
ValleyRAT (Remote Access Trojan) – Malware

June 14, 2024

ValleyRAT

Type of Malware

RAT

Country of Origin

China

Date of initial activity

2023

Associated Groups

Unknown

Targeted Countries

Unknown

Motivation

Infiltrate and compromise systems, providing remote attackers with unauthorized access and control over infected machines

Attack vectors

Phishing emails or malicious downloads

Tools

Unknown

Targeted systems

Windows

Overview

ValleyRAT, first documented by the Chinese cybersecurity firm Qi An Xin in February 2023, is written in C++ and harbors functionalities traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) from a remote server and enumerating running processes. Its primary objective is to infiltrate and compromise systems, granting unauthorized access and control to remote attackers. ValleyRAT typically spreads through phishing emails or malicious downloads. Developed by a threat group based in China, ValleyRAT undergoes continuous updates, enhancing its capabilities such as capturing screenshots, filtering processes, forced shutdowns, and clearing Windows event logs. Employing a complex multistage process, ValleyRAT infects systems with a final payload responsible for executing most malicious activities. This staged approach, combined with DLL sideloading, aims to evade host-based security solutions like EDRs and antivirus applications.

Targets

Chinese-language speakers

How they operate

The latest campaign deploying the ValleyRAT malware encompasses several stages:

First stage: Downloader

ValleyRAT employs an initial-stage downloader to fetch five files from an HFS (HTTP File Server) server, which is used later for C2 communications. Initially, the downloader checks for the presence of the file NTUSER.DXM. If absent, it downloads it from the web, decrypts it using XOR and RC4 decryption, and proceeds to retrieve client.exe from the HFS server if the directory C:\Program Files\TCLS doesn't exist. The decrypted DLL includes an anti-AV check and downloads WINWORD2013.EXE, wwlib.dll, and xig.ppt from the HFS server. Finally, it executes WINWORD2013.EXE with administrative privileges, initiating the second stage.

Second stage: Loader (wwlib.dll)

WINWORD2013.EXE is utilized to sideload a malicious DLL, wwlib.dll. This DLL, acting as a loader, checks for the presence of xig.ppt, decrypts it, and continues execution to inject shellcode into svchost.exe.

Persistence

The second stage establishes persistence by adding C:\Users\WINWORD2013.EXE to the autorun key and setting the attributes of the relevant files to FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN.

Third stage: Injected shellcode

The injected shellcode configures connections with the C2 server and resolves APIs dynamically using a BKDR hashing algorithm.

Fourth stage: DLL received from the C2

Reflectively loading an embedded DLL from decrypted C2 data into memory, this stage executes the DLL entrypoint and load functions. It parses configuration data, checks for the final payload's presence, and downloads it if necessary.

Final Payload

The final payload is ValleyRAT, initially identified by Qi An Xin and attributed to the threat actor The Great Thief of Valley, also known as Silver Fox.
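The stages above leave a few host artifacts a responder can check for: the autorun entry pointing at C:\Users\WINWORD2013.EXE, the dropped files carrying both the SYSTEM and HIDDEN attribute bits, and the C:\Program Files\TCLS directory. The triage routine below is an added example, not code from the original write-up or from any of the cited reports; the autorun entries, file list and directory list it is fed are constructed sample data, and the attribute constants are the standard Win32 values.

```python
from dataclasses import dataclass

# Standard Win32 file attribute bits; the loader sets both on its dropped files.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
HIDDEN_AND_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM

# File names and paths taken from the stage description above (lower-cased).
DROPPED_FILES = {"ntuser.dxm", "winword2013.exe", "wwlib.dll", "xig.ppt", "client.exe"}
AUTORUN_IMAGE = r"c:\users\winword2013.exe"
STAGING_DIR = r"c:\program files\tcls"


@dataclass
class FileEntry:
    path: str
    attributes: int  # raw Win32 attribute bitmask as reported by the file system


def triage_host(autorun_values, files, directories):
    """Return human-readable findings for ValleyRAT-style artifacts.

    autorun_values: (value_name, command) pairs read from the Run key.
    files: FileEntry objects collected from disk.
    directories: directory paths present on the host.
    """
    findings = []
    for name, command in autorun_values:
        if AUTORUN_IMAGE in command.lower():
            findings.append(f"autorun '{name}' launches {command}")
    for entry in files:
        base = entry.path.lower().rsplit("\\", 1)[-1]
        # wwlib.dll also ships with a genuine Office install, so the
        # hidden+system bits are what separate the sideloaded copy from a legitimate one.
        if base in DROPPED_FILES and entry.attributes & HIDDEN_AND_SYSTEM == HIDDEN_AND_SYSTEM:
            findings.append(f"hidden+system dropped file: {entry.path}")
    if any(d.lower().rstrip("\\") == STAGING_DIR for d in directories):
        findings.append(f"staging directory present: {STAGING_DIR}")
    return findings


# Constructed sample host state for demonstration (not real telemetry).
SAMPLE_AUTORUN = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("WINWORD2013", r"C:\Users\WINWORD2013.EXE"),
]
SAMPLE_FILES = [
    FileEntry(r"C:\Users\WINWORD2013.EXE", 0x06),   # hidden + system
    FileEntry(r"C:\Users\wwlib.dll", 0x06),         # hidden + system
    FileEntry(r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll", 0x20),  # legit
]
SAMPLE_DIRS = [r"C:\Program Files\TCLS", r"C:\Users\alice"]

if __name__ == "__main__":
    for line in triage_host(SAMPLE_AUTORUN, SAMPLE_FILES, SAMPLE_DIRS):
        print(line)
```

Run against real hosts, the three inputs would come from the Run key, a directory walk and the file attribute bits rather than the constructed lists.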

Significant Malware Campaigns

  • Proofpoint observed an increase in the email distribution of malware associated with suspected Chinese cybercrime activity. This includes the attempted delivery of the Sainbox Remote Access Trojan (RAT) – a variant of the commodity trojan Gh0stRAT – and the newly identified ValleyRAT malware. (September 2023)
References:
  • Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
  • Technical Analysis of the Latest Variant of ValleyRAT
  • Don’t follow the footsteps of the 4 billion data leak incident! Warning of attacks on the financial and securities industries