Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT

8 months ago AndyC

Sep 20, 2023THNMalware Attack / Cyber Threat

Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan c

Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT

Sep 20, 2023THNMalware Attack / Cyber Threat

Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT

Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT.

“Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity,” enterprise security firm Proofpoint said in a report shared with The Hacker News.

The activity, observed since early 2023, entails sending email messages containing URLs pointing to compressed executables that are responsible for installing the malware. Other infection chains have been found to leverage Microsoft Excel and PDF attachments that embed these URLs to trigger malicious activity.

Cybersecurity

These campaigns demonstrate variation in the use of infrastructure, sender domains, email content, targeting, and payloads, indicating that different threat clusters are mounting the attacks.

Over 30 such campaigns have been detected in 2023 that employ malware typically associated with Chinese cybercrime activity. Since April 2023, no less than 20 of those campaigns are said to have delivered Sainbox, a variant of the Gh0st RAT trojan that’s also known as FatalRAT.

Proofpoint said it identified at least three other campaigns delivering the Purple Fox malware and six additional campaigns propagating a nascent strain of malware dubbed ValleyRAT, the latter of which commenced on March 21, 2023.

ValleyRAT, first documented by Chinese cybersecurity firm Qi An Xin in February 2023, is written in C++ and harbors functionalities traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) sent from a remote server and enumerating running processes, among others.

UPCOMING WEBINAR

Level-Up SaaS Security: A Comprehensive Guide to ITDR and SSPM

Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.

Supercharge Your Skills

While Gh0st RAT has been widely used in various cyber campaigns linked to China over the years, the emergence of ValleyRAT suggests it could be widely deployed in the future.

“The increase in Chinese language malware activity indicates an expansion of the Chinese malware ecosystem, either through increased availability or ease of access to payloads and target lists, as well as potentially increased activity by Chinese speaking cybercrime operators,” the company said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

A SaaS Security Challenge: Getting Permissions All in One Place 

A SaaS Security Challenge: Getting Permissions All in One Place 

6 hours ago AndyC
New Spectre-Style 'Pathfinder' Attack Targets Intel CPU, Leak Encryption Keys and Data

New Spectre-Style ‘Pathfinder’ Attack Targets Intel CPU, Leak Encryption Keys and Data

6 hours ago AndyC
The Fundamentals of Cloud Security Stress Testing

The Fundamentals of Cloud Security Stress Testing

12 hours ago AndyC
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

12 hours ago AndyC
Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

12 hours ago AndyC
Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator

Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator

1 day ago AndyC

You may have missed

Aussie Broadband gets clearance to hold more Superloop shares

Aussie Broadband gets clearance to hold more Superloop shares

14 mins ago AndyC
CBA changes its chief security officer

CBA changes its chief security officer

14 mins ago AndyC
<div>Radware lauded as Leader in GigaOm's 2024 AAS Security Report</div>

Radware lauded as Leader in GigaOm’s 2024 AAS Security Report

15 mins ago AndyC
You cannot protect what you do not understand

You cannot protect what you do not understand

15 mins ago AndyC
<div>'LogicMonitor appoints ex-Splunk leader Brooke Cunningham as CMO'</div>

‘LogicMonitor appoints ex-Splunk leader Brooke Cunningham as CMO’

15 mins ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.