Fake Microsoft Teams Campaign Delivers ValleyRAT via NSIS Installer and DLL Sideloading

Fake Microsoft Teams download sites were used to distribute a trojanized ZIP archive that installs a multistage loader chain ending in ValleyRAT. The campaign abuses GameBox.exe for DLL sideloading, evades Windows Defender, steals clipboard and log data, and communicates with a C2 server at 103.215.77.17. #ValleyRAT #GameBox.exe #SilverFoxAPT #MicrosoftTeams

Keypoints

  • Fake Microsoft Teams distribution sites were shared on X in mid-April and closely mimicked the legitimate Teams download page.
  • Users were tricked into downloading a ZIP archive that launched a malicious NSIS installer instead of a normal Teams installer.
  • The attack used DLL sideloading through the legitimate Tencent executable GameBox.exe to load a malicious DLL named utility.dll.
  • The malware weakened Windows Defender by adding exclusion paths and exclusion processes through PowerShell commands.
  • The infection chain used in-memory decryption, shellcode injection, API hashing, and reflective loading to reduce disk-based detection.
  • The final payload was identified as a ValleyRAT variant, with behavior and registry patterns suggesting a link to SilverFox APT activity.
  • The malware captured clipboard contents, wrote local logs, and maintained outbound communication with a command-and-control server.

MITRE Techniques

  • [T1189] Drive-by Compromise – Users were directed to malicious Teams-lookalike sites that prompted a harmful download (‘users are prompted to download a compressed archive’).
  • [T1566.002] Phishing: Spearphishing Link – The campaign used convincing fake Microsoft Teams themed websites to lure victims into clicking and downloading (‘closely mimic the official Microsoft Teams download page’).
  • [T1036] Masquerading – The sites and downloaded files were designed to appear legitimate, including a fake Teams installer and shortcut (‘helping avoid suspicion by presenting an expected behavior’).
  • [T1105] Ingress Tool Transfer – The malicious archive and staged payloads were downloaded from attacker-controlled infrastructure (‘prompted to download a compressed archive’).
  • [T1218] System Binary Proxy Execution – A legitimate Tencent executable, GameBox.exe, was abused to execute malicious code via sideloading (‘legitimate executable (GameBox.exe) being abused’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The attack loaded utility.dll through a legitimate executable to execute the payload (‘side-load a malicious dll named utility.dll’).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Windows Defender was weakened using PowerShell exclusions (‘Add-MpPreference -ExclusionPath’ and ‘Add-MpPreference -ExclusionProcess’).
  • [T1036.002] Masquerading: Prepend/Append Legitimate Name or Location – Malware was copied into ProgramData and hidden to blend in (‘copied to the ProgramData folder’).
  • [T1112] Modify Registry – The malware used registry keys for configuration and persistence-related data (‘configuration data… were likely written to HKCU\SOFTWARE\IpDates_info’).
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence was established by creating an auto-start service named _CCGDAT (‘creating a service named _CCGDAT’).
  • [T1027] Obfuscated Files or Information – Payloads were stored encrypted and later decrypted in memory using AES and XOR (‘stored in an encrypted format in memory’).
  • [T1055] Process Injection – Shellcode was allocated in memory and executed in the current process (‘allocates memory within the current process and writes the decrypted shellcode into it’).
  • [T1106] Native API – The malware used Windows APIs such as CreateThread, GetClipboardData, SetFileAttributes, and BcryptDecrypt to perform actions (‘Execution is then transferred using CreateThread’).
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – API hashing was used to resolve Windows APIs at runtime (‘computes hashes and dynamically matches them’).
  • [T1620] Reflective Code Loading – The final payload used reflective loading to map the PE into memory (‘uses Reflective Loading techniques to map the PE into memory’).
  • [T1056.001] Input Capture: Keylogging – Local logs stored captured keystrokes, indicating keylogging activity (‘stores operational data such as captured keystrokes’).
  • [T1115] Clipboard Data – The malware accessed clipboard contents to steal sensitive information (‘accessing clipboard contents through the GetClipboardData API’).
  • [T1071.001] Application Layer Protocol: Web Protocols – The malware communicated with a remote C2 server and exchanged data (‘maintaining communication with the remote server’).
  • [T1041] Exfiltration Over C2 Channel – Collected logs and data were sent back to the command-and-control server (‘sends collected data back to the server’).
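The Defender-exclusion, service-creation and registry behaviours listed above are the host-side artefacts a detection engineer would hunt for. The following is an added example, not code from the report or from K7 Labs: it runs a few regex rules over constructed command-line log lines (the sample events below are made up for the demonstration; the service name _CCGDAT and the IpDates_info key come from the report, and matching on -ExclusionExtension as well as -ExclusionPath/-ExclusionProcess is a generalisation beyond what the report describes).

```python
import re

# Constructed sample events (not from the report): command lines as they
# might appear in process-creation or PowerShell script-block logging.
SAMPLE_EVENTS = [
    "powershell.exe -Command Add-MpPreference -ExclusionPath C:\\ProgramData\\GameBox",
    "powershell.exe -Command Add-MpPreference -ExclusionProcess GameBox.exe",
    "sc.exe create _CCGDAT binPath= C:\\ProgramData\\GameBox\\GameBox.exe start= auto",
    "reg.exe add HKCU\\SOFTWARE\\IpDates_info /v cfg /t REG_BINARY /d 00",
    "powershell.exe -Command Get-MpPreference",   # benign: only reads settings
    "cmd.exe /c dir C:\\Users",                    # benign
]

# Each rule: (name, compiled regex). All are case-insensitive because
# PowerShell cmdlets and registry paths are not case-sensitive.
RULES = [
    # Any Add-MpPreference call that adds an exclusion (T1562.001).
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\b", re.I)),
    # Service creation using the name the report attributes to the loader (T1543.003).
    ("service_ccgdat_created",
     re.compile(r"\b(sc(\.exe)?\s+create|New-Service)\b.*\b_CCGDAT\b", re.I)),
    # Writes to the HKCU configuration key named in the report (T1112).
    ("registry_ipdates_info",
     re.compile(r"HKCU\\SOFTWARE\\IpDates_info", re.I)),
]


def classify(line):
    """Return the names of every rule that matches a single log line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan(events):
    """Return (event_index, rule_name) pairs for every match across a log."""
    hits = []
    for idx, line in enumerate(events):
        for name in classify(line):
            hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} :: {SAMPLE_EVENTS[idx]}")
```

In a real deployment these rules would be fed from Sysmon Event ID 1 or Windows 4688/4104 events rather than a list literal.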

Indicators of Compromise

  • [Domains] fake Microsoft Teams lure sites – teams-securecall[.]com, teamszs[.]com
  • [URL/Archive Name] trojanized download archive names – 98653.2.87.teamsx.zip, teamsxb.zip
  • [File Names] dropped malicious and staged files – utility.dll, user.dat
  • [File Names] installer-related components – GameBox.exe, legitimate Microsoft Teams installer
  • [File Hashes] detected IOC hashes associated with the files – 709604CE58E3F8255587AC9253DB6994, 18F3E85D7237E3CAC0AD13BDCF513F0F and 1 more hash
  • [IP Address] command-and-control server – 103.215.77.17


Read more: https://labs.k7computing.com/index.php/fake-microsoft-teams-campaign-delivers-valleyrat-via-nsis-installer-and-dll-sideloading/