ValleyRAT (Remote Access Trojan) – Malware

Overview

ValleyRAT, first documented by the Chinese cybersecurity firm Qi An Xin in February 2023, is written in C++ and harbors functionalities traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) from a remote server and enumerating running processes. Its primary objective is to infiltrate and compromise systems, granting unauthorized access and control to remote attackers. ValleyRAT typically spreads through phishing emails or malicious downloads. Developed by a threat group based in China, ValleyRAT undergoes continuous updates, enhancing its capabilities such as capturing screenshots, filtering processes, forced shutdowns, and clearing Windows event logs. Employing a complex multistage process, ValleyRAT infects systems with a final payload responsible for executing most malicious activities. This staged approach, combined with DLL sideloading, aims to evade host-based security solutions like EDRs and antivirus applications.

Targets

Chinese-language speakers

How they operate

The latest campaign deploying the ValleyRAT malware encompasses several stages: First stage: Downloader ValleyRAT employs an initial stage downloader to fetch five files from an HFS server (used later for C2 communications). Initially, the downloader checks for the presence of the file NTUSER.DXM. If absent, it downloads it from the web, decrypts it using XOR and RC4 decryption, and proceeds to retrieve client.exe from the HFS server if the directory C:\Program Files\TCLS doesn’t exist. The decrypted DLL includes an anti-AV check and downloads WINWORD2013.EXE, wwlib.dll, and xig.ppt from the HFS server. Finally, it executes WINWORD2013.EXE with administrative privileges, initiating the second stage. Second stage: Loader (wwlib.dll) WINWORD2013.EXE is utilized to sideload a malicious DLL, wwlib.dll. This DLL, acting as a loader, checks for the presence of xig.ppt, decrypts it, and continues execution to inject shellcode into svchost.exe. Persistence The second stage establishes persistence by adding C:\Users\WINWORD2013.EXE to the autorun key and setting attributes of relevant files to FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN. Third stage: Injected shellcode The injected shellcode configures connections with the C2 server and resolves APIs dynamically using a BKDR hashing algorithm. Fourth stage: DLL received from the C2 Reflectively loading an embedded DLL from decrypted C2 data into memory, this stage executes DLL entrypoint and load functions. It parses configuration data, checks for the final payload’s presence, and downloads it if necessary. Final Payload The final payload is ValleyRAT, initially identified by Qi An Xin and attributed to the threat actor The Great Thief of Valley, also known as Silver Fox.

Significant Malware Campaigns

• Proofpoint observed an increase in the email distribution of malware associated with suspected Chinese cybercrime activity. This includes the attempted delivery of the Sainbox Remote Access Trojan (RAT) – a variant of the commodity trojan Gh0stRAT – and the newly identified ValleyRAT malware. (September 2023)

References:

• Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
• Technical Analysis of the Latest Variant of ValleyRAT
• Don’t follow the footsteps of the 4 billion data leak incident! Warning of attacks on the financial and securities industries