A recent cybersecurity investigation has unearthed a revamped version of malware named ValleyRAT, which is currently being circulated as part of a fresh campaign.
The updated ValleyRAT incorporates new functionalities, including screen capturing, process filtering, forced system shutdown, and the clearing of Windows event logs, as noted by Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati.
Previously documented in 2023 by QiAnXin and Proofpoint, ValleyRAT was associated with a phishing initiative aimed at Chinese-speaking users and Japanese organizations. This campaign disseminated various malware strains such as Purple Fox and a variant of the Gh0st RAT trojan named Sainbox RAT (also known as FatalRAT).
Attributed to a threat actor based in China, ValleyRAT exhibits capabilities to harvest sensitive data and deploy additional payloads on compromised systems.
The infection begins with a downloader utilizing an HTTP File Server (HFS) to retrieve a file named “NTUSER.DXM,” which, when decoded, yields a DLL file responsible for downloading “client.exe” from the same server.
The decrypted DLL is programmed to identify and terminate anti-malware solutions from Qihoo 360 and WinRAR to avoid detection. Subsequently, the downloader fetches three more files – “WINWORD2013.EXE,” “wwlib.dll,” and “xig.ppt” – from the HFS server.
Following this, the malware executes “WINWORD2013.EXE,” a legitimate executable associated with Microsoft Word, to load “wwlib.dll,” establishing persistence on the system and loading “xig.ppt” into memory.
Continuing the execution process, the decrypted “xig.ppt” decrypts and injects shellcode into svchost.exe. The shellcode, containing configuration to contact a command-and-control (C2) server, downloads the ValleyRAT payload in the form of a DLL file.
ValleyRAT employs a complex multi-stage process to infect systems with the final payload, facilitating malicious operations. This approach, coupled with DLL side-loading (a legitimate, signed Word executable loading the attacker-supplied “wwlib.dll” placed beside it), likely aims to evade host-based security solutions like EDRs and antivirus applications.
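As an added example (not code from the article or from Zscaler), the following Python snippet shows how a defender might flag the side-loading pattern described above in image-load telemetry. It assumes Sysmon-style records giving the loading process image and the loaded DLL path, and it assumes a genuine Word installation runs from, and loads wwlib.dll from, the Microsoft Office program directory; wwlib.dll is a real Word component, which is what makes a stray copy next to a renamed WINWORD binary suspicious. The sample records are constructed for the example.

```python
"""
Detector for the WINWORD / wwlib.dll side-loading pattern.
Added example, not part of the original article. Assumptions are mine:
  * telemetry is available as (process image path, loaded image path) pairs,
    as in Sysmon image-load events;
  * legitimate Word lives under the Microsoft Office program directory and
    loads wwlib.dll from that same directory.
"""
import re
from pathlib import PureWindowsPath

# Directories a genuine Office install is expected to run from (assumption).
OFFICE_DIRS = (
    r"c:\program files\microsoft office",
    r"c:\program files (x86)\microsoft office",
)

# Constructed sample telemetry: (process image, loaded image).
SAMPLE_IMAGE_LOADS = [
    # benign: Word loading its own wwlib.dll from the Office directory
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll"),
    # suspicious: renamed Word binary in a temp directory loading a local wwlib.dll
    (r"C:\Users\victim\AppData\Local\Temp\WINWORD2013.EXE",
     r"C:\Users\victim\AppData\Local\Temp\wwlib.dll"),
    # unrelated load, should not be flagged
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\shell32.dll"),
]


def is_word_host(image_path):
    """True if the process image name looks like a Word executable
    (WINWORD.EXE, WINWORD2013.EXE, ...). Matches on the file name only,
    because a renamed copy of the real binary is exactly the case here."""
    name = PureWindowsPath(image_path).name.lower()
    return bool(re.fullmatch(r"winword[\w-]*\.exe", name))


def in_office_dir(path):
    """True if the path sits under one of the expected Office directories."""
    low = path.lower()
    return any(low.startswith(d) for d in OFFICE_DIRS)


def classify_image_load(process_image, loaded_image):
    """Return a reason string if this image load matches the side-loading
    pattern, or None if it looks normal. Only wwlib.dll loads are considered."""
    dll_name = PureWindowsPath(loaded_image).name.lower()
    if dll_name != "wwlib.dll":
        return None
    reasons = []
    if not is_word_host(process_image):
        reasons.append("wwlib.dll loaded by a non-Word process")
    if not in_office_dir(process_image):
        reasons.append("Word host running outside the Office install directory")
    if not in_office_dir(loaded_image):
        reasons.append("wwlib.dll loaded from outside the Office install directory")
    return "; ".join(reasons) if reasons else None


def scan(records):
    """Run the classifier over (process, dll) pairs; return the flagged ones."""
    findings = []
    for process_image, loaded_image in records:
        verdict = classify_image_load(process_image, loaded_image)
        if verdict:
            findings.append((process_image, loaded_image, verdict))
    return findings


if __name__ == "__main__":
    for process_image, loaded_image, verdict in scan(SAMPLE_IMAGE_LOADS):
        print(f"ALERT {process_image} -> {loaded_image}: {verdict}")
```

The check is deliberately path-based rather than hash-based: the host binary is a legitimate, signed Word executable, so signature checks pass, and the copy of wwlib.dll changes per campaign. What does not change is that a Word binary and its wwlib.dll both appear outside the Office install directory, which is the condition the classifier keys on.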
Meanwhile, Fortinet FortiGuard Labs has uncovered a phishing campaign targeting Spanish-speaking individuals with an updated version of the Agent Tesla keylogger and information stealer. This attack leverages Microsoft Excel Add-Ins (XLA) file attachments to exploit known vulnerabilities (CVE-2017-0199 and CVE-2017-11882), initiating JavaScript code execution to load a PowerShell script. The script then launches a loader to retrieve Agent Tesla from a remote server.
This variant of Agent Tesla harvests credentials, email contacts, and basic device information from victims, including Thunderbird email client contacts.
Source: thehackernews.com