ValleyRAT's Intricate Mechanism
Researchers at ANY.RUN have recently unveiled a sophisticated cyberattack specifically targeting Chinese-speaking users. This attack employs a multi-stage malware known as ValleyRAT, designed to infiltrate systems and establish persistent backdoors, enabling attackers to monitor and control compromised devices.
Once installed, ValleyRAT deploys additional plugins that enhance its capabilities, potentially leading to severe consequences such as data exfiltration, ransomware incidents, or the formation of botnets. The implications of this malware are particularly alarming for Chinese-speaking individuals and organizations, underscoring the urgent need for robust cybersecurity measures and heightened vigilance against such sophisticated threats.
The cyber campaign, first detected in June 2024, utilizes email messages containing malicious URLs that link to compressed executables harboring the ValleyRAT malware. This threat is particularly adept at evading detection by executing directly in memory, making it a formidable adversary.
ValleyRAT’s design allows for persistence and privilege escalation, enabling it to maintain a foothold on compromised systems and gain unauthorized access to sensitive information. The campaign continues to evolve, employing refined techniques to enhance its impact and evade detection.
Details of the Attack Chain
The attack chain initiates with a malicious executable masquerading as a legitimate application. Upon execution, it drops a decoy document and loads shellcode to establish a connection with a command-and-control (C2) server.
From this server, it downloads components such as RuntimeBroker and RemoteShellcode, which are instrumental in achieving persistence and administrative privileges. By exploiting vulnerabilities in legitimate binaries like fodhelper.exe and the CMSTPLUA COM interface, attackers further escalate their privileges on the compromised system.
RuntimeBroker serves as a secondary loader, tasked with fetching additional malware from a remote C2 server, thereby initiating a new infection cycle while incorporating safeguards to detect and evade virtual environments.
In a targeted approach, the malware scans the Windows Registry for specific keys associated with popular Chinese applications such as Tencent, WeChat, and Alibaba DingTalk, reinforcing its focus on Chinese systems.
RemoteShellcode functions as a downloader for ValleyRAT. Upon execution, it establishes a network connection with a command-and-control server using either UDP or TCP protocols, facilitating the transfer of the ValleyRAT payload. Once received, this payload grants attackers remote control over the compromised system.
Capabilities and Implications
The capabilities of ValleyRAT are extensive, including remote code execution, screenshot capture, file management, and the ability to load additional plugins, rendering it a significant threat to cybersecurity.
ANY.RUN’s sandbox proves to be an invaluable tool for analyzing ValleyRAT’s behavior. It identified that MSBuild.exe was executing a file in the Temp directory. While MSBuild is a legitimate component for building .NET projects, its usage in this context suggests an attempt to obfuscate malicious activity.
Detection rules from Suricata IDS within the sandbox indicate that attempts to communicate with a command-and-control server point towards a potential malware infection, utilizing legitimate tools and hidden communication channels.
Are You From SOC/DFIR Teams? – Try Advanced Malware and Phishing Analysis With ANY.RUN – 14-day free trial