A new sophisticated ValleyRAT campaign has been targeting Chinese systems. Uncovered by FortiGuard Labs, the campaign affects Windows users, allowing the threat actors to control compromised machines.
ValleyRAT Malware and Its Targets
ValleyRAT has mainly targeted e-commerce, finance, sales and management enterprises. The malware uses multiple stages and techniques to monitor and control its victims, employing arbitrary and specific plugins to cause additional damage.
The campaign observed by FortiGuard uses heavy shellcode to execute its components directly in memory, significantly reducing its footprint on the victim’s system.
ValleyRAT employs tactics like using icons of legitimate applications, including Microsoft Office, to make malicious files appear harmless. The filenames are also created to look like financial documents.
Once executed, ValleyRAT creates a mutex named TEST to ensure a single instance runs. It then alters specific registry entries to store the IP and port of its command-and-control (C2) server, allowing it to communicate with the attacker’s servers.
The malware further attempts to evade detection by determining whether it is operating within a virtual machine (VM), and if so, it terminates its processes.
Advanced Techniques for Evasion and Execution
ValleyRAT employs sleep obfuscation techniques, which involve modifying the permissions of allocated memory where malicious code lives to avoid detection by memory scanners. It also uses an XOR operation to encode the shellcode, adding one more layer of complexity that further challenges pattern-based security signatures.
Additionally, the malware relies on reflective DLL loading to run its components directly from memory. After initialization, the malware decrypts shellcode using the AES-256 algorithm and then executes this code through a sleep obfuscation routine. ValleyRAT also utilizes API hashing to obfuscate the API names it employs, complicating the detection process.
Potential Connection to Silver Fox
ValleyRAT’s advanced evasion techniques and targeted attacks on Chinese systems indicate a strategic approach by threat actors, potentially linked to advanced persistent threat (APT) groups like “Silver Fox.”
The malware’s capabilities to monitor user activities and deliver additional malicious plugins underscore its significant threat to enterprise security.
"This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system," FortiGuard said.
"Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim's activities and delivering arbitrary plugins to further the threat actors’ intentions"
To tackle threats like this, organizations should keep antivirus and intrusion prevention system (IPS) signatures up to date and ensure their employees undergo security awareness training.