China-Linked ValleyRAT Malware Makes a Comeback with Enhanced Data Theft Techniques

Jun 11, 2024 | Newsroom | Malware / Cyber Attack

Cybersecurity researchers have discovered an updated version of the ValleyRAT malware, which is now being distributed as part of a new campaign.


According to Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati, in its latest iteration, ValleyRAT has introduced new functionalities such as screenshot capturing, process filtering, forced shutdown, and the erasure of Windows event logs.

QiAnXin and Proofpoint documented the ValleyRAT malware in 2023, linking it to a phishing campaign that targeted Chinese-speaking users and Japanese organizations. This campaign also distributed various other malware strains including Purple Fox and a variant of the Gh0st RAT trojan, known as Sainbox RAT (also called FatalRAT).


Attributed to a threat actor based in China, this malware is capable of harvesting sensitive data and deploying additional payloads on compromised systems.

The infection begins with a downloader that uses an HTTP File Server (HFS) to retrieve a file named “NTUSER.DXM,” which is then decoded to extract a DLL file responsible for downloading “client.exe” from the same server.

The decrypted DLL is also programmed to identify and stop anti-malware products from Qihoo 360 and WinRAR to avoid detection. Following this, the downloader proceeds to fetch three more files – “WINWORD2013.EXE,” “wwlib.dll,” and “xig.ppt” – from the HFS server.

Subsequently, the malware executes “WINWORD2013.EXE,” a legitimate executable linked to Microsoft Word, to load “wwlib.dll,” which then establishes persistence on the system and loads “xig.ppt” into memory.

According to the researchers, “The decrypted ‘xig.ppt’ continues the execution process as a means to decrypt and inject shellcode into svchost.exe. The malware creates svchost.exe as a paused process, allocates memory within the process, and writes the shellcode to this location.”

The shellcode includes crucial settings to communicate with a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file.

The researchers mentioned, “ValleyRAT employs a complex multi-stage procedure to infect a system with the final payload, which is responsible for executing most malicious activities. This step-by-step approach along with DLL side-loading is likely intended to better avoid host-based security solutions like EDRs and anti-virus programs.”


Meanwhile, Fortinet FortiGuard Labs uncovered a phishing campaign targeting Spanish-speaking individuals with an updated version of a keylogger and data thief called Agent Tesla.

This campaign exploits Microsoft Excel Add-Ins (XLA) file attachments to leverage known vulnerabilities (such as CVE-2017-0199 and CVE-2017-11882) and execute JavaScript code that loads a PowerShell script. This script, in turn, initiates a loader to retrieve Agent Tesla from a remote server.

According to security researcher Xiaopeng Zhang, “This variant gathers credentials and email contacts from the victim’s device, as well as the software used to extract data and the basic details of the victim’s device. Agent Tesla can also retrieve the victim’s email contacts if Thunderbird is their email client.”
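Both chains described above leave host-level traces that are easy to state as detection rules: a renamed Word binary loading wwlib.dll from outside the Office install tree (the side-loading step), svchost.exe being created by something other than services.exe (the injection target), the Security or System event log being cleared, and an Office application spawning a script host (the XLA-to-PowerShell step of the Agent Tesla campaign). The Python below is an added example written for this article, not code from Zscaler, Fortinet or any product; it runs the rules over a small set of constructed, Sysmon-style events. The event field names, the Office directory list and the assumption that services.exe is the only legitimate parent of svchost.exe are this example's own simplifications, and the parent check in particular will need tuning against real telemetry before it is used as an alert.

```python
"""Host-based detection heuristics for the ValleyRAT and Agent Tesla chains.

Events are simplified, Sysmon-style dicts constructed for this example; real
telemetry would come from Sysmon event IDs 1 (ProcessCreate) and 7 (ImageLoad)
and from the Windows Security/System logs (assumption: field names are ours).
"""
import ntpath

# Constructed sample telemetry: a mix of benign and suspicious events.
SAMPLE_EVENTS = [
    # Benign: Word loads its own wwlib.dll from the Office install directory.
    {"type": "ImageLoad", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
    # Suspicious: a copied Word binary side-loads wwlib.dll from a user-writable directory.
    {"type": "ImageLoad", "image": r"C:\Users\Public\WINWORD2013.EXE",
     "loaded": r"C:\Users\Public\wwlib.dll"},
    # Benign: services.exe starts svchost.exe.
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    # Suspicious: the side-loaded Word process spawns svchost.exe (injection target).
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\Public\WINWORD2013.EXE", "cmdline": "svchost.exe"},
    # Suspicious: Security log cleared (Windows event ID 1102 "The audit log was cleared").
    {"type": "EventLog", "channel": "Security", "event_id": 1102},
    # Suspicious: Excel spawns PowerShell after an attachment is opened.
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": "powershell -nop -w hidden -enc AAAA"},
]

# Assumption: Office binaries and their DLLs live only under these trees.
OFFICE_DIRS = (r"c:\program files\microsoft office",
               r"c:\program files (x86)\microsoft office")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _in_office_dir(path):
    """True if the path sits under one of the known Office install trees."""
    return path.lower().startswith(OFFICE_DIRS)


def check_event(ev):
    """Return the list of rule names that fire for one event (empty if benign)."""
    alerts = []
    kind = ev["type"]
    if kind == "ImageLoad" and _base(ev["loaded"]) == "wwlib.dll":
        # Side-loading: wwlib.dll, or the process loading it, is outside the Office tree.
        if not _in_office_dir(ev["loaded"]) or not _in_office_dir(ev["image"]):
            alerts.append("wwlib_sideload")
    elif kind == "ProcessCreate":
        child, parent = _base(ev["image"]), _base(ev["parent"])
        # Heuristic: legitimate svchost.exe instances are started by services.exe.
        if child == "svchost.exe" and parent != "services.exe":
            alerts.append("svchost_unusual_parent")
        # An Office application launching a script interpreter is a classic maldoc trace.
        if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
            alerts.append("office_spawns_script_host")
    elif kind == "EventLog" and (ev["channel"], ev["event_id"]) in LOG_CLEARED:
        alerts.append("event_log_cleared")
    return alerts


def scan(events):
    """Run every rule over a sequence of events; returns [(event_index, rule_name), ...]."""
    hits = []
    for idx, ev in enumerate(events):
        for name in check_event(ev):
            hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Run as a script it prints one line per alerting event; the two benign events (Word loading its own wwlib.dll, services.exe starting svchost.exe) produce nothing. The rules are deliberately narrow so that each one maps to a single step of the chains the article describes; in production the svchost parent rule and the Office-spawns-script-host rule are the ones that will need allow-listing for legitimate software.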
