ValleyRAT Malware Campaign Targets Chinese Users with Sophisticated Techniques

August 16, 2024

Researchers from Fortinet FortiGuard Labs, Eduardo Altares and Joie Salvio, have reported an ongoing malware campaign targeting Chinese-speaking users. The campaign distributes a multi-stage malware known as ValleyRAT, which uses a variety of techniques to monitor and control its victims, as well as deploy additional plugins for further damage. The malware is noted for its extensive use of shellcode to execute its components directly in memory, reducing its file footprint on the victim's system.

The campaign was first identified in June 2024, when Zscaler ThreatLabz detailed attacks involving an updated version of ValleyRAT. The distribution method for the latest iteration of the malware remains unknown, but previous campaigns have used email messages containing URLs that lead to compressed executables.

The attack sequence begins with a first-stage loader that impersonates legitimate applications like Microsoft Office to appear harmless. The executable drops a decoy document and loads the shellcode to advance to the next phase of the attack. The loader also verifies that it's not running in a virtual machine.

The shellcode initiates a beaconing module that contacts a command-and-control (C2) server to download two components: RuntimeBroker and RemoteShellcode. It also establishes persistence on the host and gains administrator privileges by abusing a legitimate Windows binary named fodhelper.exe to bypass User Account Control (UAC). Another privilege-escalation method involves abusing the CMSTPLUA COM interface, a technique previously used by threat actors connected to the Avaddon ransomware and seen in recent Hijack Loader campaigns.

To ensure the malware runs without interruption, it sets exclusion rules for Microsoft Defender Antivirus and terminates various antivirus-related processes based on matching executable filenames. The primary task of RuntimeBroker is to retrieve a component named Loader from the C2 server, which functions similarly to the first-stage loader and executes the beaconing module to repeat the infection process. The Loader payload also conducts checks to determine if it's running in a sandbox and scans the Windows Registry for keys related to apps like Tencent WeChat and Alibaba DingTalk, supporting the theory that the malware primarily targets Chinese systems.
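The following is an added example, not code from the Fortinet report or this article: detection logic for the loader behaviours described in the two paragraphs above (a child process spawned by fodhelper.exe, fodhelper.exe launched from a user-writable directory, a Defender exclusion being added, and an antivirus process being killed by filename), run over constructed process-creation events. The event format, file paths and the antivirus process names are assumptions for illustration, not values from the report.

```python
"""Flag ValleyRAT-style loader behaviour in process-creation telemetry."""
import ntpath
import re

# Constructed Sysmon-like process-creation events (not real telemetry).
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\office_setup.exe",
     "cmd": "fodhelper.exe"},
    {"pid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\fodhelper.exe",
     "cmd": "cmd.exe /c start beacon.exe"},
    {"pid": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r'powershell -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"'},
    {"pid": 4, "image": r"C:\Windows\System32\taskkill.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "taskkill /F /IM 360tray.exe"},
    # Benign control: fodhelper.exe started from the desktop shell, no children.
    {"pid": 5, "image": r"C:\Windows\System32\fodhelper.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "fodhelper.exe"},
]

# Assumed (illustrative) antivirus process names; the report does not list the real set.
AV_PROCESSES = {"360tray.exe", "msmpeng.exe", "qqpcrtp.exe"}

USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
EXCLUSION_RE = re.compile(r"(add|set)-mppreference\b.*-exclusion", re.I)
TASKKILL_RE = re.compile(r"/im\s+([\w.-]+)", re.I)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, rule) pairs for every event that matches a loader behaviour."""
    alerts = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmd"]
        if parent == "fodhelper.exe":            # auto-elevated binary should not spawn children
            alerts.append((ev["pid"], "fodhelper_child"))
        if image == "fodhelper.exe" and USER_WRITABLE.search(ev["parent"]):
            alerts.append((ev["pid"], "fodhelper_from_user_dir"))
        if EXCLUSION_RE.search(cmd):             # Defender exclusion change via PowerShell
            alerts.append((ev["pid"], "defender_exclusion_added"))
        m = TASKKILL_RE.search(cmd)
        if image == "taskkill.exe" and m and m.group(1).lower() in AV_PROCESSES:
            alerts.append((ev["pid"], "av_process_kill"))
    return alerts


def stages_hit(events):
    """Distinct loader behaviours seen; several together is a strong signal."""
    return {rule for _, rule in detect(events)}
```

Running `detect(EVENTS)` flags events 1 through 4 and leaves the benign fodhelper.exe launch (event 5) alone.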

RemoteShellcode is configured to fetch the ValleyRAT downloader from the C2 server, which then uses UDP or TCP sockets to connect to the server and receive the final payload. ValleyRAT, attributed to a threat group called Silver Fox, is a comprehensive backdoor capable of remotely controlling compromised workstations. It has the ability to take screenshots, execute files, and load additional plugins on the victim system.

Ongoing malspam campaigns are attempting to exploit an old Microsoft Office vulnerability (CVE-2017-0199) to execute malicious code and deliver GuLoader, Remcos RAT, and Sankeloader. According to Broadcom-owned Symantec, "CVE-2017-0199 is still targeted to allow for execution of remote code from within an XLS file. The campaigns delivered a malicious XLS file with a link from which a remote HTA or RTF file would be executed to download the final payload."
