
ValleyRAT Malware Targets Windows Users in China, Stepping Up Attacks

Uncovered by FortiGuard Labs, ValleyRAT operation focuses on compromising Chinese Windows systems


In the ever-evolving landscape of cyber threats, a new player has emerged, known as ValleyRAT. This malicious software, primarily targeting e-commerce, finance, sales, and management enterprises, has been attributed to the China-based Advanced Persistent Threat (APT) group known as Silver Fox (Silverfuchs).

Upon execution, ValleyRAT creates a mutex named TEST to ensure only one instance runs, and it employs API hashing to obfuscate the API names it uses. To add an additional layer of complexity, the shellcode it uses is XOR-encoded, challenging pattern-based security signatures.

One of ValleyRAT's advanced evasion techniques is determining whether it is operating within a virtual machine (VM) and terminating its processes if it is. To further evade detection, it disguises malicious files by using icons of legitimate applications, such as Microsoft Office, and filenames that resemble financial documents.

ValleyRAT uses reflective DLL loading to run its components directly from memory and alters specific registry entries to store the IP address and port of its command-and-control (C2) server. The malware primarily uses shellcode to execute its components in memory, significantly reducing its footprint on disk.

Once it gains a foothold in the system, ValleyRAT supports commands capable of monitoring the victim's activities and delivering arbitrary plugins. It employs sleep obfuscation techniques to modify the permissions of allocated memory where malicious code lives to avoid detection by memory scanners.

To tackle threats like ValleyRAT, organisations should keep antivirus and intrusion prevention system (IPS) signatures up to date and ensure their employees undergo security awareness training. Staying vigilant and informed is key in the ongoing battle against cyber threats.
