ValleyRAT (Remote Access Trojan) – Malware

June 14, 2024

ValleyRAT

Type of malware: RAT
Country of origin: China
Date of initial activity: 2023
Associated groups: Silver Fox, also tracked by Qi An Xin as The Great Thief of Valley
Targeted countries: Unknown
Motivation: Infiltrate and compromise systems, giving remote attackers unauthorized access to and control over infected machines
Attack vectors: Phishing emails or malicious downloads
Tools: Unknown
Targeted systems: Windows

Overview

ValleyRAT, first documented by the Chinese cybersecurity firm Qi An Xin in February 2023, is written in C++ and has the functionality traditionally seen in remote access trojans, such as fetching and executing additional payloads (DLLs and binaries) from a remote server and enumerating running processes. Its primary objective is to infiltrate and compromise systems, granting unauthorized access and control to remote attackers. ValleyRAT typically spreads through phishing emails or malicious downloads. Developed by a threat group based in China, ValleyRAT is continuously updated; later versions add capabilities such as capturing screenshots, filtering processes, forcing shutdowns, and clearing Windows event logs. ValleyRAT infects systems through a multistage process in which the final payload is responsible for most of the malicious activity. This staged approach, combined with DLL sideloading, is intended to evade host-based security solutions such as EDRs and antivirus applications, since the loader runs inside a legitimately named executable and the final payload only ever exists decrypted in memory.

Targets

Chinese-language speakers

How they operate

The latest campaign deploying ValleyRAT runs through several stages.

First stage: Downloader

ValleyRAT uses an initial-stage downloader to fetch five files from an HFS server, which is also used later for C2 communications. The downloader first checks for the presence of the file NTUSER.DXM. If it is absent, the downloader fetches it, decrypts it using XOR and RC4, and, if the directory C:\Program Files\TCLS does not exist, retrieves client.exe from the HFS server. The decrypted DLL includes an anti-AV check and downloads WINWORD2013.EXE, wwlib.dll, and xig.ppt from the HFS server. Finally, it executes WINWORD2013.EXE with administrative privileges, starting the second stage.

Second stage: Loader (wwlib.dll)

WINWORD2013.EXE is used to sideload a malicious DLL, wwlib.dll. This DLL, acting as a loader, checks for the presence of xig.ppt, decrypts it, and continues execution by injecting shellcode into svchost.exe.

Persistence

The second stage establishes persistence by adding C:\Users\WINWORD2013.EXE to the autorun key and setting the attributes of the relevant files to FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN.

Third stage: Injected shellcode

The injected shellcode sets up the connection to the C2 server and resolves the APIs it needs dynamically, hashing export names with the BKDR hashing algorithm and comparing them against hard-coded values, so the function names never appear as plaintext imports.

Fourth stage: DLL received from the C2

This stage reflectively loads an embedded DLL from the decrypted C2 data into memory and executes the DLL's entry point and load functions. It parses configuration data, checks whether the final payload is present, and downloads it if necessary.

Final payload

The final payload is ValleyRAT, initially identified by Qi An Xin and attributed to the threat actor The Great Thief of Valley, also known as Silver Fox.
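The third stage hides its imports behind BKDR hashes, so an analyst working the shellcode has to rebuild the hash and map the hard-coded values back to export names. The following is an added example of that workflow, not code from the ValleyRAT sample or from any of the referenced analyses. The candidate seed list, the two masking variants, and the API name list are assumptions for illustration; the real seed and the set of resolved exports must be recovered from the shellcode itself.

```python
"""Rebuild BKDR API-name hashes to resolve the imports a shellcode stage hides.

Added example, not code from the ValleyRAT sample or from the referenced
analyses. CANDIDATE_SEEDS, the two mask variants and API_NAMES are assumptions
for illustration; the real seed and export list come from the shellcode.
"""
from typing import Dict, Iterable, Optional, Tuple

# Classic BKDR seeds (31, 131, 1313, ...). Assumed: the sample's seed is
# whatever constant the shellcode multiplies by in its hash loop.
CANDIDATE_SEEDS = (31, 131, 1313, 13131, 131313)
MASKS = (0xFFFFFFFF, 0x7FFFFFFF)  # full 32-bit vs. the "& 0x7FFFFFFF" variant

# Constructed list of exports a downloader/injector typically resolves.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "OpenProcess", "CreateProcessA", "InternetOpenA", "InternetConnectA",
    "HttpOpenRequestA", "HttpSendRequestA", "InternetReadFile",
    "RegSetValueExA", "SetFileAttributesA", "ShellExecuteA",
]


def bkdr_hash(name: str, seed: int = 131, mask: int = 0xFFFFFFFF) -> int:
    """BKDR string hash: h = h*seed + byte for each byte, kept to 32 bits."""
    h = 0
    for b in name.encode("ascii"):
        h = (h * seed + b) & 0xFFFFFFFF
    return h & mask


def build_table(names: Iterable[str], seed: int = 131,
                mask: int = 0xFFFFFFFF) -> Dict[int, str]:
    """Map hash -> export name for one (seed, mask) choice."""
    return {bkdr_hash(n, seed, mask): n for n in names}


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Look a hard-coded hash up in a prebuilt table; None if unknown."""
    return table.get(h)


def guess_params(observed: Iterable[int],
                 names: Iterable[str] = API_NAMES) -> Optional[Tuple[int, int]]:
    """Find the (seed, mask) under which every observed hash resolves.

    Useful when the hash loop is recognised in the disassembly but its
    constant is unclear: try each candidate and keep the first that
    explains all observed values.
    """
    names, observed = list(names), list(observed)
    for seed in CANDIDATE_SEEDS:
        for mask in MASKS:
            table = build_table(names, seed, mask)
            if all(h in table for h in observed):
                return seed, mask
    return None


if __name__ == "__main__":
    # Constructed "hard-coded" hashes, as if pulled from a decoded shellcode blob.
    observed = [bkdr_hash(n, seed=1313) for n in ("VirtualAlloc", "CreateRemoteThread")]
    params = guess_params(observed)
    if params:
        table = build_table(API_NAMES, *params)
        for h in observed:
            print(f"{h:#010x} -> {resolve(h, table)}")
```

In practice the name list is generated from the export tables of the DLLs the shellcode actually loads (kernel32, wininet, advapi32, and so on) rather than typed by hand, and the seed is confirmed by reading the multiply in the hash loop; the brute-force over candidate seeds only shortcuts that when the loop is obfuscated.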
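The chain described above leaves three telemetry-visible artifacts: wwlib.dll loaded by a Word-named binary from outside an Office install, a Run-key value pointing at that binary, and a remote thread from it into svchost.exe. Below is an added example of hunting for those artifacts; it is not detection content from the page or from any vendor. The events are constructed Sysmon-style records simplified to dicts, the drop directory C:\Users\Public and the Run value name are assumptions (the page does not state where the downloader writes its files), and the rules are deliberately keyed on behaviour rather than file hashes.

```python
"""Hunt for the ValleyRAT loader chain in Sysmon-style telemetry.

Added example, not the page's or any vendor's detection logic. Event shapes
are simplified dicts modelled on Sysmon event IDs 1 (process create),
7 (image load), 8 (CreateRemoteThread) and 13 (registry value set). The
sample events, the C:\\Users\\Public drop path and the Run value name are
constructed for illustration.
"""
from typing import Callable, Dict, List, Tuple

OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed telemetry: one benign Office load, then the chain from the page.
EVENTS: List[Dict] = [
    {"id": 7, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
    {"id": 1, "image": r"C:\Users\Public\WINWORD2013.EXE", "integrity": "High"},
    {"id": 7, "image": r"C:\Users\Public\WINWORD2013.EXE",
     "loaded": r"C:\Users\Public\wwlib.dll"},
    {"id": 8, "source": r"C:\Users\Public\WINWORD2013.EXE",
     "target": r"C:\Windows\System32\svchost.exe"},
    {"id": 13, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\WINWORD2013.EXE"},
]


def _in_dirs(path: str, dirs: Tuple[str, ...]) -> bool:
    p = path.lower()
    return any(p.startswith(d) for d in dirs)


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_sideload(ev: Dict) -> bool:
    """Sysmon 7: Office's wwlib.dll loaded from outside an Office install dir."""
    return (ev["id"] == 7 and _base(ev["loaded"]) == "wwlib.dll"
            and not _in_dirs(ev["loaded"], OFFICE_DIRS))


def detect_run_key(ev: Dict) -> bool:
    """Sysmon 13: Run-key value pointing at a Word-named binary outside Office."""
    if ev["id"] != 13 or r"\currentversion\run" not in ev["key"].lower():
        return False
    value = ev["value"]
    return _base(value).startswith("winword") and not _in_dirs(value, OFFICE_DIRS)


def detect_injection(ev: Dict) -> bool:
    """Sysmon 8: remote thread created in svchost.exe from a non-system image."""
    return (ev["id"] == 8 and _base(ev["target"]) == "svchost.exe"
            and not _in_dirs(ev["source"], SYSTEM_DIRS))


RULES: Dict[str, Callable[[Dict], bool]] = {
    "dll_sideload_wwlib": detect_sideload,
    "runkey_winword_outside_office": detect_run_key,
    "remote_thread_into_svchost": detect_injection,
}


def hunt(events: List[Dict]) -> List[Tuple[str, Dict]]:
    """Return (rule name, event) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in hunt(EVENTS):
        print(f"[{name}] {ev}")
```

The sideload rule is the most portable of the three: any wwlib.dll that loads from a directory the Office installer never writes to is worth a look regardless of the parent's name, and the same shape works for other Office-adjacent DLLs attackers pair with renamed signed hosts. The svchost.exe rule will also fire on some legitimate service tooling, so it is better used as a correlation with the other two than on its own.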

Significant Malware Campaigns

  • Proofpoint observed an increase in the email distribution of malware associated with suspected Chinese cybercrime activity. This includes the attempted delivery of the Sainbox Remote Access Trojan (RAT) – a variant of the commodity trojan Gh0stRAT – and the newly identified ValleyRAT malware. (September 2023)
References:
  • Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape
  • Technical Analysis of the Latest Variant of ValleyRAT
  • Don’t follow the footsteps of the 4 billion data leak incident! Warning of attacks on the financial and securities industries
    © 2025 | CyberMaterial | All rights reserved

    Welcome Back!

    Login to your account below

    Forgotten Password?

    Retrieve your password

    Please enter your username or email address to reset your password.

    Log In

    Add New Playlist

    No Result
    View All Result
    • Alerts
    • Incidents
    • News
    • Cyber Decoded
    • Cyber Hygiene
    • Cyber Review
    • Definitions
    • Malware
    • Cyber Tips
    • Tutorials
    • Advanced Persistent Threats
    • Threat Actors
    • Report an incident
    • Password Generator
    • About Us
    • Contact Us
    • Advertise with us

    Copyright © 2025 CyberMaterial