Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics
August 16, 2024 | Ravie Lakshmanan | Cyber attack / Malware

Chinese-speaking users are being targeted in an ongoing campaign spreading malware known as ValleyRAT.

“ValleyRAT is a multi-stage malware that uses multiple techniques to monitor and control its victims, as well as deploy random plugins to cause further damage,” said Eduardo Altares and Joie Salvio, researchers at Fortinet FortiGuard Labs.

“Another notable feature of this malware is its extensive use of shellcode to execute its many components directly in memory, significantly reducing the file footprint on the victim’s system.”

Details of the campaign first emerged in June 2024, when Zscaler ThreatLabz detailed attacks using an updated version of the malware.

How exactly the latest version of ValleyRAT is being distributed is currently unknown. However, previous campaigns have used emails with URLs pointing to compressed executable files.


The attack sequence consists of multiple stages and starts with a first-stage loader that poses as a legitimate application, such as Microsoft Office, so that it appears harmless (for example, “工商年报大师.exe” or “补单对接更新记录txt.exe”).

Launching the executable causes the decoy document to be removed and the shellcode to be loaded to proceed to the next phase of the attack. The loader also takes steps to validate that it is not running in a virtual machine.

The shellcode is responsible for initiating a beacon module that contacts a command-and-control (C2) server to download two components, RuntimeBroker and RemoteShellcode. It also establishes persistence on the host and gains administrative privileges by abusing a legitimate Windows binary, fodhelper.exe, to bypass User Account Control (UAC).

The second method used for privilege escalation involves the abuse of the CMSTPLUA COM interface, a technique previously employed by attackers associated with the Avaddon ransomware and also observed in recent Hijack Loader campaigns.

To ensure that the malware can run unhindered on the computer, exclusion rules are configured for Microsoft Defender Antivirus and various antivirus-related processes are terminated based on matching executable file names.
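The three loader behaviours just described (the fodhelper.exe UAC bypass, Defender exclusion changes and AV process termination) leave telemetry a defender can correlate. The following is an added example, not code from the article or from Fortinet: a small triage routine over constructed JSON event lines. It assumes the bypass writes the HKCU ms-settings shell handler that fodhelper.exe auto-elevates through, that exclusions land under the Windows Defender Exclusions registry key, and a placeholder set of AV image names.

```python
import json

# Registry paths that mark the behaviours named in the article (assumptions: the
# HKCU ms-settings handler fodhelper.exe auto-elevates through, and the Defender
# exclusion list under HKLM); matching is case-insensitive substring.
FODHELPER_KEY = r"software\classes\ms-settings\shell\open\command"
EXCLUSION_KEY = r"software\microsoft\windows defender\exclusions"
# Example AV image names; replace with the products actually deployed.
AV_IMAGES = {"msmpeng.exe", "360tray.exe"}

# Constructed telemetry (one JSON event per line), not real ValleyRAT data.
SAMPLE_LOG = r"""
{"type": "reg_set", "pid": 4120, "image": "C:\\Users\\u\\Downloads\\工商年报大师.exe", "key": "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command", "value": "DelegateExecute"}
{"type": "process_create", "pid": 4130, "ppid": 4120, "image": "C:\\Windows\\System32\\fodhelper.exe"}
{"type": "reg_set", "pid": 4130, "image": "C:\\Windows\\System32\\fodhelper.exe", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths", "value": "C:\\ProgramData\\rt"}
{"type": "process_terminate", "pid": 4140, "image": "C:\\Windows\\System32\\taskkill.exe", "target": "360tray.exe"}
{"type": "process_create", "pid": 5000, "ppid": 800, "image": "C:\\Windows\\System32\\notepad.exe"}
"""

def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(lines):
    """Return a list of findings; a fodhelper.exe launch is only flagged when its
    parent process previously wrote the ms-settings handler key."""
    findings = []
    handler_writers = {}  # pid -> image that planted the handler
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("type")
        if kind == "reg_set":
            key = ev.get("key", "").lower()
            if FODHELPER_KEY in key:
                handler_writers[ev["pid"]] = ev["image"]
                findings.append(f"ms-settings handler written by pid {ev['pid']} ({image_name(ev['image'])})")
            elif EXCLUSION_KEY in key:
                findings.append(f"Defender exclusion added by pid {ev['pid']}: {ev.get('value')}")
        elif kind == "process_create":
            if image_name(ev.get("image", "")) == "fodhelper.exe" and ev.get("ppid") in handler_writers:
                findings.append(f"fodhelper.exe spawned by pid {ev['ppid']}: likely UAC bypass")
        elif kind == "process_terminate" and image_name(ev.get("target", "")) in AV_IMAGES:
            findings.append(f"AV process {image_name(ev['target'])} terminated by pid {ev['pid']}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(finding)
```

Against the constructed log the routine reports four findings and ignores the benign notepad.exe launch; in production the same correlation would run over Sysmon or EDR registry and process events.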

The primary task of RuntimeBroker is to retrieve a component called Loader from the C2 server. This component functions in the same way as the first-stage loader and executes the beaconing module to repeat the infection process.

The Loader payload also exhibits some notable features, including performing checks to see if it is running in a sandbox and scanning the Windows registry for keys related to apps like Tencent WeChat and Alibaba DingTalk. This strengthens the hypothesis that the malware is exclusively targeting Chinese systems.


RemoteShellcode, on the other hand, is configured to retrieve the ValleyRAT downloader from the C2 server, which then uses UDP or TCP sockets to connect to the server and receive the final payload.

ValleyRAT, attributed to a threat group called Silver Fox, is a fully-featured backdoor that can remotely control compromised workstations. It can take screenshots, execute files, and load additional plugins on the victim’s system.

“This malware consists of several components that are loaded in different stages and mainly uses shellcode to execute them directly in memory. This significantly reduces the number of files traced in the system,” the researchers said.

“Once the malware gains a foothold in the system, it supports commands that can monitor the victim’s activities and deliver arbitrary plugins to support the malicious actors’ intentions.”

The development comes amid ongoing spam campaigns attempting to exploit an old vulnerability in Microsoft Office (CVE-2017-0199) to execute malicious code and distribute GuLoader, Remcos RAT, and Sankeloader.

“CVE-2017-0199 continues to focus on remote code execution via an XLS file,” said Symantec, owned by Broadcom. “The campaigns delivered a malicious XLS file with a link that would execute a third-party HTA or RTF file to download the final payload.”
