Security News, 2:17 pm

Advanced ValleyRAT Campaign Hits Windows Users in China


FortiGuard Labs has uncovered a new, sophisticated ValleyRAT campaign targeting Windows users in China. ValleyRAT is a remote access trojan (RAT); a successful infection gives the threat actors control of the compromised machine.

ValleyRAT Malware and Its Targets

ValleyRAT has mainly targeted enterprises in e-commerce, finance, sales and management. The malware operates in multiple stages and uses a range of techniques to monitor and control its victims, and it can deliver arbitrary plugins to extend its capabilities and cause further damage.

The campaign observed by FortiGuard makes heavy use of shellcode to execute its components directly in memory, which significantly reduces the malware's file footprint on the victim's system.

ValleyRAT's lures use the icons of legitimate applications, including Microsoft Office, so that the malicious files appear harmless. The filenames are likewise chosen to resemble financial documents.

Once executed, ValleyRAT creates a mutex named TEST to ensure that only a single instance runs. It then modifies specific registry entries to store the IP address and port of its command-and-control (C2) server, which the malware uses to reach the attacker's infrastructure. Both the mutex name and the registry values are host-based indicators that can be checked on a suspect machine.

The malware also tries to evade analysis by checking whether it is running inside a virtual machine (VM); if it is, it terminates.

Advanced Techniques for Evasion and Execution

ValleyRAT employs sleep obfuscation: while the malware is idle, it changes the permissions of the memory region holding its code, so that memory scanners looking for executable regions do not flag it during the sleep. It also XOR-encodes its shellcode, a further layer that defeats simple pattern-based signatures, since the encoded bytes share no fixed pattern with the decoded code until the key is applied.
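As an added example (not code from the FortiGuard report or from this article), the following Python shows the two sides of the XOR layer: why a raw byte signature no longer matches the encoded blob, and how an analyst brute-forces a single-byte key or recovers a longer repeating key from known plaintext. The "shellcode" is a constructed stand-in whose first six bytes (cld; and rsp,-0x10; call) are a prologue common to position-independent x64 loader stubs; ValleyRAT's real shellcode bytes, key and key length are not given on this page, so the keys used here are assumptions. The repeating-key recovery goes beyond the single-byte case the text implies.

```python
"""Added example: XOR-encoded shellcode versus byte signatures, and known-plaintext
recovery of the key. Constructed data only; not ValleyRAT's real shellcode or key."""
from typing import List, Optional

# Constructed stand-in for a shellcode blob. The first six bytes (cld; and rsp,-0x10;
# call rel32) are a prologue common to position-independent x64 loader stubs and stand
# in here for the kind of fixed byte pattern a signature keys on. The rest is filler.
KNOWN_PREFIX = bytes.fromhex("fc4883e4f0e8")
SAMPLE_SHELLCODE = KNOWN_PREFIX + bytes.fromhex("c0000000415141505251") + bytes(range(32))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same call
    encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def signature_matches(blob: bytes, signature: bytes) -> bool:
    """What a purely pattern-based scanner does: look for the raw byte sequence."""
    return signature in blob


def brute_force_single_byte_xor(blob: bytes, known_prefix: bytes) -> List[int]:
    """Try every single-byte key; return the keys whose decode starts with known_prefix.
    With a prefix longer than one byte the answer is unique, because every prefix
    byte must agree on the same key."""
    n = len(known_prefix)
    return [k for k in range(256) if xor_bytes(blob[:n], bytes([k])) == known_prefix]


def recover_repeating_key(blob: bytes, known_prefix: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext attack on a repeating key of length key_len: the first key_len
    bytes of (blob XOR plaintext) are the key. Prefix bytes beyond key_len are used to
    confirm the key really repeats; a wrong key_len is reported as None."""
    if key_len <= 0 or len(known_prefix) < key_len or len(blob) < len(known_prefix):
        return None
    key = xor_bytes(blob[:key_len], known_prefix[:key_len])
    if xor_bytes(blob[:len(known_prefix)], key) != known_prefix:
        return None
    return key


if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE_SHELLCODE, b"\x5a")  # assumed single-byte key
    print("signature on plaintext:", signature_matches(SAMPLE_SHELLCODE, KNOWN_PREFIX))
    print("signature on encoded:  ", signature_matches(encoded, KNOWN_PREFIX))
    print("brute-forced key:      ", [hex(k) for k in brute_force_single_byte_xor(encoded, KNOWN_PREFIX)])
    encoded4 = xor_bytes(SAMPLE_SHELLCODE, b"\xde\xad\xbe\xef")  # assumed 4-byte key
    print("recovered 4-byte key:  ", recover_repeating_key(encoded4, KNOWN_PREFIX, 4))
```

The practical lesson is that XOR buys the attacker nothing against an analyst who knows a few bytes of the decoded payload, and it is exactly why signatures for this kind of loader are better written against the decoder stub or against behaviour (a region becoming executable, the sleep-and-flip pattern) than against the encoded bytes.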

The malware also relies on reflective DLL loading to run its components from memory without writing them to disk. After initialisation, it decrypts the next-stage shellcode with AES-256 and executes it through the sleep obfuscation routine. ValleyRAT additionally uses API hashing: rather than importing Windows API functions by name, it resolves them at runtime from hashes of their names, so the APIs it depends on appear neither in an import table nor as plaintext strings, which complicates static detection.
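As an added example (not ValleyRAT's code and not from the FortiGuard report), the Python below shows what API hashing hides and how an analyst reverses it: a table of candidate API names is hashed in advance, and a decoded sample is scanned for 32-bit constants that match. The ROR13 scheme is a classic, widely reused hash chosen for illustration; this page does not say which hash ValleyRAT uses, and the candidate API list (the calls a reflective loader with a sleep-obfuscation routine typically needs) and the sample blob are constructed assumptions.

```python
"""Added example: API-name hashing and the analyst's reverse lookup. The ROR13 hash
is illustrative; the page does not state ValleyRAT's hash. Constructed data only."""
import struct
from typing import Dict, Iterable, List, Tuple


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR13 API-name hash: for each byte of the ASCII name plus its
    terminating NUL, rotate the running hash right by 13 and add the byte."""
    h = 0
    for b in name.encode("ascii") + b"\x00":
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Assumed list of APIs a reflective loader with sleep obfuscation typically resolves.
# VirtualProtect and Sleep are the pair that flips page permissions around the sleep.
CANDIDATE_APIS = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                  "VirtualProtect", "CreateThread", "Sleep"]


def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so the loader's lookup can be done in reverse."""
    return {ror13_hash(n): n for n in api_names}


def find_api_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Scan a blob for 32-bit little-endian constants that are known API hashes.
    Returns (offset, api_name) pairs; this is the static counterpart of the
    loader's runtime resolution."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in table:
            hits.append((off, table[value]))
    return hits


def make_sample_blob() -> bytes:
    """Constructed stand-in for a decoded shellcode fragment: filler bytes with two
    hash constants embedded the way a hashing loader carries them."""
    return (b"\x90" * 5
            + struct.pack("<I", ror13_hash("VirtualProtect"))
            + b"\xcc" * 3
            + struct.pack("<I", ror13_hash("Sleep")))


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    for h, name in sorted(table.items(), key=lambda kv: kv[1]):
        print(f"{h:#010x}  {name}")
    print(find_api_hashes(make_sample_blob(), table))
```

Because the hash algorithm varies between malware families, the first step on a real sample is to lift the hashing routine from the resolver stub and swap it in for `ror13_hash`; the table-and-scan part of the workflow stays the same.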

Potential Connection to Silver Fox

ValleyRAT’s advanced evasion techniques and targeted attacks on Chinese systems indicate a strategic approach by threat actors, potentially linked to advanced persistent threat (APT) groups like “Silver Fox.” 

The malware’s ability to monitor user activity and deliver additional malicious plugins underscores the significant threat it poses to enterprise security.

“This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system,” FortiGuard said.

“Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plugins to further the threat actors’ intentions.”

Organizations should keep antivirus and intrusion prevention system (IPS) signatures current and ensure their employees undergo security awareness training to tackle threats like this.

Reference:

Advanced ValleyRAT Campaign Hits Windows Users in China
