ValleyRAT is a multi-stage malware that supports multiple techniques to monitor and control compromised devices. The malicious code is also used to deploy arbitrary plugins on the infected systems. A noteworthy characteristic of ValleyRAT malware is the heavy usage of shellcode to execute its many components directly in memory.
FortiGuard Labs researchers warn of an ongoing ValleyRAT malware campaign that is targeting Chinese-speaking users.
In the first stage of the attack chain, the malware disguises itself using icons of legitimate applications like Microsoft Office and uses filenames related to financial documents to lure users, such as “Industrial and Commercial Annual Report Master.exe” and “View Details.exe.” It also creates an empty file named “dome.doc” and attempts to open it with the default application for Microsoft Word documents to make the deception more convincing. If no default application is set, it displays an error message.
When executed, the malware creates a mutex named “TEST” to ensure only one instance runs on the system. It then deletes specific registry entries potentially left by previous installations of the malware and stores the IP address and port of its C2 server in the registry entry HKEY_CURRENT_USER\Software\Console\IpDateInfo.
The malicious code checks if it’s running in a virtual machine by enumerating all services and looking for VM-related strings like “VMWARE Tools,” “VMWare 共享,” “Virtual Machine,” and “VirtualBox Guest” in service display names. If it detects any of these, it displays a blank error message box and halts its execution.
“Before the shellcode is executed to load the next stage, this malware uses a known technique called sleep obfuscation to evade memory scanners. This involves adding a callback functionality to Sleep or similar APIs that modify the permissions of the allocated memory where the malicious code resides to values not commonly deemed suspicious by scanners.” reads the analysis published by Fortinet. “Furthermore, during this process, the malicious shellcode is encoded with a simple XOR operation to evade pattern-based signatures.”
ValleyRAT executes its components directly in memory using shellcode blocks, similar to a shellcode found on GitHub and associated with older malware campaigns detected as W64/Agent.CCF!tr by Fortinet. Once initialized, the malware decrypts shellcode using AES-256 with a key derived from a hardcoded value and further processes it with XOR to reveal the final shellcode. It then obfuscates its execution with a sleep routine and executes the shellcode through the EnumSystemLocalesA API. The shellcode employs the BKDR hashing algorithm to obfuscate API names and searches for target APIs by traversing the Process Environment Block (PEB). It then reflectively loads an embedded DLL, adjusting its base and resolving imports before executing its entry point, typically for a beaconing module.
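An analyst reversing shellcode that hides API names behind BKDR hashes usually precomputes a hash-to-name table from the export lists of the system DLLs and looks the values up. The following is an added example of such a resolver, not code from the Fortinet analysis; the seed value 131 is the textbook BKDR constant and is an assumption here (the page does not state the constant the sample uses), and the export list is constructed for illustration.

```python
def bkdr_hash(name: str, seed: int = 131) -> int:
    """32-bit BKDR string hash: h = h * seed + byte, truncated to 32 bits.

    Seed 131 is the classic BKDR constant and is assumed; the constant a
    particular ValleyRAT sample uses must be read from its shellcode.
    """
    h = 0
    for b in name.encode("ascii"):
        h = (h * seed + b) & 0xFFFFFFFF
    return h


def build_hash_table(export_names, seed: int = 131) -> dict:
    """Map BKDR hash -> API name for every export name supplied."""
    return {bkdr_hash(n, seed): n for n in export_names}


def resolve_hashes(hashes, table: dict) -> list:
    """Translate hashes recovered from shellcode into names; unknown values
    are kept as hex so they can be investigated (different seed, other DLL)."""
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]


# Constructed export list for the demo. In real use, feed the export tables
# of kernel32.dll / ntdll.dll (e.g. parsed with pefile) instead of this list.
SAMPLE_EXPORTS = [
    "Sleep", "VirtualAlloc", "VirtualProtect", "LoadLibraryA",
    "GetProcAddress", "EnumSystemLocalesA", "CreateMutexA",
]

if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed input: two hashes the shellcode could carry plus one
    # value that is not in our export list, to show the unknown path.
    seen = [bkdr_hash("VirtualProtect"), bkdr_hash("Sleep"), 0xDEADBEEF]
    for h, name in zip(seen, resolve_hashes(seen, table)):
        print(f"{h:08x} -> {name}")
```

If every recovered hash comes back unknown, the seed is the first thing to check: rebuilding the table with the constant read from the disassembly is a one-argument change.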
The beaconing module contacts a C2 server to download two components, named RuntimeBroker and RemoteShellcode, establishes persistence on the host, and gains administrator privileges by abusing the legitimate fodhelper.exe binary to bypass UAC. The malware also abuses the CMSTPLUA COM interface for privilege escalation.
RuntimeBroker is used to retrieve a component called Loader from the Command and Control (C2) server. The Loader operates similarly to the first-stage loader, executing the beaconing module to continue the infection. It also includes checks to detect if it’s running in a sandbox and scans the Windows Registry for keys related to Chinese apps like Tencent WeChat and Alibaba DingTalk, suggesting that the malware specifically targets Chinese systems.
RemoteShellcode fetches the ValleyRAT downloader from the C2 server, then uses UDP or TCP sockets to connect to the server and receive the final payload.
The malware attempts to evade detection by adding its root drive to the Windows Defender exclusion list using a PowerShell command. It uses pipes to execute commands in a new PowerShell process, likely to bypass security tools that inspect command arguments. By default, it excludes the “C:\” drive, but will exclude other drives if the malware runs from them.
The malware attempts to kill antivirus (AV) processes, specifically those from Chinese AV products, by terminating processes with certain executable names. If any of these processes remain active, the malware injects shellcode with an embedded DLL into the lsass process, which grants it higher privileges; from there it again attempts to terminate the AV processes and modifies registry settings to disable or weaken the AV products’ autostart capabilities.
Experts attribute ValleyRAT to an APT group called “Silver Fox”. The capabilities implemented by the malware are focused on graphically monitoring the user’s activities and delivering other plugins, and possibly other malware, to the victim system.
ValleyRAT can remotely control compromised systems, load additional plugins, and execute files on the victim system.
“This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system. Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plugins to further the threat actors’ intentions.” concludes the analysis.