A newly discovered variant of the ValleyRAT malware is making waves in the cybersecurity world. This sophisticated threat employs advanced evasion techniques, multi-stage infection chains, and innovative delivery methods to target high-value individuals in organizations.
Unveiling the ValleyRAT Threat
Researchers from the Morphisec Threat Lab have identified a new version of ValleyRAT, a complex malware linked to the infamous Silver Fox APT group. This variant is distributed through multiple channels, including phishing emails, instant messaging, and compromised websites. The primary targets are individuals in finance, accounting, and sales, with the aim of stealing sensitive data.
Infection Chain Analysis
Previous iterations of ValleyRAT used PowerShell scripts masquerading as legitimate software installers, often employing DLL hijacking techniques. These scripts injected their payload into signed executables from applications like WPS Office and Firefox. In contrast, the current version leverages a fake website of a Chinese telecom company, "Karlos," to distribute the malware.
- Initial Infection Vector: A fake Chrome browser download from anizomcom/ tricks users into executing the malware.
- Payload Injection: The dropped sscronet.dll injects code into the svchost.exe process and terminates any running process that appears on its exclusion list, a step meant to avoid detection.
Advanced Evasion Techniques
The malware uses a modified Douyin executable for DLL side-loading and a legitimate Tier0.dll from Valve games to execute hidden code. This code retrieves and decrypts the main ValleyRAT payload using Donut shellcode, allowing it to run in memory and bypass disk-based detection methods.
Technical Specifications
ValleyRAT is a C++-based remote access trojan with functionalities such as screen, keyboard, and mouse interaction. It includes extensive anti-VMware checks to evade detection in virtualized environments and connects to its C2 server using hardcoded IP addresses and ports.
- Network Communication: Attempts to connect to baidu.com if not running in a virtual machine.
- Security Evasion: Disables security mechanisms like AMSI and ETW.