Revived ValleyRAT Malware Exhibits Enhanced Data Theft Techniques
June 11, 2024
Researchers at Zscaler ThreatLabz have discovered an updated version of the ValleyRAT malware being disseminated as part of a fresh campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs," said researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati. The malware was first identified by QiAnXin and Proofpoint in 2023 during a phishing campaign targeting Chinese-speaking users and Japanese organizations. It was found distributing different malware families such as Purple Fox and a variant of the Gh0st RAT trojan referred to as Sainbox RAT (aka FatalRAT). The malware is believed to be the handiwork of a threat actor based in China, and possesses the ability to gather sensitive information and deliver extra payloads onto breached systems.
The malware commences its operation with a downloader that employs an HTTP File Server (HFS) to fetch a file named "NTUSER.DXM" that is decoded to extract a DLL file, which is then used to download "client.exe" from the same server. The decrypted DLL is also programmed to identify and terminate anti-malware solutions from Qihoo 360 and WinRAR in a bid to avoid analysis. Subsequently, the downloader retrieves three more files – "WINWORD2013.EXE," "wwlib.dll," and "xig.ppt" – from the HFS server. The malware then initiates "WINWORD2013.EXE," a legitimate executable linked with Microsoft Word, using it to sideload "wwlib.dll" that subsequently establishes persistence on the system and loads "xig.ppt" into memory.
The researchers noted that, "From here, the decrypted 'xig.ppt' continues the execution process as a mechanism to decrypt and inject shellcode into svchost.exe. The malware creates svchost.exe as a suspended process, allocates memory within the process, and writes shellcode there." The shellcode contains the necessary configuration to communicate with a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file. "ValleyRAT utilizes a convoluted multi-stage process to infect a system with the final payload that performs the majority of the malicious operations. This staged approach combined with DLL side-loading are likely designed to better evade host-based security solutions such as EDRs and anti-virus applications."
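The behaviours described above (a Word executable sideloading wwlib.dll from an unusual directory, svchost.exe spawned as an injection host, and the newer event-log-clearing command) each leave an observable a defender can key on. The following is an added example, not code from Zscaler or the article: a small detector run over constructed, Sysmon-like records whose field names, paths and event layout are assumptions made for this illustration.

```python
"""Toy detector for the ValleyRAT tradecraft described in the article.
Runs over constructed, Sysmon-like records (hypothetical field names)."""
import ntpath  # split Windows paths correctly on any host OS

# Constructed sample telemetry; these are NOT indicators from the report.
EVENTS = [
    {"type": "image_load", "image": r"C:\Users\Public\Music\WINWORD2013.EXE",
     "loaded": r"C:\Users\Public\Music\wwlib.dll"},
    {"type": "image_load",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "loaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\Public\Music\WINWORD2013.EXE"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "winevent", "channel": "Security", "event_id": 1102},
]

# Directories where wwlib.dll is legitimately loaded from (assumed defaults).
TRUSTED_OFFICE_ROOTS = (r"c:\program files\microsoft office",
                        r"c:\program files (x86)\microsoft office")


def is_office_sideload(ev):
    """wwlib.dll loaded by a Word binary from outside the Office install tree."""
    if ev.get("type") != "image_load":
        return False
    image = ntpath.basename(ev["image"].lower())
    loaded = ev["loaded"].lower()
    if ntpath.basename(loaded) != "wwlib.dll" or not image.startswith("winword"):
        return False
    return not loaded.startswith(TRUSTED_OFFICE_ROOTS)


def is_orphan_svchost(ev):
    """svchost.exe whose parent is not services.exe (a classic injection-host sign)."""
    if ev.get("type") != "process_create":
        return False
    return (ntpath.basename(ev["image"].lower()) == "svchost.exe"
            and ntpath.basename(ev["parent_image"].lower()) != "services.exe")


def is_log_clear(ev):
    """Windows Security event 1102: 'The audit log was cleared'."""
    return (ev.get("type") == "winevent" and ev.get("channel") == "Security"
            and ev.get("event_id") == 1102)


RULES = {"office_dll_sideload": is_office_sideload,
         "svchost_unexpected_parent": is_orphan_svchost,
         "event_log_cleared": is_log_clear}


def detect(events):
    """Return (rule_name, event) pairs for every rule that fires."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]
```

Process-creation telemetry does not record the CREATE_SUSPENDED flag, so the observable for the suspended svchost.exe stage is its unexpected parent rather than the suspension itself.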
In related news, Fortinet FortiGuard Labs have uncovered a phishing campaign that targets Spanish-speaking individuals with an updated version of a keylogger and information stealer named Agent Tesla. This attack chain leverages Microsoft Excel Add-Ins (XLA) file attachments that exploit known security flaws (CVE-2017-0199 and CVE-2017-11882) to trigger the execution of JavaScript code that loads a PowerShell script, which is engineered to launch a loader in order to retrieve Agent Tesla from a remote server. "This variant collects credentials and email contacts from the victim's device, the software from which it collects the data, and the basic information of the victim's device," security researcher Xiaopeng Zhang said. "Agent Tesla can also collect the victim's email contacts if they use Thunderbird as their email client."