Silver Fox’s Russian Ruse: ValleyRAT Hits China via Fake Microsoft Teams Attack

ReliaQuest attributes an ongoing Microsoft Teams SEO-poisoning campaign to the Chinese APT group Silver Fox, which uses a modified ValleyRAT loader (including Cyrillic false flags) to target Chinese-speaking users and Western organizations with operations in China. The campaign leverages typo-squatted domains and Alibaba Cloud hosting to deliver ValleyRAT via a trojanized Teams installer, enabling rundll32-based Binary Proxy Execution, C2 communications, data exfiltration, and financial theft to fund operations. #SilverFox #ValleyRAT

Keypoints

  • ReliaQuest assesses with high confidence that the SEO-poisoning campaign impersonating Microsoft Teams is conducted by the Chinese APT group Silver Fox (aka Void Arachne), despite intentional Cyrillic false flags meant to suggest Russian attribution.
  • The campaign distributes a modified ValleyRAT loader inside a ZIP named “MSTчamsSetup.zip” hosted on typo-squatted domains (e.g., teamscn[.]com) and Alibaba Cloud storage (oss-cn-hongkong.aliyuncs[.]com) to target Chinese-speaking users.
  • The infection chain writes files to AppData and Roaming (Profiler.json, GPUCache.xml, AutoRecoverDat.dll), uses PowerShell to add Defender exclusions, and performs Binary Proxy Execution by loading a malicious DLL into rundll32.exe to retrieve the final payload from a C2 server.
  • Evidence linking the campaign to Silver Fox includes overlapping infrastructure with previous fake Telegram campaigns, reuse of CTG Server LTD hosting for C2 servers, and continued evolution of ValleyRAT techniques.
  • Targets face risks of data exfiltration, financial theft, and long-term persistence; organizations with international operations—especially offices in China—are advised to ensure adequate logging and endpoint controls.
  • Recommended mitigations include enabling Windows command-line and PowerShell logging (Event IDs 4688 and 4104), deploying EDR/visibility solutions, blocking malicious domains/hashes, and using curated app catalogs to reduce SEO-poisoning risk.

MITRE Techniques

  • [T1218.011] Rundll32 (Binary Proxy Execution) – The campaign uses rundll32.exe to load a malicious DLL into memory and execute it, enabling stealthy payload retrieval and execution (‘the malware disguises itself as a trusted Windows process by loading malicious DLLs into rundll32.exe’).
  • [T1059.001] PowerShell – Attackers run obfuscated PowerShell commands to modify Defender exclusions and execute payload actions (‘powe””r””s””h””ell.exe -Ex””ec””uti””o””nPol””ic””y By””pa””s -C””om””ma””n””d Ad””d””- M””pPr””ef””ere””nce -Ex””cl””usion”” Path C:, D:,E:,F:’).
  • [T1057] Process Discovery – The installer enumerates running processes to detect security products (360 Total Security) via tasklist and findstr, informing evasion behavior (‘cmd /c tasklist | findstr /I “360[Tt]ray.exe”’).
  • [T1598.002] Search Engine Optimization (SEO) Poisoning – The adversary uses SEO poisoning and typo-squatted domains to surface fake Microsoft Teams downloads to Chinese-speaking users (‘the domain “teamscn[.]com”… typo-squatting attack that specifically targets Chinese-speaking users’).
  • [T1071] Application Layer Protocol (C2) – The campaign establishes outbound connections to a C2 domain/IP over a nonstandard port to download the final payload and enable remote control (‘the rundll32.exe process then establishes an outbound connection to the domain “Ntpckj[.]com” (IP address 134.122.128[.]131) over port 18852, … downloads the final payload, enabling the attacker to establish command and control (C2)’).
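As an added defensive example (not code from the ReliaQuest report), the following Python applies the logging advice in the keypoints to the techniques above: it strips the quote-splitting obfuscation seen in the PowerShell command, then runs three rules (Defender exclusion, 360 Total Security process check, rundll32 loading a DLL from AppData\Roaming) over constructed 4688/4104-style records. The record layout, the "victim" profile path and the rundll32 export name are assumptions, not values from the page.

```python
import re

# Constructed sample records (not taken from the ReliaQuest report). "text" is
# the CommandLine of a 4688 event or the ScriptBlockText of a 4104 event. The
# rundll32 export "Start" is a placeholder; the page does not name the real one.
SAMPLE_EVENTS = [
    {"event_id": 4688, "text": 'cmd /c tasklist | findstr /I "360[Tt]ray.exe"'},
    {"event_id": 4688, "text": 'powe""r""s""h""ell.exe -Ex""ec""uti""o""nPol""ic""y By""pa""ss '
                               '-C""om""ma""n""d Ad""d""-M""pPr""ef""ere""nce -Ex""cl""usion""Path C:,D:,E:,F:'},
    {"event_id": 4104, "text": "Add-MpPreference -ExclusionPath C:,D:,E:,F:"},
    {"event_id": 4688, "text": r"rundll32.exe C:\Users\victim\AppData\Roaming\AutoRecoverDat.dll,Start"},
    {"event_id": 4688, "text": r"rundll32.exe shell32.dll,Control_RunDLL"},  # benign control
]

# cmd.exe drops empty "" pairs, so powe""r""s""h""ell.exe still launches
# powershell.exe; removing straight and curly quotes before matching undoes this.
_QUOTES = str.maketrans("", "", '"\u201c\u201d')

def normalize(text: str) -> str:
    """Remove quote characters, collapse whitespace and lowercase for matching."""
    return re.sub(r"\s+", " ", text.translate(_QUOTES)).strip().lower()

# (rule name, event IDs it applies to, regex evaluated on the normalized text)
RULES = [
    ("defender_exclusion_added", {4688, 4104},
     re.compile(r"add-\s*mppreference\s+-exclusion\s*path")),
    ("security_product_discovery", {4688},
     re.compile(r"tasklist.*\|\s*findstr.*360")),
    ("rundll32_dll_from_user_profile", {4688},
     re.compile(r"rundll32(\.exe)?\s+\S*\\appdata\\roaming\\[^\s,]+\.dll")),
]

def match_event(event: dict) -> list:
    """Return the names of every rule that fires on a single event."""
    norm = normalize(event["text"])
    return [n for n, ids, rx in RULES if event["event_id"] in ids and rx.search(norm)]

def scan(events) -> dict:
    """Count, per rule, how many events fired it."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits[name] = hits.get(name, 0) + 1
    return hits

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event_id"], match_event(ev) or "-")
```

The benign rundll32 record is included so the user-profile rule can be checked for false positives; in production the 4688 rule needs command-line logging enabled, as the keypoints recommend.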

Indicators of Compromise

  • [Domain] Download and lure domains – teamscn[.]com (fake Microsoft Teams), oss-cn-hongkong.aliyuncs[.]com (Alibaba Cloud storage hosting ValleyRAT).
  • [C2 Domain/IP] Command-and-control infrastructure – Ntpckj[.]com, 134.122.128[.]131 (C2 server on port 18852).
  • [File Names] Malicious delivery and loader files – MSTчamsSetup.zip, Setup.exe, AutoRecoverDat.dll (used in the ValleyRAT execution chain).
  • [File Hashes] Associated artifact hashes – f3ef04aaf5056651325789ffd75bbc7db8ae2becbb (MSTчamsSetup.zip), d73593469375120d2bdb403383777f2737bc2018 (Setup.exe), and 6 more hashes.
  • [Related Domains] Additional malicious/typo-squatted domains used in the campaign – teamszv[.]com, binancegames[.]sb, and 20+ related domains used in prior fake Telegram/Teams campaigns.
  • [Server IPs] Hosting and infrastructure IPs observed – 27.124.43[.]7, 134.122.128[.]141, and 20+ related servers (e.g., 143.92.63[.]190, 134.122.207[.]22, 43.226.125[.]112).

Read more: https://reliaquest.com/blog/threat-spotlight-silver-foxs-russian-ruse-fake-microsoft-teams-attack/