ValleyRAT: a werewolf Trojan. How does it infect computers?

Tomcat

A multi-stage infection chain helps the malware bypass antivirus and EDR protection.

Cybersecurity researchers have discovered an updated version of the ValleyRAT malware distributed as part of a new malware campaign.

"The latest version of ValleyRAT introduces new commands such as screenshot capture, process filtering, forced shutdown, and clearing of Windows event logs," Zscaler researchers said.

ValleyRAT was previously documented by QiAnXin and Proofpoint in 2023 in connection with a phishing campaign targeting Chinese-speaking users and Japanese organizations. The campaign distributed various malware families, such as Purple Fox and a variant of the Gh0st RAT Trojan known as Sainbox RAT (aka FatalRAT).

The malware is believed to have been developed by a China-based group and can collect sensitive information and deploy additional payloads on compromised devices.

The initial stage is a loader that downloads the file "NTUSER.DXM" from an HTTP File Server (HFS). That file is decoded to extract a DLL, which in turn is responsible for loading "client.exe" from the same server.

The decrypted DLL is also designed to detect and terminate antivirus solutions in order to hinder analysis. The loader then downloads three more files, "WINWORD2013.EXE", "wwlib.dll" and "xig.ppt", from the HFS server.

Next, the malware runs "WINWORD2013.EXE", a legitimate executable associated with Microsoft Word, and abuses it to sideload the malicious "wwlib.dll" (DLL sideloading), which in turn establishes persistence on the system and loads "xig.ppt" into memory.

"From here, the decrypted xig.ppt continues the execution process as a mechanism for decrypting and injecting shellcode into svchost.exe," the researchers noted. "The malware creates svchost.exe as a suspended process, allocates memory in that process and writes the shellcode there."

The shellcode, in turn, contains the necessary configuration to connect to the C2 server and load the ValleyRAT payload as a DLL file.

"ValleyRAT uses a complex multi-step process to infect the system with the final payload that performs most of the malicious operations," the researchers said. "This multi-step approach, combined with the use of DLL sideloading, is probably designed to better bypass security solutions such as EDR and antivirus applications."
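The chain above leaves three observable traces a defender can hunt for: a Word binary loading wwlib.dll from somewhere other than an Office install directory (the sideload), svchost.exe being spawned by a process other than services.exe (the suspended injection target), and the Security audit log being cleared (the new log-clearing command). The script below is an added example written for this page, not code from Zscaler or from the malware; it runs those three heuristics over constructed Sysmon-style events. The field names follow Sysmon's Event ID 1 (ProcessCreate) and 7 (ImageLoad) schema and Windows Security Event ID 1102; the staging path C:\Users\Public and every sample value are invented for illustration.

```python
"""Hunting heuristics for the ValleyRAT infection chain (added example).

Each detector takes one event (a dict shaped like a Sysmon or Security
event) and returns an alert tuple or None. The sample events at the
bottom are constructed; no real telemetry is embedded.
"""
import ntpath

SYSMON = "Microsoft-Windows-Sysmon/Operational"

# Directories where a legitimate wwlib.dll lives next to WINWORD.EXE.
OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)

# Legitimate parents of svchost.exe. services.exe is the normal case;
# extend this allowlist from your own baseline rather than guessing.
SVCHOST_PARENTS = {"services.exe"}


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def detect_sideload(ev):
    """Event ID 7: a Word binary loading wwlib.dll from outside Office,
    or an unsigned wwlib.dll. The chain drops WINWORD2013.EXE and a
    malicious wwlib.dll side by side in a writable directory."""
    if ev.get("Channel") != SYSMON or ev.get("EventID") != 7:
        return None
    if not _base(ev["Image"]).startswith("winword"):
        return None
    if _base(ev["ImageLoaded"]) != "wwlib.dll":
        return None
    loaded_dir = _dir(ev["ImageLoaded"])
    in_office = any(loaded_dir.startswith(d) for d in OFFICE_DIRS)
    if in_office and ev.get("Signed") == "true":
        return None
    return ("dll_sideload", ev["Image"], ev["ImageLoaded"])


def detect_svchost_spawn(ev):
    """Event ID 1: svchost.exe started by a non-allowlisted parent.
    Sysmon does not expose the CREATE_SUSPENDED flag, so the anomalous
    parent (here the sideloaded Word process) is the visible signal."""
    if ev.get("Channel") != SYSMON or ev.get("EventID") != 1:
        return None
    if _base(ev["Image"]) != "svchost.exe":
        return None
    if _base(ev.get("ParentImage", "")) in SVCHOST_PARENTS:
        return None
    return ("svchost_anomalous_parent", ev["ParentImage"], ev["Image"])


def detect_log_clear(ev):
    """Security 1102 (audit log cleared) or System 104 (event log cleared)."""
    ch, eid = ev.get("Channel"), ev.get("EventID")
    if (ch, eid) in (("Security", 1102), ("System", 104)):
        return ("eventlog_cleared", ev.get("SubjectUserName", "?"), ch)
    return None


DETECTORS = (detect_sideload, detect_svchost_spawn, detect_log_clear)


def scan(events):
    """Run every detector over every event; return the alerts in order."""
    alerts = []
    for ev in events:
        for detect in DETECTORS:
            hit = detect(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: two benign events, three matching the chain.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 7,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
     "Signed": "true"},                                   # benign Word
    {"Channel": SYSMON, "EventID": 7,
     "Image": r"C:\Users\Public\WINWORD2013.EXE",        # assumed staging dir
     "ImageLoaded": r"C:\Users\Public\wwlib.dll", "Signed": "false"},
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},  # benign svchost
    {"Channel": SYSMON, "EventID": 1,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\WINWORD2013.EXE"},   # injection target
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "victim"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints three alerts and stays silent on the two benign events. Tune SVCHOST_PARENTS and OFFICE_DIRS from your own baseline: per-user Office installs and a few Windows components that launch svchost.exe directly will otherwise produce false positives.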