Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT)

MITRE Techniques

• [T1566.001 ] Spearphishing Attachment – Malicious résumé .LNK files used as attachments to deliver droppers (“spear-phishing… craft highly targeted emails… contain malicious .LNK (Windows shortcut) files embedded within seemingly legitimate résumés”).
• [T1059.001 ] Command and Scripting Interpreter: PowerShell – LNK droppers executed long PowerShell command-lines to download and execute stages (“more than 260-character sequences consistent with a PowerShell command-line payload… LNK acts as a dropper/execution vector for a subsequent PowerShell-based stage”).
• [T1059.005 ] Command and Scripting Interpreter: Visual Basic – VBScript CreateHiddenTask.vbs created a scheduled task for persistence (“CreateHiddenTask.vbs… programmatically creates a daily scheduled task named “Security” … executes %APPDATA%Securitykeytool.exe”).
• [T1053.005 ] Scheduled Task/Job: Scheduled Task – Persistence via a scheduled task named “Security” that runs keytool.exe daily (“registers a daily Task Scheduler job named Security”).
• [T1204.002 ] User Execution: Malicious File – Victim user interaction with a believable Chinese résumé leads to execution (“Chinese-language résumé… increases the chance a user will open it (social engineering)”).
• [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Loader and persistence behaviors include autostart techniques (noted in persistence section and feature flags indicating autostart services like 360Hvm present).
• [T1055.001 ] Process Injection: Dynamic-link Library Injection – keytool.exe/jli.dll loader extracts and executes an in-memory payload, implying injection/reflective execution (“jli.dll… copies into a buffer and treated as an encrypted payload… decrypts… then prepares and launch the payload”).
• [T1055.002 ] Process Injection: Portable Executable Injection – Loader behavior involves reading its own PE and extracting an embedded payload for runtime execution (“opens its own executable (keytool.exe)… scans that region for a distinct 8-byte marker… everything after it is copied… decrypted payload”).
• [T1140 ] Deobfuscate/Decode Files or Information – RC4 decryption of embedded payload using key “123cba” to decode the runtime payload (“runs the standard RC4 routine… XORs the keystream with the copied bytes to produce the decrypted payload”).
• [T1574.001 ] Hijack Execution Flow: DLL Search Order Hijacking – DLL side-loading observed where keytool.exe calls exports from jli.dll to execute the payload (“keytool.exe… calling different export function of Jli.dll … side-loads a malicious DLL”).
• [T1070.004 ] Indicator Removal: File Deletion – The VBScript deletes itself after registering the task to reduce forensic traces (“after registering the task in the root folder, deletes the VBScript file itself”).
• [T1070.009 ] Indicator Removal: Clear Persistence – Malware includes routines for cleanup/uninstall and self-uninstall commands (“0xA2 Self-uninstall” and file-deletion behaviors noted).
• [T1036.008 ] Masquerading: Masquerade File Type – Malicious files impersonate legitimate artifacts (résumé, keytool.exe with Author = “Microsoft Corporation” metadata spoofing) to appear benign (“sets the task registration metadata to Author = “Microsoft Corporation” (likely spoofing a benign author)”).
• [T1112 ] Modify Registry – Malware reads and writes various registry keys for fingerprinting and persistence checks (numerous registry reads like HKLM…Tdstcp and HKLMSYSTEMControlSet001Services entries cited in fingerprinting).
• [T1027.009 ] Obfuscated Files or Information: Embedded Payloads – Encrypted/embedded payload within keytool.exe (marker-based encrypted shellcode) to evade static detection (“encrypted shellcode payload… embedded payload… marker-based extraction + RC4 decryption”).
• [T1027.010 ] Obfuscated Files or Information: Command Obfuscation – Long PowerShell commandlines and obfuscated command usage to evade detection (“more than 260-character sequences consistent with a PowerShell command-line payload” and use of -NoP -ep Bypass).
• [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Use of RC4 encryption with fixed key to protect payload until runtime (“RC4 routine… seeded with the ASCII key ‘123cba’”).
• [T1497.001 ] Virtualization/Sandbox Evasion: System Checks – Malware checks for VirtualBox/VMware processes and registry keys to evade analysis (“checks for virtualization by looking for VirtualBox/VMware processes or the VMware registry key”).
• [T1497.002 ] Virtualization/Sandbox Evasion: User Activity Based Checks – Uses user/activity based checks (UI language, Caps Lock, single-instance mutex) to avoid sandbox environments (“Maps GetSystemDefaultUILanguage()… records the Caps Lock state… CreateMutexW… checks GetLastError()==ERROR_ALREADY_EXISTS”).
• [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – ValleyRAT includes functionality to harvest credentials from local stores including browser-stored credentials (credential access capabilities described in Capability list and feature flags).
• [T1056.001 ] Input Capture: Keylogging – Keylogger implementation capturing keystrokes, managing log files, and storing logs in ProgramData (“initializing a DirectInput keyboard device to capture keystrokes… Regedit.log under ProgramData”).
• [T1056.002 ] Input Capture: GUI Input Capture – Screenshot and recording capabilities to capture GUI and user activity (“capture visual user activity (screenshots/recording) … screenshot config … recording / cleanup”).
• [T1556.004 ] Modify Authentication Process: Network Device Authentication – Malware enumerates/network-related authentication artifacts and network device settings as part of fingerprinting and potential credential manipulation (“reads PortNumber DWORD … enumerates NIC details, MAC”).
• [T1083 ] File and Directory Discovery – Malware enumerates directories and registry paths to discover user and application artifacts (“scans user folder for numeric directory names; enumerates subkeys…”).
• [T1115 ] Clipboard Data – Malware captures clipboard contents for exfiltration (“harvesting clipboard contents”).
• [T1005 ] Data from Local System – Collects files and system metadata for exfiltration (“exfiltrating critical system metadata… collects CPU info, username, screen resolution, … MAC, locale, VM check”).
• [T1039 ] Data from Network Shared Drive – Capabilities include enumeration of network shared resources (“Data from Network Shared Drive listed under Data Collection”).
• [T1113 ] Screen Capture – Malware supports screenshot and recording capture (“capture visual user activity (screenshots/recording)”).
• [T1071.001 ] Application Layer Protocol: Web Protocols – C2 communications and downloads use web protocols (downloads from pan.tenire.com and C2 communication to 206.119.175.16/other IPs).
• [T1041 ] Exfiltration Over C2 Channel – Collected data and artifacts exfiltrated over the C2 channel to attacker-controlled servers (“collected data is covertly transmitted to a remote Command and Control (C2) server”).