Mandarin-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT.
“ValleyRAT is a multi-stage malware that employs diverse strategies to supervise and control its victims and launch arbitrary plugins to inflict additional harm,” said Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio.
“An additional notable attribute of this malware is its extensive use of shellcode to execute its numerous components directly in memory, thereby significantly reducing its presence on the victim’s system.”
Details of the campaign first emerged in June 2024, when Zscaler ThreatLabz described attacks involving an updated version of the malware.
How the latest version of ValleyRAT is distributed is not yet known, although earlier campaigns used email messages containing URLs that pointed to compressed executables.
The attack chain is multi-stage. It begins with a first-stage loader that masquerades as a legitimate application such as Microsoft Office in order to appear harmless (e.g., “工商年报大师.exe” or “补单对接更新记录txt.exe”).
Running the executable drops a decoy document and launches the shellcode that advances the attack to the next stage. The loader also checks that it is not running inside a virtual machine.
The shellcode launches a beaconing module that contacts a command-and-control (C2) server to download two components, RuntimeBroker and RemoteShellcode. It also establishes persistence on the host and obtains administrative privileges by abusing the legitimate fodhelper.exe binary to perform a UAC bypass.
A second privilege-escalation technique abuses the CMSTPLUA COM interface, an approach previously used by threat actors linked to the Avaddon ransomware and also seen in recent Hijack Loader campaigns.
To let the malware run unhindered on the machine, it also adds exclusions to Microsoft Defender Antivirus and terminates a number of antivirus-related processes, identified by their executable filenames.
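As an added example (not code from the article or from the Fortinet report), the following Python script runs simple detection logic over constructed Sysmon-style events for three of the behaviours just described: the fodhelper.exe UAC bypass, Defender exclusion changes and antivirus process termination. The registry path it watches for the fodhelper technique is the publicly documented one and the antivirus process list is an illustrative placeholder; both are assumptions, not details taken from the article.

```python
import re

# Sample events in a simplified key=value form (constructed for this example, not from the report).
SAMPLE_EVENTS = [
    "ts=1 type=process pid=100 image=C:\\Users\\u\\Downloads\\report.exe parent=explorer.exe",
    "ts=2 type=registry_set pid=100 key=HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command",
    "ts=3 type=process pid=101 image=C:\\Windows\\System32\\fodhelper.exe parent=report.exe",
    "ts=4 type=process pid=102 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "cmdline=Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData",
    "ts=5 type=process pid=103 image=C:\\Windows\\System32\\taskkill.exe cmdline=taskkill /F /IM MsMpEng.exe",
    "ts=6 type=process pid=104 image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

# Registry path abused by the publicly documented fodhelper.exe auto-elevation bypass (assumption,
# not stated in the article); interactive users almost never write to it.
FODHELPER_KEY = r"software\classes\ms-settings\shell\open\command"
DEFENDER_EXCL_KEY = r"windows defender\exclusions"
AV_PROCESSES = {"msmpeng.exe"}  # illustrative placeholder; extend with the AV products in your estate
WINDOW = 60                     # max seconds between the registry write and the fodhelper launch

def parse_event(line):
    """Split 'k=v k=v ...' into a dict; values may contain spaces but not ' key='."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line)}

def detect(lines):
    """Return (ts, rule, pid) alerts for UAC-bypass prep, Defender exclusions and AV kills."""
    alerts, last_key_write = [], None
    for ev in map(parse_event, lines):
        ts, kind = int(ev["ts"]), ev["type"]
        if kind == "registry_set":
            key = ev.get("key", "").lower()
            if FODHELPER_KEY in key:
                last_key_write = ts
                alerts.append((ts, "uac_bypass_fodhelper_prep", ev["pid"]))
            elif DEFENDER_EXCL_KEY in key:
                alerts.append((ts, "defender_exclusion_added", ev["pid"]))
        elif kind == "process":
            image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            cmd = ev.get("cmdline", "").lower()
            # fodhelper launched shortly after the hijack key was written: the bypass itself
            if image == "fodhelper.exe" and last_key_write is not None and ts - last_key_write <= WINDOW:
                alerts.append((ts, "uac_bypass_fodhelper", ev["pid"]))
            if "add-mppreference" in cmd and "-exclusion" in cmd:
                alerts.append((ts, "defender_exclusion_added", ev["pid"]))
            if image == "taskkill.exe" and "/im" in cmd:
                target = cmd.split("/im", 1)[1].split()[0]
                if target in AV_PROCESSES:
                    alerts.append((ts, "av_process_kill", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```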
RuntimeBroker's main job is to fetch a component named Loader from the C2 server; Loader behaves the same way as the first-stage loader and launches the beaconing module to repeat the infection process.
The Loader payload also has some distinguishing features, such as checking whether it is running in a sandbox and scanning the Windows Registry for entries related to applications like Tencent WeChat and Alibaba DingTalk, which supports the hypothesis that the malware specifically targets Chinese systems.

RemoteShellcode, for its part, is configured to fetch the ValleyRAT downloader from the C2 server; the downloader then uses UDP or TCP sockets to connect to the server and retrieve the final payload.
ValleyRAT, attributed to a threat group known as Silver Fox, is a fully featured remote access tool that can remotely control compromised workstations. It can capture screenshots, execute commands, and deploy additional plugins on the victim’s system.
“This malware consists of multiple elements loaded in separate stages and predominantly relies on shellcode to execute them directly in memory, thereby substantially diminishing its digital footprint within the system,” remarked the researchers.
“Upon establishing a foothold in the system, it supports commands capable of monitoring the victim’s activities and deploying arbitrary plugins to further the malevolent intents of the threat actors.”
The development coincides with ongoing malspam campaigns that attempt to exploit an old Microsoft Office vulnerability (CVE-2017-0199) to run malicious commands and deliver GuLoader, Remcos RAT, and Sankeloader.
“CVE-2017-0199 continues to be exploited to enable the execution of remote code from within an XLS file,” Broadcom-owned Symantec said. “The campaigns furnished a contaminated XLS file with a hyperlink that would trigger the execution of a remote HTA or RTF file to fetch the ultimate payload.”