ValleyRAT Malware Campaign Targets Chinese-Speaking Regions
A Sophisticated Phishing Campaign
By Ravie Lakshmanan, January 21, 2025
A series of cyber attacks have targeted Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China, using a known malware called ValleyRAT. The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload.
The Infection Chain
The infection chain commences with a phishing page designed to encourage victims to download a malicious Microsoft Installer (MSI) package disguised as legitimate software.
The Phishing Page
The phishing page is designed to lure victims into downloading the malicious MSI package. Once executed, the installer deploys a benign application to avoid arousing suspicion, while also stealthily extracting an encrypted archive containing the malware payload.
The MSI Package
The MSI package uses the Windows Installer’s CustomAction feature to execute malicious code, including running an embedded malicious DLL that decrypts the archive (all.zip) using a hardcoded password ‘hello202411’ to extract the core malware components.
The Malware Payload
The malware payload includes a rogue DLL ("libcef.dll"), a legitimate application ("down.exe") that’s used as a cover to conceal the malicious activities, and two payload files masquerading as PNG images ("aut.png" and "view.png").
The PNGPlug Loader
The main objective of the PNGPlug loader is to prepare the environment for executing the main malware by injecting "aut.png" and "view.png" into memory in order to set up persistence by making Windows Registry changes and executing ValleyRAT, respectively.
ValleyRAT: A Remote Access Trojan
ValleyRAT is a remote access trojan (RAT) that’s capable of providing attackers with unauthorized access and control over infected machines. Recent versions of the malware have incorporated features to capture screenshots and clear Windows event logs.
The Threat Group Behind the Attack
It’s assessed to be linked to a threat group called Silver Fox, which also shares tactical overlaps with another activity cluster named Void Arachne owing to the use of a command-and-control (C&C) framework called Winos 4.0.
Conclusion
The campaign is unique for its focus on the Chinese-speaking demographic and the use of software-related lures to activate the attack chain. The attackers’ sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications, further elevates the threat.
Stay Informed
Follow us on Twitter and LinkedIn to read more exclusive content we post.
