ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

A ValleyRAT campaign targeted job seekers with email lures that delivered weaponized Foxit PDF Reader executables inside archive files, using DLL side-loading of a malicious msimg32.dll to achieve execution. The attackers deployed a bundled Python environment and a base64-encoded shellcode loader downloaded from 196[.]251[.]86[.]145, created an autorun registry entry for persistence, and exfiltrated data from web browsers. #ValleyRAT #FoxitPDFReader

Keypoints

  • Attackers used email-based job lures with recruitment-themed archive filenames (e.g., Overview_of_Work_Expectations.zip) to trick job seekers into opening malicious attachments.
  • Archives contained a renamed FoxitPDFReader.exe (example: Compensation_Benefits_Commission.exe) and a hidden malicious msimg32.dll to facilitate DLL side-loading.
  • A bundled Python environment was hidden inside a file named document.pdf and unpacked by document.bat using a 7-Zip executable disguised as document.docx, so the Python shellcode loader could run even on systems without Python installed.
  • The shellcode loader fetched base64-encoded payloads from 196[.]251[.]86[.]145/huna and executed them via a renamed python.exe (zvchost.exe), establishing C2 communications over TLS with a self-signed certificate.
  • Persistence was implemented by creating an autorun registry entry, and the malware stole data from multiple internet browsers for exfiltration.
  • Trend Vision One detects and blocks the campaign indicators and provides hunting queries and intelligence to help customers proactively defend against these tactics.

MITRE Techniques

  • [T1566.001 ] Spearphishing Attachment – Email-based job lures sent archive attachments to entice victims (‘email-based job lures’).
  • [T1574.002 ] DLL Side-Loading – The campaign abused a renamed Foxit executable to load a malicious library (msimg32.dll) via DLL side-loading (‘loading a malicious msimg32.dll’).
  • [T1059.003 ] Command and Scripting Interpreter: Windows Command Shell – The attackers used a batch file to extract and run payload components (‘document.bat uses the document.docx file to extract the contents of the document.pdf file.’).
  • [T1059.006 ] Command and Scripting Interpreter: Python – A bundled Python environment and Python script were used to run a shellcode loader (‘the Python script can be executed on the target system even if Python is not pre-installed’).
  • [T1105 ] Ingress Tool Transfer – The shellcode loader and payload components were downloaded from external hosts such as 196[.]251[.]86[.]145 (‘downloaded from 196[.]251[.]86[.]145’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys/Start Folder – Persistence was achieved by creating an autorun registry entry (‘creates an autorun registry entry to make it persistent in the system.’).
  • [T1555.003 ] Credentials from Web Browsers – The malware collected user data from installed web browsers (‘The attack steals data from the user’s internet browsers’).
  • [T1620 ] Reflective Code Loading – Components were loaded using .NET reflection as part of the execution chain (‘stitched together by DLL side-loading, script executions, and .NET reflection loading’).
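Two of the techniques above leave a telemetry trail that does not depend on file hashes or C2 addresses: a legitimate executable renamed to a lure name (the PE version resource still carries the original file name, so Sysmon's OriginalFileName field disagrees with the on-disk name, as with Compensation_Benefits_Commission.exe vs. FoxitPDFReader.exe and zvchost.exe vs. python.exe), and a DLL bearing a Windows system-library name (msimg32.dll) being resolved from the application's own directory instead of System32, which is what DLL search-order side-loading looks like in image-load events. The following is an added detection example written for this summary, not code from the Trend Micro report. The event shape is a simplified Sysmon-like dictionary (Event ID 1 process create, Event ID 7 image load); the extraction directory, the python312.dll name and the OriginalFileName values are constructed assumptions.

```python
"""Hunt for renamed binaries and side-loaded system DLLs in Sysmon-like events.

Rule 1 (renamed_binary): EID 1 where OriginalFileName != basename(Image).
Rule 2 (sideloaded_system_dll): EID 7 where the loaded DLL has the name of a
Windows system library but its path is outside the system directories.
"""
from pathlib import PureWindowsPath

# DLL names that legitimately live only under System32/SysWOW64/WinSxS.
# Constructed starter list for this example; extend it with the imports of the
# applications you see side-loaded in your environment.
KNOWN_SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def in_system_dir(path: str) -> bool:
    """True if path is below one of SYSTEM_DIRS (trailing separator defeats prefix tricks
    such as C:\\Windows\\System32Evil\\)."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_renamed_binary(event: dict) -> bool:
    """Sysmon EID 1: the PE version resource's OriginalFileName survives a rename on disk."""
    orig = event.get("OriginalFileName", "")
    if not orig or orig == "?":          # Sysmon reports '?' when the resource is absent
        return False
    return orig.lower() != PureWindowsPath(event["Image"]).name.lower()


def is_sideloaded_system_dll(event: dict) -> bool:
    """Sysmon EID 7: a system-DLL name resolved from a non-system directory."""
    loaded = event["ImageLoaded"]
    name = PureWindowsPath(loaded).name.lower()
    return name in KNOWN_SYSTEM_DLLS and not in_system_dir(loaded)


def hunt(events):
    """Return findings as (rule, process image, detail) tuples, in event order."""
    findings = []
    for e in events:
        if e["EventID"] == 1 and is_renamed_binary(e):
            findings.append(("renamed_binary", e["Image"], e["OriginalFileName"]))
        elif e["EventID"] == 7 and is_sideloaded_system_dll(e):
            findings.append(("sideloaded_system_dll", e["Image"], e["ImageLoaded"]))
    return findings


# Constructed sample telemetry modelled on the chain described in the summary.
# The extraction directory is an assumption; the archive name is from the report.
BASE = r"C:\Users\victim\Downloads\Overview_of_Work_Expectations"
FOXIT_REAL = r"C:\Program Files (x86)\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe"
SAMPLE_EVENTS = [
    # renamed Foxit reader used as the side-loading host
    {"EventID": 1, "Image": BASE + r"\Compensation_Benefits_Commission.exe",
     "OriginalFileName": "FoxitPDFReader.exe"},
    # msimg32.dll picked up from the lure directory instead of System32
    {"EventID": 7, "Image": BASE + r"\Compensation_Benefits_Commission.exe",
     "ImageLoaded": BASE + r"\msimg32.dll"},
    # renamed python.exe used to run the shellcode loader
    {"EventID": 1, "Image": BASE + r"\zvchost.exe", "OriginalFileName": "python.exe"},
    # benign: the real Foxit install loading the real msimg32.dll
    {"EventID": 7, "Image": FOXIT_REAL, "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    # benign: case differences in OriginalFileName are normal
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    # not flagged: a bundled interpreter DLL is not a system-library name (assumed name)
    {"EventID": 7, "Image": BASE + r"\zvchost.exe", "ImageLoaded": BASE + r"\python312.dll"},
]

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:24} {image}  <-  {detail}")
```

Rule 2 is deliberately allow-list based: it does not flag the bundled Python runtime DLLs, which is correct, since renamed interpreters are caught by rule 1 instead. In production, Sysmon EID 7 also carries Signed/Signature fields; a DLL with a system-library name that is unsigned or signed by an unexpected publisher is a stronger signal still, and the two rules correlate on the Image field of the same process.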

Indicators of Compromise

  • [IP address ] C2 and download hosts – 196[.]251[.]86[.]145 (downloaded base64 shellcode), 51[.]79[.]214[.]125 (related download), and 154[.]90[.]58[.]164:56001 (related C2).
  • [URL ] Download endpoints/paths used by payload – 196[.]251[.]86[.]145/huna, 51[.]79[.]214[.]125/huna.
  • [File name ] Malicious executables and libraries – Compensation_Benefits_Commission.exe (renamed FoxitPDFReader.exe bait), msimg32.dll (malicious DLL), and document.bat (extraction/launcher).
  • [Archive names ] Social-engineering lures – Overview_of_Work_Expectations.zip, Candidate_Skills_Assessment_Test.rar (recruitment-themed archives used to deliver payloads).
  • [File hashes ] Notable samples – SHA1 ebcfc4f6c6e63b75dc407f5e76c9d96c69c3c1b6 / SHA256 a32fa6ba08db96ebd611f6ee06da44b419d569a6bac43ed00c68d6ca674004c3 (ValleyRAT .NET exe in memory), SHA1 65fec70eaca638cbd10a6774e4e67f2d55f63959 (document.bat) and many more hashes listed in the report.
  • [Certificate fingerprint / JA3 ] C2 TLS artifacts – certificate fingerprint 7e:3f:5a:c9:0b:81:54:af:50:70:f0:1c:05:b6:a4:ce:63:3c:58:ee and JA3 fc54e0d16d9764783542f0146a98b300 (self-signed C2 certificate characteristics).

Read more: https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html