware is its heavy usage of shellcode to execute its many components directly in memory, significantly reducing its file footprint in the victim’s system.”
Particulars in regards to the marketing campaign first emerged in June 2024, when Zscaler ThreatLabz detailed assaults involving an up to date model of the malware.
Precisely how the newest iteration of ValleyRAT is distributed is at present not recognized, though earlier campaigns have leveraged e mail messages containing URLs pointing to compressed executables.
The assault sequence is a multi-stage course of that begins with a first-stage loader that impersonates respectable functions like Microsoft Workplace to make them seem innocent (e.g., “工商年报大师.exe” or “补单对接更新记录txt.exe”).
Launching the executable causes the decoy doc to be dropped and the shellcode to be loaded for advancing to the subsequent part of the assault. The loader additionally takes steps to validate that it is not working in a digital machine.
The shellcode is answerable for initiating a beaconing module that contacts a command-and-control (C2) server to obtain two elements – RuntimeBroker and RemoteShellcode – alongside setting persistence on the host and gaining administrator privileges by exploiting a respectable binary named fodhelper.exe and obtain a UAC bypass.
The second methodology used for privilege escalation considerations the abuse of the CMSTPLUA COM interface, a method beforehand adopted by risk actors related to the Avaddon ransomware and in addition noticed in current Hijack Loader campaigns.
In an additional try to guarantee that the malware runs unimpeded on the machine, it configures exclusion guidelines to Microsoft Defender Antivirus and proceeds to terminate varied antivirus-related processes primarily based on matching executable filenames.
RuntimeBroker’s major process is to retrieve from the C2 server a element named Loader, which features the identical method because the first-stage loader and executes the beaconing module to repeat the an infection course of.
The Loader payload additionally displays some distinct traits, together with finishing up checks to see if it is working in a sandbox and scanning the Home windows Registry for keys associated to apps like Tencent WeChat and Alibaba DingTalk, reinforcing the speculation that the malware completely targets Chinese language programs.
However, RemoteShellcode is configured to fetch the ValleyRAT downloader from the C2 server, which, subsequently, makes use of UDP or TCP sockets to hook up with the server and obtain the ultimate payload.
ValleyRAT, attributed to a risk group known as Silver Fox, is a fully-featured backdoor able to remotely controlling compromised workstations. It will possibly take screenshots, execute recordsdata, and cargo further plugins on the sufferer system.
“This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system,” the researchers stated.
“Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plugins to further the threat actors’ intentions.”
The event comes amid ongoing malspam campaigns that try to use an outdated Microsoft Workplace vulnerability (CVE-2017-0199) to execute malicious code and ship GuLoader, Remcos RAT, and Sankeloader.
“CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file,” Broadcom-owned Symantec stated. “The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload.”