ValleyRAT Analysis: Strategies, Techniques, and Detection Approaches | Splunk

Key points

  • ValleyRAT targets Chinese-speaking users via coordinated phishing campaigns.
  • It operates as a multi-stage loader that evades detection by loading components in stages.
  • The malware can monitor and control infected hosts and deploy additional plugins.
  • Splunk Threat Research Team analyzed variants to identify MITRE ATT&CK TTPs for detection improvements.
  • Notable TTPs include persistence mechanisms, process injection, registry-based kill switches, and C2 behavior.
  • Defense evasion includes UAC bypass, disabling security tools, virtualization/sandbox checks, and network discovery.

MITRE Techniques

  • [T1547.001] Startup Folder – The ValleyRAT loader creates a copy in the startup folder for persistence. “creates a copy of itself in the startup folder as ‘appcustom.exe’ to maintain persistence.”
  • [T1055] Process Injection – The decrypted ValleyRAT payload is injected into MSBUILD.exe to evade detection. “injected into a newly created MSBUILD.exe process, … to evade detection.”
  • [T1012] Query Registry – Checks registry entries related to WeChat and DingTalk as a kill switch. “Checks registry entries related to WeChat and DingTalk as a kill switch.”
  • [T1071] Application Layer Protocol – Initializes C2 IP addresses and ports, modifying registry entries for persistence. “Initializes the C2 IP addresses and port within its code.”
  • [T1548.002] Bypass User Account Control – Attempts to launch with elevated privileges using various methods. “Attempts to launch with elevated privileges using various methods.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Terminates security products to avoid detection. “Terminates security products to avoid detection.”
  • [T1497] Virtualization/Sandbox Evasion – Checks for virtualized environments to evade analysis. “Checks for virtualized environments to evade analysis.”
  • [T1053] Scheduled Task/Job – Creates scheduled tasks for automatic execution of malicious payloads. “Creates scheduled tasks for automatic execution of malicious payloads.”
  • [T1547.001] Registry Run Keys – Uses registry run keys for persistence on boot. “Uses registry run keys for persistence on boot.”
  • [T1016.001] Internet Connection Discovery – Checks for internet connectivity before C2 communication. “Checks for internet connectivity before C2 communication.”
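The behaviours above lend themselves to endpoint-telemetry detections. The following is an added example, not Splunk's detection content or anything from the original post: it classifies constructed, Sysmon-like events (the field names host, pid, kind, path, image, parent and key are an assumed schema) against the persistence, MSBuild injection and WeChat/DingTalk kill-switch behaviours listed, then flags hosts where more than one of those techniques appears together.

```python
import re
from collections import defaultdict

# Assumed event schema (constructed for this example): host, pid, kind, plus
# path (file_create), image+parent (process_create) or key (registry_*).
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.I)
RUNKEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
KILLSWITCH_RE = re.compile(r"\\(WeChat|DingTalk)\b", re.I)
BUILD_PARENTS = ("devenv.exe", "dotnet.exe", "msbuild.exe")


def classify(ev):
    """Map one event to the ATT&CK technique it suggests, or None."""
    kind = ev.get("kind")
    if kind == "file_create" and STARTUP_RE.search(ev.get("path", "")):
        return "T1547.001"  # executable dropped into a Startup folder
    if kind == "process_create":
        image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
        if image.endswith("\\msbuild.exe") and not parent.endswith(BUILD_PARENTS):
            return "T1055"  # MSBuild launched outside a build tool: injection host
    if kind == "registry_set" and RUNKEY_RE.search(ev.get("key", "")):
        return "T1547.001"  # Run-key persistence
    if kind == "registry_read" and KILLSWITCH_RE.search(ev.get("key", "")):
        return "T1012"  # probing for WeChat/DingTalk: the kill-switch check
    return None


def scan(events):
    """Return (host, pid, technique) for every matching event."""
    return [(e["host"], e["pid"], t) for e in events if (t := classify(e))]


def suspicious_hosts(events, min_techniques=2):
    """Hosts showing >= min_techniques distinct techniques: one Run-key write is routine, the chain is not."""
    seen = defaultdict(set)
    for host, _, tech in scan(events):
        seen[host].add(tech)
    return sorted(h for h, t in seen.items() if len(t) >= min_techniques)


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    {"host": "ws01", "pid": 4120, "kind": "file_create", "path":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appcustom.exe"},
    {"host": "ws01", "pid": 4120, "kind": "registry_read", "key": r"HKCU\Software\Tencent\WeChat"},
    {"host": "ws01", "pid": 4188, "kind": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\invoice.exe"},
    {"host": "ws02", "pid": 900, "kind": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"host": "ws02", "pid": 1200, "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
```

Running `suspicious_hosts(SAMPLE_EVENTS)` returns only `ws01`, since ws02's MSBuild launch comes from Visual Studio and its lone Run-key write is not enough on its own.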

Indicators of Compromise

  • [Hash] ValleyRAT Sample A – a67e68ae707f413ef9e64fa53d661c3f, 60c7bf466af1b547da818d9ac01e10a0
  • [Hash] ValleyRAT Sample B – d208b80a6608c72c3c590f86d93b074, 533c0c4ef8a46b6d36ed52cc2b4c179d5
  • [Hash] ValleyRAT (overall) – 14bf52de60e60a526141ffe61ef5afc2a3, bc7d60d4086e644ec80e67513d2684
  • [IP Address] C2 Server – 158.74.222.152, 154.39.255.141

Read more: https://www.splunk.com/en_us/blog/security/valleyrat-insights-tactics-techniques-and-detection-methods.html