Researchers at ANY.RUN uncovered a sophisticated attack targeting Chinese-speaking users. The attack is spreading multi-stage malware known as ValleyRAT, which is designed to infiltrate systems and establish persistent backdoors, allowing attackers to monitor and control infected devices.
Once installed, ValleyRAT deploys additional plugins to expand its capabilities and inflict further damage, potentially including data exfiltration, ransomware attacks, or the creation of botnets.
It poses a significant threat to the security of Chinese-speaking individuals and organizations, emphasizing the need for robust cybersecurity measures and vigilance against such sophisticated attacks.
A cyber campaign targeting Chinese-speaking users has been identified. It relies on email messages containing malicious URLs that link to compressed executables carrying the ValleyRAT malware, a sophisticated threat that evades detection by executing directly in memory.
ValleyRAT’s capabilities include persistence and privilege escalation, allowing it to maintain a foothold on compromised systems and gain unauthorized access to sensitive data. The campaign, first observed in June 2024, continues to evolve with refined techniques to evade detection and enhance its impact.
The attack chain starts with a malicious executable disguised as a legitimate application. Once executed, it drops a decoy document and loads shellcode to establish a connection with a C2 server.
From the server, it downloads RuntimeBroker and RemoteShellcode, which are used to gain persistence and administrator privileges. By abusing legitimate Windows components such as fodhelper.exe and the CMSTPLUA COM interface, both well-known UAC bypass techniques, the attackers further escalate privileges on the compromised system.
RuntimeBroker, a key component of ValleyRAT, functions as a secondary loader. Its primary role is to fetch additional malware from a remote command-and-control (C2) server and then initiate a fresh infection cycle, incorporating additional safeguards to detect and evade virtual environments.
It scans the Windows Registry for specific registry keys associated with popular Chinese applications like Tencent, WeChat, and Alibaba DingTalk, which further reinforces the malware’s specific focus on Chinese systems.
RemoteShellcode acts as a downloader for ValleyRAT, a sophisticated backdoor. Upon execution, RemoteShellcode establishes a network connection with a command-and-control server using UDP or TCP protocols.
The connection facilitates the transfer of the ValleyRAT payload, which, once received, grants attackers remote control over the compromised system.
Its capabilities include remote code execution, screenshot capture, file management, and the ability to load additional plugins, making it a potent threat to security.
The ANY.RUN sandbox is a valuable tool for analyzing ValleyRAT's behavior; in this case it identified MSBuild.exe executing a file from the Temp directory. While MSBuild is a legitimate tool for building .NET projects, its use here suggests an attempt to disguise malicious activity behind a trusted binary.
A Suricata IDS rule also fired inside the sandbox on the attempt to communicate with a command-and-control server, pointing to a malware infection that relies on a legitimate tool and hidden communication channels.
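The behaviours described above (MSBuild.exe launching a file from Temp, and the fodhelper.exe and CMSTPLUA COM privilege-escalation primitives) can be turned into simple process-creation detections. The example below is added here and is not ANY.RUN's tooling; the event records are constructed to resemble Sysmon/EDR process-creation logs, with hypothetical paths and pids, and the CMSTPLUA CLSID is the documented identifier of that COM object.

```python
"""Flag ValleyRAT-style behaviours in process-creation telemetry (added illustration)."""
import re
from pathlib import PureWindowsPath

# Any path segment named Temp (e.g. C:\Users\u\AppData\Local\Temp\ or C:\Windows\Temp\).
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# CLSID of the CMSTPLUA COM object; its surrogate process is dllhost.exe /Processid:{CLSID}.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"


def classify(event: dict) -> list:
    """Return the detection labels that apply to one process-creation event."""
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    cmd = event.get("command_line", "")
    parent_cmd = event.get("parent_command_line", "").lower()
    hits = []
    # MSBuild is a legitimate .NET build tool; building a project from Temp is a LOLBin pattern.
    if image == "msbuild.exe" and TEMP_RE.search(cmd):
        hits.append("msbuild_exec_from_temp")
    # fodhelper.exe auto-elevates; any child other than the Settings app means it was hijacked.
    if parent == "fodhelper.exe" and image != "systemsettings.exe":
        hits.append("fodhelper_uac_bypass")
    # CMSTPLUA abuse appears as the COM surrogate for that CLSID spawning a new process.
    if parent == "dllhost.exe" and CMSTPLUA_CLSID in parent_cmd:
        hits.append("cmstplua_com_elevation")
    return hits


def triage(events: list) -> dict:
    """Map each suspicious event's pid to its labels; benign events are omitted."""
    return {e["pid"]: labels for e in events if (labels := classify(e))}


# Constructed sample telemetry (hypothetical paths and pids, not from the analysed sample).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\setup.exe",
     "command_line": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\proj.xml"},
    {"pid": 4133, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\fodhelper.exe", "command_line": "cmd.exe"},
    {"pid": 4140, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\dllhost.exe", "command_line": "cmd.exe",
     "parent_command_line": r"C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"pid": 5000, "image": r"C:\Program Files\dotnet\MSBuild.exe",  # benign developer build
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "command_line": r"MSBuild.exe C:\src\app\app.csproj"},
]

if __name__ == "__main__":
    for pid, labels in triage(SAMPLE_EVENTS).items():
        print(pid, labels)
```

The parent/child checks are the same shape used by public Sigma rules for these UAC bypasses; the Temp-path check should be tuned against an organisation's own build hosts to avoid false positives.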