An ongoing cyber campaign has been targeting Chinese-speaking users with a sophisticated malware known as ValleyRAT, attributed to the Silver Fox group. ValleyRAT is a multi-stage malware that uses various techniques to monitor, control, and deploy plugins on victim systems. One of its most notable features is the use of shellcode, which allows the malware to execute its components directly in memory, greatly reducing its file footprint and making it harder to detect. This malware is primarily designed to function stealthily, minimizing traces and remaining under the radar while continuing its malicious activities on compromised systems.
The attack begins with a first-stage loader, which masquerades as legitimate applications, such as Microsoft Office files, to trick users into executing the malware. Once the loader is run, it drops a decoy document while loading shellcode that advances the infection process. It then contacts a command-and-control (C2) server to download additional components like RuntimeBroker and RemoteShellcode. These components help escalate privileges on the infected system, ensuring the malware gains administrator-level access. The malware also uses techniques such as UAC bypass and exploits the CMSTPLUA COM interface to gain greater control over the system, similar to tactics used by other recent ransomware campaigns.
To further ensure its persistence, ValleyRAT takes steps to disable security defenses, including Microsoft Defender Antivirus. The malware creates exclusion rules for antivirus software and terminates security processes based on matching executable filenames, thus allowing it to evade detection and remain active. The second-stage loader, once downloaded, also uses shellcode to establish a secure link to the C2 server and execute the infection process again, ensuring the system remains compromised. Additionally, the malware checks the Windows Registry for keys related to Chinese applications like Tencent WeChat and Alibaba DingTalk, suggesting the malware specifically targets Chinese systems.
ValleyRAT is a fully-featured backdoor that gives threat actors the ability to remotely control infected workstations. It can take screenshots, execute arbitrary files, and load additional malicious plugins to further the attackers’ objectives. The malware operates in a multi-stage process, making it difficult to detect and neutralize. This attack is part of a broader trend of malspam campaigns exploiting old vulnerabilities, including CVE-2017-0199, to deliver remote access tools (RATs) like GuLoader, Remcos RAT, and Sankeloader. Symantec’s research indicates that these exploits are still actively used to deliver malicious payloads in ongoing campaigns.
Reference:
