TLDR:
- Chinese-speaking users targeted by sophisticated ValleyRAT malware attack
- ValleyRAT spreads through malicious email URLs containing compressed executables
Researchers at ANY.RUN have identified a cyber campaign targeting Chinese-speaking users, spreading the ValleyRAT malware through malicious email URLs. ValleyRAT is a multi-stage malware that establishes persistent backdoors on infected systems, allowing attackers to monitor and control devices. The malware is capable of data exfiltration, ransomware attacks, and the creation of botnets, posing a significant threat to security. The attack utilizes sophisticated techniques to evade detection, making it crucial for individuals and organizations to implement robust cybersecurity measures.
ValleyRAT was analyzed in the ANY.RUN sandbox, revealing its complex attack chain involving malicious executables, decoy documents, shellcode, and connections to command-and-control servers. The malware abuses legitimate Windows components, fodhelper.exe and the CMSTPLUA COM interface (both auto-elevating and therefore usable to bypass UAC), to escalate privileges and maintain persistence on compromised systems. With components like RuntimeBroker and RemoteShellcode, ValleyRAT facilitates remote code execution, file management, and the loading of additional plugins, enhancing its threat level.
Analyses within the sandbox also identified obfuscated malicious activity using legitimate tools like MSBuild.exe, along with hidden communication channels to command-and-control servers. The specific focus of ValleyRAT on Chinese applications like Tencent, WeChat, and Alibaba DingTalk reinforces its targeting of Chinese systems, highlighting the need for heightened vigilance and cybersecurity awareness among Chinese-speaking users and organizations.
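The three living-off-the-land behaviours named above (fodhelper.exe, the CMSTPLUA COM interface, MSBuild.exe) are good candidates for a process-creation hunt. The following is an added example, not ANY.RUN's code or anything from the ValleyRAT analysis: it runs a coarse triage rule over constructed Sysmon-style events. The CMSTPLUA CLSID is a known Windows value rather than one taken from this page, and the event fields are assumed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    parent: str     # parent image name, lower-case (assumed field)
    image: str      # child image name, lower-case (assumed field)
    cmdline: str    # child command line
    integrity: str  # Sysmon IntegrityLevel, e.g. "Medium" or "High"

# CLSID of the CMSTPLUA COM elevation object (known Windows value, not from the page).
CMSTPLUA_CLSID = "3e5fc7f9-9a51-4367-9063-a120244fbec7"

# Children an auto-elevating helper like fodhelper.exe has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "regsvr32.exe", "wscript.exe", "mshta.exe"}
# User-writable locations from which MSBuild.exe should not be compiling projects.
USER_PATHS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a finding label for one event, or None when it looks benign."""
    cl = ev.cmdline.lower()
    # fodhelper.exe auto-elevates; a shell or script host under it is a UAC-bypass pattern.
    if ev.parent == "fodhelper.exe" and ev.image in SUSPICIOUS_CHILDREN:
        return "uac_bypass_fodhelper"
    # CMSTPLUA is surrogate-hosted by an elevated dllhost.exe /Processid:{CLSID};
    # legitimate callers exist, so this is a triage signal, not a verdict.
    if ev.image == "dllhost.exe" and CMSTPLUA_CLSID in cl and ev.integrity == "High":
        return "uac_bypass_cmstplua"
    # MSBuild.exe building a project from a user-writable path is classic proxy execution.
    if ev.image == "msbuild.exe" and any(p in cl for p in USER_PATHS):
        return "lolbin_msbuild_user_path"
    return None

def hunt(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Index and label of every event that trips a rule."""
    return [(i, lbl) for i, ev in enumerate(events) if (lbl := classify(ev))]

# Constructed sample telemetry (not real events from the campaign).
SAMPLE = [
    ProcEvent("explorer.exe", "fodhelper.exe", "fodhelper.exe", "High"),
    ProcEvent("fodhelper.exe", "cmd.exe", "cmd.exe /c C:\\Users\\Public\\loader.exe", "High"),
    ProcEvent("svchost.exe", "dllhost.exe",
              "C:\\Windows\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "High"),
    ProcEvent("explorer.exe", "msbuild.exe", "msbuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\t.xml", "Medium"),
    ProcEvent("devenv.exe", "msbuild.exe", "msbuild.exe C:\\src\\app\\app.csproj", "Medium"),
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE):
        print(idx, label, SAMPLE[idx].cmdline)
```

Run against real Sysmon Event ID 1 data the same rules apply unchanged; tune the CMSTPLUA rule by parent process, since legitimate elevation requests also go through that surrogate.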