Morphisec Threat Labs has uncovered cunning new delivery techniques used by ValleyRAT, a sophisticated multi-stage malware attributed to the Silver Fox APT.
The malware, which primarily targets key roles in finance, accounting, and sales, has evolved with updated tactics, techniques, and procedures (TTPs), including the reuse of URLs and the exploitation of gaming binaries for payload injection.
Targeted Attack Strategies
The Silver Fox APT uses a host of distribution methods to achieve its nefarious goals, including phishing emails, malicious websites, and IM platforms. The latest attacks also reveal a strategic shift, by targeting more high-value roles within organizations to access sensitive data and systems.
Previous campaigns relied on .bat and .ps1 scripts, using installer files disguised as legitimate software, such as 7ZSfxMod_x86.exe and IconWorkshop.exe. The attackers exploited signed executables vulnerable to DLL search order hijacking, leveraging files like ShellExperienceHosts.exe and Firefox Setup 132.0.2.exe.
New Exploitation Methods and Delivery
In a recent campaign, the attackers created a domain impersonating a Chinese telecom company, ‘Karlos,’ and distributed the malware through a fake SMS service provider website (https://karlost[.]club/). The payload, named “SMS International Channel”, was delivered through a trojanized Chrome browser download from https://anizom[.]com/.
The infection process begins when a user downloads and executes a Setup.exe file (originally fotuy.exe), which then performs privilege escalation and system reconnaissance. The malware downloads and executes four key files:
- sscronet.dll
- douyin.exe
- mpclient.dat
- tier0.dll
These files are stored in C:\Program Files (x86)\Common Files\System\, ensuring persistence and obfuscation.
ValleyRAT Execution Chain and Persistence
The malware authors continue to leverage DLL hijacking, now targeting gaming binaries sourced from Steam. Recent observations indicate the use of executables from Left 4 Dead 2 and Killing Floor 2 to facilitate payload injection.
The sscronet.dll file is loaded using LoadLibrary, which executes two functions: Cronet_UrlRequest_Start and Cronet_UrlRequest_Read. The former searches for the svchost.exe process, allocates memory, and injects malicious code, while the latter ensures persistence by modifying Windows Registry settings under Software\Microsoft\Windows\CurrentVersion\Run.
Additionally, douyin.exe (a legitimate Douyin application) is exploited via DLL sideloading, allowing attackers to execute their payload stealthily.
Advanced Evasion Techniques
The malware uses multiple stealth mechanisms, including:
- Keylogging: It logs keystrokes and then stores them in sys.key within the ProgramData directory.
- Screen Monitoring: Uses EnumDisplayMonitors to collect screen information, potentially facilitating screen capture or remote control.
- Anti-VM Checks: Detects VMware environments by scanning for VMware Tools and checking system memory and HDD size. If running in a virtualized environment, execution may be altered or terminated.
- Process Monitoring: Injects a DLL into svchost.exe to prevent security applications from launching, ensuring uninterrupted operation.
Upon successful installation, ValleyRAT initiates communication with its command and control (C2) infrastructure. The malware includes predefined C2 IP addresses and ports within its code and conducts network checks by attempting connections to www.baidu.com.
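The host artifacts described above (the four components dropped into C:\Program Files (x86)\Common Files\System\, the Run-key persistence written by sscronet.dll, the sys.key keystroke log in ProgramData, DLL sideloading through douyin.exe and the injection into svchost.exe) are concrete enough to hunt for. The following Python is an added example, not code from Morphisec or from the report: it scans Sysmon-style event records for those indicators. The field names follow Sysmon's schema for event IDs 7, 8, 11 and 13; the sample events themselves are constructed for the demonstration and the SID, user name and paths in them are invented.

```python
"""Hunt for the ValleyRAT host artifacts in Sysmon-style event records.

Added example (not code from Morphisec or the report). The event records
below are constructed to resemble Sysmon events; indicator values come from
the report, everything else (SID, user, benign paths) is invented.
"""
from typing import Any, Dict, List, Tuple

# Indicators from the report: drop directory, dropped components,
# Run-key persistence location and the keylogger's output file.
DROP_DIR = r"C:\Program Files (x86)\Common Files\System"
DROPPED_FILES = {"sscronet.dll", "douyin.exe", "mpclient.dat", "tier0.dll"}
SIDELOAD_HOSTS = {"douyin.exe"}  # legitimate binary abused as a DLL sideloading host
RUN_KEY = r"software\microsoft\windows\currentversion\run"
KEYLOG_FILE = r"C:\ProgramData\sys.key"


def _norm(path: str) -> str:
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_event(ev: Dict[str, Any]) -> List[str]:
    """Return human-readable findings for one event (empty list if nothing matches)."""
    findings: List[str] = []
    eid = ev.get("EventID")
    drop_dir = _norm(DROP_DIR)

    if eid == 11:  # FileCreate
        target = _norm(ev.get("TargetFilename", ""))
        if target.startswith(drop_dir + "\\") and _basename(target) in DROPPED_FILES:
            findings.append(f"component {_basename(target)} dropped into {DROP_DIR}")
        if target == _norm(KEYLOG_FILE):
            findings.append("keystroke log sys.key created in ProgramData")

    elif eid == 13:  # RegistryEvent (value set)
        if RUN_KEY in _norm(ev.get("TargetObject", "")) and drop_dir in _norm(ev.get("Details", "")):
            findings.append(f"Run-key persistence pointing into {DROP_DIR}")

    elif eid == 7:  # ImageLoaded: a known sideloading host loading a dropped DLL
        if _basename(ev.get("Image", "")) in SIDELOAD_HOSTS and _basename(ev.get("ImageLoaded", "")) in DROPPED_FILES:
            findings.append(f"{_basename(ev['Image'])} sideloaded {_basename(ev['ImageLoaded'])}")

    elif eid == 8:  # CreateRemoteThread: injection into svchost.exe from the drop directory
        if _basename(ev.get("TargetImage", "")) == "svchost.exe" and _norm(ev.get("SourceImage", "")).startswith(drop_dir + "\\"):
            findings.append("remote thread created in svchost.exe by a process in the drop directory")

    return findings


def hunt(events: List[Dict[str, Any]]) -> List[Tuple[int, str]]:
    """Run check_event over a list of events; returns (event index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]


# Constructed sample telemetry: one benign event followed by the chain from the report.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\Setup.exe",
     "TargetFilename": r"C:\Program Files (x86)\Common Files\System\sscronet.dll"},
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Common Files\System\douyin.exe",
     "TargetFilename": r"C:\ProgramData\sys.key"},
    {"EventID": 13, "Image": r"C:\Program Files (x86)\Common Files\System\douyin.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\douyin",
     "Details": r"C:\Program Files (x86)\Common Files\System\douyin.exe"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Common Files\System\douyin.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Common Files\System\sscronet.dll"},
    {"EventID": 8, "SourceImage": r"C:\Program Files (x86)\Common Files\System\douyin.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Matching on the combination of path and file name, rather than on the file name alone, keeps douyin.exe installed in its normal location from firing; the Run-key rule likewise triggers only when the value's target points into the drop directory, which is the part of the persistence technique that is specific to this campaign.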
Be Vigilant, Always Check the Source
Jamie Akhtar, CEO and Co-founder of CyberSmart, says: “ValleyRAT is by now a well-established malware, having been around since at least 2023. However, what makes this instance notable is that it appears to have grown more sophisticated, both in terms of the techniques used and its targets.”
For now, Akhtar says this campaign appears to be mainly targeted at Chinese entities. “However, if there’s one thing for certain about cybercriminals, it’s that someone will copy this approach and apply it to Western companies. With that in mind, we urge anyone working in a role processing high-value sensitive data, like sales or accounting, to be extra vigilant when downloading tools like browsers or browser extensions. It’s always worth double-checking that the source looks right.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.