| ValleyRAT | |
| --- | --- |
| Type of Malware | RAT |
| Country of Origin | China |
| Date of initial activity | 2023 |
| Associated Groups | Unknown |
| Targeted Countries | Unknown |
| Motivation | Infiltrate and compromise systems, providing remote attackers with unauthorized access and control over infected machines |
| Attack vectors | Phishing emails or malicious downloads |
| Tools | Unknown |
| Targeted systems | Windows |
Overview
ValleyRAT, first documented by the Chinese cybersecurity firm Qi An Xin in February 2023, is written in C++ and harbors functionalities traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) from a remote server and enumerating running processes.
Its primary objective is to infiltrate and compromise systems, granting unauthorized access and control to remote attackers. ValleyRAT typically spreads through phishing emails or malicious downloads.
Developed by a China-based threat group, ValleyRAT is continuously updated with new capabilities such as capturing screenshots, filtering processes, forcing shutdowns, and clearing Windows event logs. ValleyRAT infects systems through a complex multistage process whose final payload performs most of the malicious activity. This staged approach, combined with DLL sideloading, is intended to evade host-based security solutions such as EDRs and antivirus applications.
Targets
Chinese-language speakers
How they operate
The latest campaign deploying the ValleyRAT malware encompasses several stages:
First stage: Downloader
ValleyRAT uses an initial-stage downloader to fetch five files from an HFS server (the same server is later used for C2 communications). The downloader first checks for the presence of the file NTUSER.DXM. If it is absent, it downloads the file, decrypts it with XOR and RC4, and, if the directory C:\Program Files\TCLS does not exist, also retrieves client.exe from the HFS server. The decrypted DLL performs an anti-AV check and downloads WINWORD2013.EXE, wwlib.dll, and xig.ppt from the HFS server. Finally, it executes WINWORD2013.EXE with administrative privileges, starting the second stage.
Second stage: Loader (wwlib.dll)
WINWORD2013.EXE is utilized to sideload a malicious DLL, wwlib.dll. This DLL, acting as a loader, checks for the presence of xig.ppt, decrypts it, and continues execution to inject shellcode into svchost.exe.
Persistence
The second stage establishes persistence by adding C:\Users\WINWORD2013.EXE to the autorun key and setting attributes of relevant files to FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN.
Third stage: Injected shellcode
The injected shellcode configures connections with the C2 server and resolves APIs dynamically using a BKDR hashing algorithm.
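The dynamic API resolution in the third stage is what an analyst has to undo when reading the shellcode: the code carries only hashes, so the analyst precomputes hashes of known export names and looks the observed values up. The following added example (not code from the page or from any ValleyRAT sample) does that for the BKDR hash; the classic seed 131, the other candidate seeds, the 32-bit truncation and the list of API names are assumptions, since the page does not give them.

```python
from typing import Dict, Iterable, Optional, Tuple

# Candidate multipliers. 131 is the classic BKDR seed; the exact seed and
# hash width used by the ValleyRAT shellcode are not given on the page, so
# these values and the 32-bit truncation are assumptions.
CANDIDATE_SEEDS = (31, 131, 1313, 13131)

# Constructed list of Win32/Winsock exports a loader or RAT stage commonly
# resolves; a real analysis would hash the full export table of each DLL.
API_NAMES = (
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "CreateProcessA", "WinExec", "ExitProcess",
    "WSAStartup", "socket", "connect", "send", "recv",
)


def bkdr_hash(name: str, seed: int = 131) -> int:
    """BKDR string hash: h = h * seed + byte, truncated to 32 bits."""
    h = 0
    for b in name.encode("ascii"):
        h = (h * seed + b) & 0xFFFFFFFF
    return h


def build_table(names: Iterable[str], seed: int) -> Dict[int, str]:
    """Precompute hash -> API name for one seed (the analyst's lookup table)."""
    return {bkdr_hash(n, seed): n for n in names}


def resolve(hashes: Iterable[int],
            names: Iterable[str] = API_NAMES,
            seeds: Iterable[int] = CANDIDATE_SEEDS
            ) -> Dict[int, Optional[Tuple[str, int]]]:
    """Map each hash pulled from shellcode to (api_name, seed), or None
    when no candidate seed produces it from the known names."""
    names = tuple(names)
    tables = {seed: build_table(names, seed) for seed in seeds}
    result: Dict[int, Optional[Tuple[str, int]]] = {}
    for h in hashes:
        result[h] = None
        for seed, table in tables.items():
            if h in table:
                result[h] = (table[h], seed)
                break
    return result


if __name__ == "__main__":
    # Constructed sample: hashes as a seed-131 resolver would embed them,
    # plus one value that matches nothing in the name list.
    sample = [bkdr_hash(n) for n in ("LoadLibraryA", "connect", "recv")]
    sample.append(0x12345678)
    for h, hit in resolve(sample).items():
        print(f"0x{h:08x} -> {hit if hit else 'unresolved'}")
```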
Fourth stage: DLL received from the C2
This stage reflectively loads an embedded DLL, carved from the decrypted C2 data, into memory and calls its entry point and load functions. It parses configuration data, checks whether the final payload is already present, and downloads it if necessary.
Final Payload
The final payload is ValleyRAT, initially identified by Qi An Xin and attributed to the threat actor The Great Thief of Valley, also known as Silver Fox.
Significant Malware Campaigns
- Proofpoint observed an increase in the email distribution of malware associated with suspected Chinese cybercrime activity. This includes the attempted delivery of the Sainbox Remote Access Trojan (RAT) – a variant of the commodity trojan Gh0stRAT – and the newly identified ValleyRAT malware. (September 2023)