Revived ValleyRAT Malware Exhibits Enhanced Data Theft Techniques

June 11, 2024

Researchers at Zscaler ThreatLabz have discovered an updated version of the ValleyRAT malware being disseminated as part of a fresh campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs," said researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati. The malware was first identified by QiAnXin and Proofpoint in 2023 during a phishing campaign targeting Chinese-speaking users and Japanese organizations. It was found distributing different malware families such as Purple Fox and a variant of the Gh0st RAT trojan referred to as Sainbox RAT (aka FatalRAT). The malware is believed to be the handiwork of a threat actor based in China, and possesses the ability to gather sensitive information and deliver extra payloads onto breached systems.

The malware commences its operation with a downloader that employs an HTTP File Server (HFS) to fetch a file named "NTUSER.DXM" that is decoded to extract a DLL file, which is then used to download "client.exe" from the same server. The decrypted DLL is also programmed to identify and terminate anti-malware solutions from Qihoo 360 and WinRAR in a bid to avoid analysis. Subsequently, the downloader retrieves three more files – "WINWORD2013.EXE," "wwlib.dll," and "xig.ppt" – from the HFS server. The malware then initiates "WINWORD2013.EXE," a legitimate executable linked with Microsoft Word, using it to sideload "wwlib.dll" that subsequently establishes persistence on the system and loads "xig.ppt" into memory.

The researchers noted: "From here, the decrypted 'xig.ppt' continues the execution process as a mechanism to decrypt and inject shellcode into svchost.exe. The malware creates svchost.exe as a suspended process, allocates memory within the process, and writes shellcode there." The shellcode contains the configuration needed to communicate with a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file. "ValleyRAT utilizes a convoluted multi-stage process to infect a system with the final payload that performs the majority of the malicious operations. This staged approach combined with DLL side-loading is likely designed to better evade host-based security solutions such as EDRs and anti-virus applications."
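The infection chain above leaves three host-side signals a defender can look for: a legitimate Office binary side-loading a DLL from an untrusted directory, svchost.exe being created by a parent other than services.exe, and the Security event log being cleared (Windows records that as event 1102). The following Python is an added example, not code from Zscaler's write-up or from the malware; it runs three such heuristics over constructed Sysmon- and Security-log-style records. The field names (`Image`, `ImageLoaded`, `ParentImage`, `Channel`) follow Sysmon's conventions, but every record, path and user name here is made up for the example.

```python
"""Heuristic detections for DLL side-loading, odd svchost.exe parents and log clearing.

Added example: the sample events below are constructed, not real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Directories where a co-located EXE+DLL pair is expected (Office, system binaries).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a).lower() == ntpath.dirname(b).lower()


def check_sideload(ev: dict) -> Alert | None:
    """Sysmon event 7 (image loaded): a DLL loaded from the same directory as its host
    EXE, outside the trusted install roots, is the classic side-loading layout
    (WINWORD2013.EXE + wwlib.dll dropped together in a user-writable folder)."""
    if ev.get("Channel") != SYSMON_CHANNEL or ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    if _same_dir(image, dll) and not _under_trusted_root(dll):
        return Alert("dll-sideload", f"{ntpath.basename(image)} loaded {dll}")
    return None


def check_svchost_parent(ev: dict) -> Alert | None:
    """Sysmon event 1 (process create): svchost.exe is normally started by services.exe.
    A suspended svchost.exe created by a user application is a common injection host."""
    if ev.get("Channel") != SYSMON_CHANNEL or ev.get("EventID") != 1:
        return None
    if ntpath.basename(ev["Image"]).lower() != "svchost.exe":
        return None
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if parent != "services.exe":
        return Alert("svchost-odd-parent", f"svchost.exe spawned by {ev['ParentImage']}")
    return None


def check_log_cleared(ev: dict) -> Alert | None:
    """Security event 1102: the audit log was cleared. This is rare in normal operation."""
    if ev.get("Channel") == "Security" and ev.get("EventID") == 1102:
        who = ev.get("SubjectUserName", "?")
        return Alert("eventlog-cleared", f"Security log cleared by {who}")
    return None


RULES = (check_sideload, check_svchost_parent, check_log_cleared)


def scan(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event and return the alerts in event order."""
    alerts: list[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign records interleaved with three suspicious ones.
SAMPLE_EVENTS = [
    {"Channel": SYSMON_CHANNEL, "EventID": 7,
     "Image": r"C:\Users\Public\Downloads\WINWORD2013.EXE",
     "ImageLoaded": r"C:\Users\Public\Downloads\wwlib.dll"},
    {"Channel": SYSMON_CHANNEL, "EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"},
    {"Channel": SYSMON_CHANNEL, "EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Channel": SYSMON_CHANNEL, "EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\Downloads\WINWORD2013.EXE"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "sampleuser"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The side-loading rule is deliberately generic: rather than matching the specific file names from this campaign, it flags any EXE and DLL pair that sit together outside the normal install roots, which also catches renamed copies. Expect some benign hits from portable applications run out of user folders, so in production the rule belongs behind an allow-list of known portable tools.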

In related news, Fortinet FortiGuard Labs have uncovered a phishing campaign that targets Spanish-speaking individuals with an updated version of a keylogger and information stealer named Agent Tesla. This attack chain leverages Microsoft Excel Add-Ins (XLA) file attachments that exploit known security flaws (CVE-2017-0199 and CVE-2017-11882) to trigger the execution of JavaScript code that loads a PowerShell script, which is engineered to launch a loader in order to retrieve Agent Tesla from a remote server. "This variant collects credentials and email contacts from the victim's device, the software from which it collects the data, and the basic information of the victim's device," security researcher Xiaopeng Zhang said. "Agent Tesla can also collect the victim's email contacts if they use Thunderbird as their email client."
