A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers
Aug. 16, 2024, 2:51 p.m.
Description
FortiGuard Labs recently encountered an ongoing malware campaign specifically targeting Chinese speakers. The attack uses a multi-stage malware named ValleyRAT, which employs diverse techniques to monitor and control victims while deploying arbitrary plugins. A notable characteristic is its heavy use of shellcode to execute components directly in memory, reducing its on-disk footprint. The campaign involves masquerading as legitimate applications, sandbox evasion, privilege escalation, and downloading additional components from the command-and-control server. The malware ultimately aims to monitor user activity and deliver malicious plugins.
Date
Published: Aug. 16, 2024, 2:26 p.m.
Created: Aug. 16, 2024, 2:26 p.m.
Modified: Aug. 16, 2024, 2:51 p.m.
Indicators
fb73e089d0a276617b9a213080f84d0e411592c7db5548790e3fe1c53295f5a3
ebd3a506c226e98dcedc1b882a11addd25ded8ee5110249b5b1a391e4d77d327
d63792ee67c6f1702188695387c64991029dabd702d48eac3ea3f0eef280d4a1
d208b80a6608c72c3c590f86d93b074533c0c4ef8a46b6d36ed52cc2b4c179d5
ce8224de916a5eb0c76c9ba7acc3833f8cdc7f7d31a72dfbe69d2be1f8b7cc48
c486ca7291799a7474196c7cf60158421a2d81697e24e693e76cd1da06b9bf1c
b50ad87cd7ce19ae30cb709ea3ceb7107b129c64ec9c314157fc6a8df079262b
ad9bd41e73eff193caab25960b6a990641ea8d412b5ba456b64ad165b7216c48
ad753becec205160b78de45c11ed42f3da707c9cee0688fa4190233a9b4f1379
aae7f34bdc0aa362bb42eb5e4cff69b60d67f7f155a3e2b9b905c90a1cc2aac4
a676c7490086a4112f920936e57ee49e213aaffd12bb38bc433a073ddfae0f24
a47423b59d75e228198450f7a9a2e051eeca6388028a6deb8e9843951bf21575
8b7d3de2c77c59663ec5d8969b688530a3c9228b72807bc17a9822d558c42ee8
8a6b352c45e48e3564e259ade4f544d01900e8c3f9a74e52ae3bc62f74ddf013
8790506401a3bac69f6669a3dd832650e4752ff68dd6f0cef35b43e6ad59d7df
8378960ee2bfc32930e19f762f561f4a6448160de2bde6ce330309326d745f89
7b98622db7a62ace626dcc8af5bb7ac3726a968241c94612c5b9cb906175f5f3
76b1c8b026ac9e72ffe8ac1dd8d18abfbb4eb9c23bccb42ab9af2580ed72b7ad
72542f81546656de73e009b541ed12cbcc9feced4f6ab79f9e9a0ee9df148b6a
7172dff66af9c34958a3b095210664c26a934b5f734b64ea3170f1507a120503
583001d3d4dc0a72c92cf27a390e95e1fad6229d18ab255b625985939eb4b90f
47d7ce4ce72ca7e0cebab472e2165a1ebbd9395a60d7478990fd4dbec2eb195f
24a871b7b837b217d271747337381fbbcff61edfe44e087c55921564b170a8c9
22bfdc52a65905088b8b897a630c66c16ec5c2eba992c1c0722e5c8da9afa181
1ded5a6c54a7b10365c41bc850ce41f18d86435fbe9315c37bd767ecdf255135
17ff585fadcf40e25ad9d09cf007d20f6691ccf31d93a5d48d25f7e811cb0ca4
14bf52de60e60a526141ffe61ef5afc2a3bc7d60d4086e644ec80e67513d2684
12ae203fa199291754649a4e592fb0880339c88b07f1d69798114afca06b8061
1235419877ccc1f1820cc75e773fe79f9ad0296dd8eea9aa44f511a7b6348cfd
0a971e606e839e7d5e72dcea0a8a3d081c951250ce25b0ddaf2429bad87ebe3d
02c8f22e9d2df7e051fffc49c7d2d240787fbe8395b4c3c96be40b5a111a03ce
02aed2b21a90c82d2ca597340aabfa1d6c52302b08aa9f58e87893f6997c2681
154.92.19.81
154.82.85.12
Attack Patterns
ValleyRAT
Silver Fox
T1038
T1568
T1137
T1548
T1572
T1012
T1497
T1105
T1083
T1543
T1055
T1036
T1033
T1027
T1053
T1112
T1562
T1059