Cybersecurity researchers have uncovered an updated version of the malware called ValleyRAT, which is being distributed as part of a new campaign. According to Zscaler ThreatLabz researchers, the latest version of ValleyRAT introduces new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs. Previously documented by QiAnXin and Proofpoint in 2023, ValleyRAT has been linked to a phishing campaign targeting Chinese-speaking users and Japanese organizations, distributing various malware families such as Purple Fox and Sainbox RAT (aka FatalRAT).
ValleyRAT is attributed to a China-based threat actor, with capabilities to harvest sensitive information and drop additional payloads onto compromised hosts. The infection starts with a downloader that uses an HTTP File Server (HFS) to fetch a file named “NTUSER.DXM,” which is decoded to extract a DLL file responsible for downloading “client.exe” from the same server. The decrypted DLL detects and terminates anti-malware solutions from Qihoo 360 and WinRAR to evade analysis, then retrieves three more files – “WINWORD2013.EXE,” “wwlib.dll,” and “xig.ppt” – from the HFS server.
The malware proceeds by launching “WINWORD2013.EXE,” a legitimate executable associated with Microsoft Word, using it to sideload “wwlib.dll” that establishes persistence on the system and loads “xig.ppt” into memory. From this point, the decrypted “xig.ppt” decrypts and injects shellcode into “svchost.exe,” creating it as a suspended process, allocating memory, and writing shellcode within it. The shellcode contains configuration to contact a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file.
ValleyRAT utilizes a convoluted multi-stage process to infect a system with the final payload that performs most of the malicious operations. This staged approach, combined with DLL side-loading, is designed to evade host-based security solutions such as EDRs and anti-virus applications. The development comes as Fortinet FortiGuard Labs uncovered a separate phishing campaign targeting Spanish-speaking individuals with an updated version of the keylogger and information stealer Agent Tesla, highlighting the continuously evolving landscape of cyber threats.
Reference:
