A dangerous shadow looms over China.
Recently, FortiGuard Labs discovered a new ValleyRAT malware campaign targeting Chinese-speaking users. Historically, this malware has targeted businesses in e-commerce, finance, sales, and management.
ValleyRAT is a multi-stage malware that uses various methods to monitor and control its victims, as well as to deploy additional plugins in order to cause more damage. One of the key features of this software is the active use of shellcode for executing components directly in memory, which significantly reduces traces of its presence in the system.
To disguise itself, ValleyRAT uses icons of legitimate applications, such as Microsoft Office, and file names associated with financial documents, which makes the lure more convincing to users. At startup, the program creates an empty file and opens it in the Microsoft Office document management application to create the appearance of legitimacy.
After installation, ValleyRAT checks whether it is running in a virtual machine, and if it detects signs of virtualization, it stops executing. The malware also uses a "sleep" technique to evade detection systems, which makes it harder for antivirus products to identify it.
During the initialization phase, ValleyRAT adds a task to the Windows Task Scheduler to ensure that it is executed automatically every time the user logs in. It also exploits known vulnerabilities in legitimate applications to gain administrator privileges without notifying the user.
ValleyRAT effectively bypasses antivirus systems, in particular Chinese ones, which once again confirms its focus on Chinese users. The malware terminates antivirus processes, modifies their settings in the registry, and takes additional measures to remain hidden.
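One defensive check that follows from the logon persistence described above, as an added example that is not from the article or from Fortinet's research: it parses an exported Task Scheduler XML definition and flags logon-triggered tasks that launch from a user-writable path or request elevated privileges. The sample task definitions and the path heuristic are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Real namespace used by Windows Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic (an assumption, tune per environment): a logon task whose action
# lives under a user-writable directory is worth an analyst's attention.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def triage_task(xml_text: str) -> dict:
    """Return trigger/action facts and a list of reasons the task looks odd."""
    root = ET.fromstring(xml_text)
    has_logon = root.find(".//t:Triggers/t:LogonTrigger", NS) is not None
    cmds = [c.text or "" for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    run_level = root.findtext(".//t:Principals/t:Principal/t:RunLevel", "", NS)
    reasons = []
    if has_logon:
        reasons.append("runs at user logon")
    if any(h in c.lower() for c in cmds for h in USER_WRITABLE_HINTS):
        reasons.append("executable in user-writable path")
    if run_level == "HighestAvailable":
        reasons.append("requests highest available privileges")
    # Logon persistence alone is common; combined with another sign it is not.
    suspicious = has_logon and len(reasons) > 1
    return {"logon": has_logon, "commands": cmds, "run_level": run_level,
            "reasons": reasons, "suspicious": suspicious}

# Constructed sample task definitions (not real ValleyRAT artifacts).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\Public\\Documents\\invoice_2024.exe</Command>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        result = triage_task(xml_text)
        print(name, result["suspicious"], result["reasons"])
```

On a live host the same function can be fed the files under `C:\Windows\System32\Tasks` or the output of `schtasks /query /xml`.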
In addition, ValleyRAT has the functionality to remotely execute commands and download additional components from the command server, which allows attackers to gain full control over the infected system.
This malware is capable of executing various commands, such as monitoring user activity and installing additional malicious modules, which makes it particularly dangerous for victims.
Fortinet continues to monitor ValleyRAT activity and provides updates to protect its customers from this threat. Fortinet's antivirus solutions, such as FortiGate and FortiMail, already include signatures to detect and block ValleyRAT.
To protect against such threats, we recommend that you regularly update your antivirus software and raise user awareness of possible cyber threats.