PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers

Jan 21, 2025 Ravie Lakshmanan Cyber Attack / Windows Security

Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT.

The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week.

The infection chain commences with a phishing page that is designed to encourage victims to download a malicious Microsoft Installer (MSI) package disguised as legitimate software.


Once executed, the installer deploys a benign application to avoid arousing suspicion, while also stealthily extracting an encrypted archive containing the malware payload.

“The MSI package uses the Windows Installer’s CustomAction feature, enabling it to execute malicious code, including running an embedded malicious DLL that decrypts the archive (all.zip) using a hardcoded password ‘hello202411’ to extract the core malware components,” security researcher Nicole Fishbein said.

These include a rogue DLL (“libcef.dll”), a legitimate application (“down.exe”) that is used as a cover to conceal the malicious activities, and two payload files masquerading as PNG images (“aut.png” and “view.png”).

The main purpose of the DLL loader, PNGPlug, is to prepare the environment for executing the main malware by injecting “aut.png” and “view.png” into memory in order to set up persistence by making Windows Registry changes and executing ValleyRAT, respectively.
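A defender-side triage check built from the file set described above, added here as an example that is not part of the article or of Intezer's research: it flags .png-named files whose header is not a PNG signature (the “aut.png” / “view.png” pattern) and reports whether the full named drop set is present in a directory. The sample files are constructed stand-ins, not real payloads.

```python
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # standard 8-byte PNG signature
MZ_MAGIC = b"MZ"                   # PE header prefix, used only for the constructed sample
# File names reported for the PNGPlug drop (taken from the article)
DROP_SET = {"libcef.dll", "down.exe", "aut.png", "view.png"}


def is_fake_png(path: Path) -> bool:
    """True if a .png-named file does not begin with the PNG signature."""
    with open(path, "rb") as fh:
        head = fh.read(len(PNG_MAGIC))
    return not head.startswith(PNG_MAGIC)


def scan_dir(root: Path) -> dict:
    """Walk a directory; list mislabelled PNGs and check for the complete drop set."""
    fake_png = []
    names = set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        names.add(p.name.lower())
        if p.suffix.lower() == ".png" and is_fake_png(p):
            fake_png.append(p.name)
    return {"fake_png": sorted(fake_png), "drop_set_complete": DROP_SET <= names}


def build_sample(root: Path) -> None:
    """Constructed sample: one genuine PNG header plus the four names from the article.
    The 'payload' PNGs hold arbitrary non-image bytes, standing in for encrypted blobs."""
    (root / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    (root / "aut.png").write_bytes(b"\x12\x34constructed-blob")
    (root / "view.png").write_bytes(b"\xab\xcdconstructed-blob")
    (root / "libcef.dll").write_bytes(MZ_MAGIC + b"\x00" * 16)
    (root / "down.exe").write_bytes(MZ_MAGIC + b"\x00" * 16)


def demo() -> dict:
    """Build the constructed sample in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return scan_dir(root)


if __name__ == "__main__":
    print(demo())  # {'fake_png': ['aut.png', 'view.png'], 'drop_set_complete': True}
```

Either signal alone is weak (legitimate software ships odd file names, and a corrupt image is just a corrupt image); the combination of a mislabelled PNG next to a DLL sharing a directory with a signed host executable is what merits a closer look.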

ValleyRAT, detected in the wild since 2023, is a remote access trojan (RAT) that is capable of providing attackers with unauthorized access to and control over infected machines. Recent versions of the malware have included features to capture screenshots and clear Windows event logs.

It is assessed to be linked to a threat group called Silver Fox, which also shares tactical overlaps with another activity cluster named Void Arachne owing to the use of a command-and-control (C&C) framework called Winos 4.0.


The campaign is unique for its focus on the Chinese-speaking demographic and the use of software-related lures to activate the attack chain.

“Equally striking is the attackers’ sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications,” Fishbein said.

“The adaptability of the PNGPlug loader further elevates the threat, as its modular design allows it to be tailored for multiple campaigns.”
