Technical Analysis of the Latest Variant of ValleyRAT

This analysis covers the latest ValleyRAT variant, delivered through a multi-stage campaign: the loader chain, DLL sideloading, process injection, and targeted anti-AV checks, together with updated device fingerprinting and new commands. It highlights an HFS-based downloader, a configurable C2 protocol, and the final ValleyRAT payload delivered at the end of the multi-stage infection chain.
#ValleyRAT #TheGreatThief #SilverFox #QiAnXin

Key points

  • Zscaler ThreatLabz identifies a new ValleyRAT campaign attributed to a China-based threat actor.
  • The initial downloader uses an HTTP File Server (HFS) to fetch files required for later stages.
  • The downloader and loader employ anti-virus checks, DLL sideloading, and process injection.
  • C2 communication configuration is marked and parsed to determine the C2 IP, port, and protocol (UDP/TCP).
  • Compared with earlier ValleyRAT versions, the sample shows device fingerprinting, bot ID generation, and expanded command support.
  • The campaign uses a multi-stage chain (downloader → loader → final payload) with DLL sideloading and persistence mechanisms to evade defenses.

MITRE Techniques

  • [T1036] Masquerading – The malware leverages legitimate software behavior to hide its activities, e.g., using WINWORD2013.EXE as a loader for a malicious DLL: ‘The file WINWORD2013.EXE is the legitimate Microsoft Word processor. However, the malware utilizes it to sideload a malicious DLL called wwlib.dll.’
  • [T1574.002] Hijack Execution Flow – DLL Side-Loading – ‘the malware utilizes it to sideload a malicious DLL called wwlib.dll.’
  • [T1055] Process Injection – The decrypted xig.ppt DLL injects shellcode into svchost.exe: ‘continues the execution process as a mechanism to decrypt and inject shellcode into svchost.exe.’
  • [T1140] Deobfuscate/Decode Files or Information – NTUSER.DXM is decrypted with XOR and RC4: ‘NTUSER.DXM is then decrypted using a combination of XOR decryption and RC4 decryption.’
  • [T1010] Application Window Discovery – Device fingerprinting includes Foreground window name: ‘Foreground window name’.
  • [T1057] Process Discovery – The malware ‘retrieves a list of all processes running on the system.’
  • [T1082] System Information Discovery – System IP address is collected during fingerprinting: ‘System IP address.’
  • [T1083] File and Directory Discovery – Device fingerprinting includes System directory and related discovery: ‘System directory.’
  • [T1120] Peripheral Device Discovery – Information like HDD & storage device info is gathered: ‘HDD & storage device info.’
  • [T1518.001] Security Software Discovery – The malware checks for security software processes (Qihoo-related) and terminates them: ‘Security Software Discovery.’
  • [T1071] Application Layer Protocol – C2 communication uses TCP (and UDP) protocols: ‘The sample analyzed utilizes TCP for communication with the C2 server.’
  • [T1659] Content Injection – Shellcode and configuration are injected/updated to influence runtime behavior: ‘Content Injection.’
  • [T1113] Screen Capture – New commands include capturing screenshots: ‘Capture a screenshot of the desktop window and retrieve the name of the foreground window and last input time.’
  • [T1529] System Shutdown/Reboot – Commands enable forced reboot/shutdown: ‘Forced reboot’ and ‘Forced shutdown.’
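The T1140 entry above says NTUSER.DXM is recovered with a combination of XOR and RC4. The following is an added analyst-side decryptor skeleton for that kind of layering; it is not code from the Zscaler report. The layering order (single-byte XOR pass first, then RC4), the keys and the sample bytes are assumptions constructed for the example, since the real keys are not on this page.

```python
# Added example: decryptor for an artifact protected with a single-byte XOR pass
# followed by RC4, the combination the report describes for NTUSER.DXM.
# ASSUMPTIONS (constructed for this example): the order XOR-then-RC4, the keys,
# and the sample blob. The real campaign values are not on the page.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR over the whole buffer (assumed first layer)."""
    return bytes(b ^ key for b in data)


def decrypt_blob(blob: bytes, xor_key: int, rc4_key: bytes) -> bytes:
    """Assumed layering: strip the XOR layer, then RC4-decrypt the result."""
    return rc4(rc4_key, xor_bytes(blob, xor_key))


def encrypt_blob(plain: bytes, xor_key: int, rc4_key: bytes) -> bytes:
    """Inverse of decrypt_blob; used here only to build a test artifact."""
    return xor_bytes(rc4(rc4_key, plain), xor_key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check on the output: a DLL/EXE starts with the 'MZ' DOS signature."""
    return data[:2] == b"MZ"


# Constructed sample (not real campaign material).
CONSTRUCTED_XOR_KEY = 0x5A
CONSTRUCTED_RC4_KEY = b"example-key"
CONSTRUCTED_PLAINTEXT = b"MZ" + b"\x90" * 14 + b"constructed-payload"
CONSTRUCTED_BLOB = encrypt_blob(CONSTRUCTED_PLAINTEXT, CONSTRUCTED_XOR_KEY, CONSTRUCTED_RC4_KEY)

if __name__ == "__main__":
    recovered = decrypt_blob(CONSTRUCTED_BLOB, CONSTRUCTED_XOR_KEY, CONSTRUCTED_RC4_KEY)
    print("PE header recovered:", looks_like_pe(recovered))
```

When the real key material is recovered from the loader, the only change an analyst needs is to swap the constants (and, if the loader turns out to apply RC4 before XOR, the order of the two calls in decrypt_blob); the 'MZ' check is a cheap way to confirm the guessed order and keys before handing the output to a disassembler.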

Indicators of Compromise

  • [MD5] First stage – 984878f582231a15cc907aa92903b7ab, 56384012e4e46f16b883efe4dd53fcb0 (First stage downloader)
  • [MD5] Second stage – 9aec2351a3966a9f854513a7b7aa5a13 (Second stage loader DLL)
  • [MD5] Third stage – 0a55af506297efa468f49938a66d8af9 (Third stage shellcode)
  • [MD5] Final payload – c563f62191ea363259939a6b3ce7f192 (ValleyRAT)
  • [URL] C2 URL – hotshang[.]com/, 101.33.117.200/, and 7 more URLs (Parent URL for downloader)
  • [Domain] Domains – wenjian2024[.]com, oss-cn-hongkong[.]aliyuncs[.]com, and other domains (C2/download infrastructure)
  • [IP] IP – 101.33.117.200 (C2 IP; the same address appears as a data point in the parsed config)
  • [File Name] Files – NTUSER.DXM, second_stage_sample.bin (stages/files used)
  • [Process Name] Processes – svchost.exe, WinRAR (used in various checks and injection workflow)
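The indicator list above is written in defanged form, and the T1036/T1574.002 entries describe WINWORD2013.EXE sideloading wwlib.dll. The following is an added example, not from the Zscaler report, of turning both kinds of information into a log sweep: it refangs the listed domains, matches the hashes and IP with proper boundaries, and flags wwlib.dll loads by a WINWORD process from outside Program Files. Only indicators printed on this page are used; the log line format and the log lines themselves are constructed for the example.

```python
# Added example: sweep constructed log lines for the indicators listed on this page
# plus the WINWORD -> wwlib.dll sideloading behaviour the report describes.
# The log format and every log line below are constructed; the IoC values are the
# ones printed on the page.
import re

IOC_MD5 = {
    "984878f582231a15cc907aa92903b7ab",  # first stage downloader
    "56384012e4e46f16b883efe4dd53fcb0",  # first stage downloader
    "9aec2351a3966a9f854513a7b7aa5a13",  # second stage loader DLL
    "0a55af506297efa468f49938a66d8af9",  # third stage shellcode
    "c563f62191ea363259939a6b3ce7f192",  # final ValleyRAT payload
}
IOC_DEFANGED_HOSTS = ["hotshang[.]com", "wenjian2024[.]com", "oss-cn-hongkong[.]aliyuncs[.]com"]
IOC_IPS = {"101.33.117.200"}

# Locations where a legitimate wwlib.dll is expected (assumed allow-list).
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator can be compared against real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang(h) for h in IOC_DEFANGED_HOSTS}


def sideload_hit(line: str):
    """Flag WINWORD* loading wwlib.dll from outside the trusted install locations."""
    m = re.search(r"image_load process=(\S+) module=(.+)$", line)
    if not m:
        return None
    process, module = m.group(1).lower(), m.group(2)
    if process.startswith("winword") and module.lower().endswith("\\wwlib.dll") \
            and not module.lower().startswith(TRUSTED_PREFIXES):
        return ("sideload", module)
    return None


def match_line(line: str) -> list:
    """Return every indicator hit found in one log line."""
    hits = []
    lower = line.lower()
    for host in sorted(IOC_HOSTS):
        if host in lower:
            hits.append(("domain", host))
    for ip in sorted(IOC_IPS):
        # Boundaries stop 101.33.117.200 from matching inside 101.33.117.2001.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
            hits.append(("ip", ip))
    for md5 in re.findall(r"\b[0-9a-f]{32}\b", lower):
        if md5 in IOC_MD5:
            hits.append(("md5", md5))
    sl = sideload_hit(line)
    if sl:
        hits.append(sl)
    return hits


def sweep(lines) -> list:
    """Return (line_index, hit) pairs for every hit across the input lines."""
    return [(i, hit) for i, line in enumerate(lines) for hit in match_line(line)]


# Constructed log lines (not real telemetry).
CONSTRUCTED_LOGS = [
    "2024-01-01T10:00:01 dns query=hotshang.com client=10.0.0.5",
    "2024-01-01T10:00:02 proxy dst=101.33.117.200:80 method=GET path=/",
    "2024-01-01T10:00:03 file_create path=C:\\Users\\u\\NTUSER.DXM md5=c563f62191ea363259939a6b3ce7f192",
    "2024-01-01T10:00:04 dns query=example.org client=10.0.0.5",
    "2024-01-01T10:00:05 proxy dst=101.33.117.2001:80 method=GET path=/",
    "2024-01-01T10:00:06 image_load process=WINWORD2013.EXE module=C:\\Users\\u\\wwlib.dll",
    "2024-01-01T10:00:07 image_load process=WINWORD.EXE module=C:\\Program Files\\Microsoft Office\\root\\Office16\\wwlib.dll",
]

if __name__ == "__main__":
    for idx, hit in sweep(CONSTRUCTED_LOGS):
        print(idx, hit)
```

The behavioural rule is the part worth keeping after the listed hashes and domains rotate: a word-processor binary pulling wwlib.dll from a user-writable directory is the sideloading pattern itself, independent of which sample is being dropped. The oss-cn-hongkong.aliyuncs.com host is shared cloud storage, so a domain hit on it is a lead to pivot on rather than a verdict by itself.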

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-latest-variant-valleyrat