Security News | 2:17 pm

Advanced ValleyRAT Campaign Hits Windows Users in China


A new sophisticated ValleyRAT campaign has been targeting Chinese systems. Uncovered by FortiGuard Labs, the campaign affects Windows users, allowing the threat actors to control compromised machines.

ValleyRAT Malware and Its Targets

ValleyRAT has mainly targeted e-commerce, finance, sales and management enterprises. The malware operates in multiple stages and uses several techniques to monitor and control its victims, and it can load arbitrary plugins to extend the damage it causes.

FortiGuard observed a campaign that relies heavily on shellcode to execute its components directly in memory, significantly reducing its footprint on the victim’s system.

ValleyRAT employs icons of legitimate applications, including Microsoft Office, to make malicious files appear harmless. The filenames are also created to look like financial documents.

Once executed, ValleyRAT creates a mutex named TEST to ensure a single instance runs. It then alters specific registry entries to store the IP and port of its command-and-control (C2) server, allowing it to communicate with the attacker’s servers.

The malware further attempts to evade detection by determining whether it is operating within a virtual machine (VM), and if so, it terminates its processes.

Advanced Techniques for Evasion and Execution

ValleyRAT employs sleep obfuscation, which involves modifying the permissions of the allocated memory in which its malicious code resides so that memory scanners do not detect it. It also XOR-encodes its shellcode, adding a further layer of complexity that hinders pattern-based security signatures.

Additionally, the malware relies on reflective DLL loading to run its components directly from memory. After initialization, the malware decrypts the shellcode using the AES-256 algorithm and executes this code through a sleep obfuscation routine. ValleyRAT also uses API hashing to obfuscate the names of the APIs it calls, complicating static analysis and detection.
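Two of the techniques described above, XOR-encoded shellcode and API hashing, are routinely undone during triage. The following is an added example of the analyst-side helpers for that work; it is not code from the original article or from FortiGuard. It assumes a single-byte XOR key and the common ROR13 hash scheme, because the article does not state the key length or hash algorithm ValleyRAT uses; an analyst would replace both with the values recovered from the actual sample. All sample data is constructed.

```python
"""Analyst helpers for XOR-encoded shellcode and hashed API references.

Added example, not code from the article or FortiGuard. The single-byte XOR
key and the ROR13 hash are assumptions standing in for whatever the real
sample uses.
"""

# Plaintext fragments an analyst expects to see once the blob is decoded.
KNOWN_MARKERS = (b"MZ", b"kernel32.dll", b"LoadLibraryA")


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR; the same call both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_single_byte_xor_key(blob: bytes, markers=KNOWN_MARKERS):
    """Brute-force all 256 single-byte keys and return the one whose decoded
    output matches the most markers (lowest key wins ties), or None if no
    key produces any marker. Scoring by count avoids a short marker such as
    b"MZ" matching by accident under a wrong key."""
    best_key, best_score = None, 0
    for k in range(256):
        decoded = xor_decode(blob, bytes([k]))
        score = sum(1 for m in markers if m in decoded)
        if score > best_score:
            best_key, best_score = k, score
    return best_key


def ror13_hash(name: str) -> int:
    """32-bit ROR13 hash of an API name (assumed scheme: rotate right by 13,
    then add the next byte)."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def build_hash_table(api_names):
    """Precompute hash -> name so hashed references seen in a dump or
    disassembly can be resolved back to readable API names."""
    return {ror13_hash(n): n for n in api_names}


def resolve_hashes(hashes, table):
    """Map each observed hash to an API name, or '<unknown>' if unresolved."""
    return {h: table.get(h, "<unknown>") for h in hashes}


# Constructed sample data; these are not real ValleyRAT artefacts.
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 8 + b"kernel32.dll\x00LoadLibraryA\x00"
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_decode(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))
SAMPLE_API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                    "VirtualProtect", "Sleep"]

if __name__ == "__main__":
    key = recover_single_byte_xor_key(SAMPLE_BLOB)
    print(f"recovered XOR key: {key:#04x}")
    table = build_hash_table(SAMPLE_API_NAMES)
    # Two hashes the table knows plus one it does not (hypothetical value).
    observed = [ror13_hash("VirtualProtect"), ror13_hash("Sleep"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"{h:#010x} -> {name}")
```

In practice the marker list is filled with strings already recovered from the sample, and the hash table is built from the export lists of the DLLs the malware is seen to resolve, so that unresolved hashes stand out as candidates for a less common module or a different hashing scheme.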

Potential Connection to Silver Fox

ValleyRAT’s advanced evasion techniques and targeted attacks on Chinese systems indicate a strategic approach by threat actors, potentially linked to advanced persistent threat (APT) groups like “Silver Fox.” 

The malware’s capabilities to monitor user activities and deliver additional malicious plugins underscore its significant threat to enterprise security.

“This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system,” FortiGuard said.

“Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plugins to further the threat actors’ intentions.”

Organizations should keep antivirus and intrusion prevention system (IPS) signatures current and ensure their employees undergo security awareness training to tackle threats like this.

Reference:

Advanced ValleyRAT Campaign Hits Windows Users in China
