Fortinet FortiGuard Labs details an ongoing ValleyRAT campaign targeting Chinese-speaking Windows users, featuring multi-stage malware that executes in memory with shellcode and employs sandbox evasion to stay hidden. The campaign includes loader components, C2 communications, and plugin delivery to extend control over infected systems. #ValleyRAT #SilverFox
Key points
- Affected Platforms: Microsoft Windows
- Target Audience: Chinese-speaking Windows users
- Malware Characteristics: Multi-stage, shellcode-driven in-memory execution with a low file footprint
- Initial Loader: Masquerades as legitimate applications with deceptive filenames
- Persistence: Adds scheduled tasks and abuses auto-elevate mechanisms to persist and gain privileges
- AV Evasion: Modifies AV settings and terminates AV-related processes
- Command and Control: Plaintext C2 requests with XOR-encoded responses to fetch additional payloads
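The C2 description above (plaintext requests, XOR-encoded responses carrying the next stage) is the part an analyst usually has to reverse first. The following is an added example, not code from FortiGuard Labs or from the malware, showing how to recover a repeating-key XOR from a captured response when the decoded payload is expected to be a PE file. The key, its length, and the sample blob are constructed for the example; the page does not state ValleyRAT's key or key length, so the known-plaintext assumption (an "MZ" header plus the standard DOS stub string at its usual offset) is also an assumption. It goes beyond the single case in the text by handling any key length the known plaintext can cover.

```python
"""Recover a repeating-key XOR from a C2 response whose payload is a PE file.

Added example with constructed data. ASSUMPTIONS (not from the page): the key
below, the key length, and that the decoded payload is a normal PE file whose
DOS stub string sits at offset 0x4E.
"""
from typing import Optional

DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E  # typical offset of the stub string in an MSVC-built PE

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (single- or multi-byte)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_repeating_key(blob: bytes, known: bytes, offset: int,
                          key_len: int) -> Optional[bytes]:
    """Derive a key_len-byte repeating XOR key from plaintext `known` located at
    `offset` in `blob`. Returns None if the known bytes do not cover every key
    position or contradict each other (wrong key length or wrong plaintext)."""
    if key_len <= 0 or offset < 0 or offset + len(known) > len(blob):
        return None
    key: list = [None] * key_len
    for i, plain in enumerate(known):
        pos = (offset + i) % key_len
        k = blob[offset + i] ^ plain
        if key[pos] is None:
            key[pos] = k
        elif key[pos] != k:
            return None          # two known bytes disagree on this key byte
    if any(k is None for k in key):
        return None              # known plaintext too short to fix every byte
    return bytes(key)

def decode_c2_response(blob: bytes, max_key_len: int = 16) -> Optional[tuple]:
    """Try key lengths 1..max_key_len using the DOS stub as known plaintext and
    require the result to start with the "MZ" magic. Returns (key, decoded) for
    the shortest consistent key, or None if nothing fits."""
    for key_len in range(1, max_key_len + 1):
        key = recover_repeating_key(blob, DOS_STUB, DOS_STUB_OFFSET, key_len)
        if key is None:
            continue
        decoded = xor_bytes(blob, key)
        if decoded[:2] == b"MZ":
            return key, decoded
    return None

# --- constructed sample (not a real ValleyRAT payload or key) -------------
ASSUMED_KEY = b"\x13\x37\xde\xad\xbe\xef"
SAMPLE_PLAINTEXT = bytes(
    b"MZ\x90\x00\x03\x00\x00\x00"             # DOS header start
    + bytes(DOS_STUB_OFFSET - 8)               # padding up to the stub string
    + DOS_STUB + bytes(8) + b"PE\x00\x00"      # stub, padding, PE signature
)
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAINTEXT, ASSUMED_KEY)

if __name__ == "__main__":
    result = decode_c2_response(SAMPLE_ENCODED)
    if result is None:
        print("no consistent key found")
    else:
        key, decoded = result
        print("recovered key:", key.hex())
        print("decoded starts with:", decoded[:2], "stub ok:",
              decoded[DOS_STUB_OFFSET:DOS_STUB_OFFSET + len(DOS_STUB)] == DOS_STUB)
```

Because the stub string is 39 bytes long, this recovers any key of up to 39 bytes in one pass; longer keys need more known plaintext (for example the PE section names) or a different offset. Checking both the stub and the "MZ" magic protects against a shorter key length that happens to fit the stub by coincidence.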
MITRE Techniques
- [T1203] Execution (Exploitation for Client Execution): Exploits vulnerabilities in software to execute malicious code.
- [T1053] Persistence (Scheduled Task/Job): Adds scheduled tasks to ensure the malware runs at startup.
- [T1068] Privilege Escalation (Exploitation for Privilege Escalation): Abuses legitimate applications to gain elevated privileges.
- [T1562] Defense Evasion (Impair Defenses): Modifies antivirus settings and kills AV processes to evade detection.
- [T1071] Command and Control (Application Layer Protocol): Communicates with C2 servers to request additional payloads.
Indicators of Compromise
- [C2] C2 servers – 154.82.85.12, 154.92.19.81
- [Files] sample hashes (SHA-256) – 1ded5a6c54a7b10365c41bc850ce41f18d86435fbe9315c37bd767ecdf255135, 7b98622db7a62ace626dcc8af5bb7ac3726a968241c94612c5b9cb906175f5f3, fb73e089d0a276617b9a213080f84d0e411592c7db5548790e3fe1c53295f5a3