Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT.
The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week.
The infection chain commences with a phishing page that's designed to encourage victims to download a malicious Microsoft Installer (MSI) package disguised as legitimate software.

Once executed, the installer deploys a benign application to avoid arousing suspicion, while also stealthily extracting an encrypted archive containing the malware payload.
“The MSI package uses the Windows Installer’s CustomAction feature, enabling it to execute malicious code, including running an embedded malicious DLL that decrypts the archive (all.zip) using a hardcoded password ‘hello202411’ to extract the core malware components,” security researcher Nicole Fishbein said.
These include a rogue DLL (“libcef.dll”), a legitimate application (“down.exe”) that’s used as a cover to conceal the malicious activities, and two payload files masquerading as PNG images (“aut.png” and “view.png”).
The main objective of the DLL loader, PNGPlug, is to prepare the environment for executing the main malware by injecting “aut.png” and “view.png” into memory in order to set up persistence by making Windows Registry changes and executing ValleyRAT, respectively.
ValleyRAT, detected in the wild since 2023, is a remote access trojan (RAT) that’s capable of providing attackers with unauthorized access and control over infected machines. Recent versions of the malware have incorporated features to capture screenshots and clear Windows event logs.
It’s assessed to be linked to a threat group called Silver Fox, which also shares tactical overlaps with another activity cluster named Void Arachne owing to the use of a command-and-control (C&C) framework called Winos 4.0.
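Two of the tradecraft details above give defenders cheap triage checks: payload files carry a .png extension but are not PNG images, and the dropped archive is password-protected. The Python below is an added example written for this article, not code from Intezer's report or from the campaign; it compares a file's claimed type against its magic bytes and reads the encryption flag out of a ZIP's central directory. The file names, contents and the hand-built ZIP fixture are all constructed for the demonstration (zipfile cannot write encrypted entries, so the fixture sets the flag bit directly).

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # every real PNG starts with this 8-byte signature
PE_MAGIC = b"MZ"                   # Windows EXE/DLL files start with the DOS "MZ" stub
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose flag bit 0 in ZIP headers


def classify_png_claim(name: str, data: bytes) -> str:
    """Compare a file's claimed type (a .png extension) with what its bytes say."""
    if not name.lower().endswith(".png"):
        return "not-a-png-claim"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe-masquerading-as-png"
    return "unknown-masquerading-as-png"


def encrypted_entries(zip_bytes: bytes) -> list:
    """Names of ZIP entries whose encryption flag is set (password-protected).

    Only metadata is read, so no password is needed to answer the question.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ZIP_FLAG_ENCRYPTED]


def build_stored_zip(name: bytes, data: bytes, flags: int = 0) -> bytes:
    """Constructed fixture: a minimal single-entry (stored) ZIP with a chosen flag word.

    Real encrypted entries also carry a 12-byte encryption header before the data;
    it is omitted here because encrypted_entries() never decompresses anything.
    """
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # local file header: sig, version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    # central directory header: same fields plus comment/disk/attr fields and local offset 0
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    # end of central directory: one entry, central dir size and its offset (= len(local))
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed sample files, not artifacts from the campaign.
SAMPLES = {
    "image.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",   # genuine PNG header
    "payload.png": b"MZ\x90\x00" + b"\x00" * 60,      # PE header hiding behind a .png name
    "notes.txt": b"hello",
}


def scan_samples() -> dict:
    """Run the extension-vs-magic check over the constructed samples."""
    return {name: classify_png_claim(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
    fixture = build_stored_zip(b"payload.dll", b"x" * 16, ZIP_FLAG_ENCRYPTED)
    print("encrypted entries:", encrypted_entries(fixture))
```

On a real host the same two checks would be run over whatever an MSI drops into its target directory; a PE behind an image extension next to a password-protected archive is the combination worth alerting on, even before anything is decrypted.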

The campaign is unique for its focus on the Chinese-speaking demographic and the use of software-related lures to activate the attack chain.
“Equally striking is the attackers’ sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications,” Fishbein said.
“The adaptability of the PNGPlug loader further elevates the threat, as its modular design allows it to be tailored for multiple campaigns.”