Proofpoint notes a rise in Chinese-themed malware campaigns targeting Chinese-language speakers, including Sainbox (Gh0stRAT variant) and the newly identified ValleyRAT, alongside legacy Purple Fox. The campaigns use Chinese-language lures and diverse delivery methods across multiple clusters, indicating a broader expansion of the Chinese malware ecosystem rather than a single actor. #ValleyRAT #Sainbox #Gh0stRAT #PurpleFox #Proofpoint #ChineseThemedCampaigns
Key points
- Proofpoint observed increased activity from malware families targeting Chinese-language speakers.
- Campaigns use Chinese-language lures and are associated with Chinese cybercrime activity (Sainbox, Gh0stRAT, ValleyRAT, Purple Fox).
- ValleyRAT is a newly observed malware; Sainbox RAT and Purple Fox remain active; multiple clusters suggest distinct activity sets.
- Delivery methods include URLs to zipped executables and attachments (Excel/PDF) containing URLs.
- ValleyRAT features virtualization/sandbox checks and a defined command set with a custom C2 protocol; system beaconing and MD5-based SystemID are used.
- The Chinese-themed malware landscape shows expansion with at least 30 campaigns in 2023 and potential cross-language adoption.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing Link – The campaigns deliver via email with URLs to payloads. “The emails contain URLs linking to compressed executables that are responsible for installing the malware.”
- [T1566.002] Phishing – Spearphishing Attachment – Excel attachments containing URLs linking to compressed executables. “Excel attachments containing URLs linking to compressed executables.”
- [T1497] Virtualization/Sandbox Evasion – ValleyRAT checks for the VMware Tools directory to detect a virtual environment. “The ValleyRAT initially begins by searching for the existence of the directory ‘C:\Program Files\VMware\VMware Tools’ on the victim machine…”
- [T1082] System Information Discovery – ValleyRAT sends an initial system-information beacon to the C2 to identify a newly infected victim. “initial system information beacon that it sends to the C2 to identify a newly infected victim.”
- [T1095] Non-Application Layer Protocol – C2 communication uses raw sockets with a custom protocol. “The malware uses raw sockets with a custom protocol to communicate with the C2.”
- [T1105] Ingress Tool Transfer – Additional executables are fetched from URLs and run on the victim. “Downloads and executes an executable file.”
- [T1547.001] Boot or Logon Autostart Execution – Start the client at system startup. “Sets the Client to start at system startup.”
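A static triage helper for the two ValleyRAT artifacts quoted above, as an added example that is not part of Proofpoint's report: it extracts ASCII and UTF-16LE strings from a sample and flags the VMware Tools sandbox-check path and the PDB path listed in the report's indicators (the backslash separators in the PDB path are restored here and are an assumption). The sample bytes are constructed.

```python
import re

# ValleyRAT tests for this directory to detect a VMware guest (path quoted in the report).
VMWARE_TOOLS_DIR = r"C:\Program Files\VMware\VMware Tools"
# PDB path from the report's indicators; separators restored (assumption: extraction dropped them).
VALLEYRAT_PDB = r"C:\Users\77\source\repos\Project8\Debug\Project8.pdb"

TRIAGE_MARKERS = {
    "sandbox_check_vmware_tools": VMWARE_TOOLS_DIR,
    "pdb_path_project8": VALLEYRAT_PDB,
}


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable ASCII and UTF-16LE strings, a strings(1)-style pass over raw bytes."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # Wide strings are pairs of <printable><NUL>, which is how Win32 *W API arguments are stored.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(data: bytes) -> dict[str, list[str]]:
    """Map each marker name to the extracted strings containing it (case-insensitive)."""
    strings = extract_strings(data)
    hits: dict[str, list[str]] = {}
    for name, marker in TRIAGE_MARKERS.items():
        matched = [s for s in strings if marker.lower() in s.lower()]
        if matched:
            hits[name] = matched
    return hits


# Constructed sample: junk bytes around the sandbox-check path stored as UTF-16LE
# and the PDB path stored as ASCII, mimicking how both would sit in a PE image.
SAMPLE = (
    b"\x00" * 16
    + VMWARE_TOOLS_DIR.encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 8
    + VALLEYRAT_PDB.encode("ascii") + b"\x00"
)

if __name__ == "__main__":
    for name, matches in triage(SAMPLE).items():
        print(f"{name}: {matches}")
```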
Indicators of Compromise