Back

A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers

Aug. 16, 2024, 2:51 p.m.

Tags

windows registry
shellcode
valleyrat
2024-08-16
sandbox evasion
cmstplua com class

External References

https://www.fortinet.com/

https://otx.alienvault.com/

Description

FortiGuard Labs recently encountered an ongoing malware campaign specifically targeting Chinese speakers. The attack utilizes a multi-stage malware named ValleyRAT, which employs diverse techniques to monitor and control victims while deploying arbitrary plugins. A notable characteristic is its heavy usage of shellcode to execute components directly in memory, reducing its file footprint. The campaign involves masquerading legitimate applications, sandbox evasion, privilege escalation, and downloading additional components from the Command and Control server. The malware ultimately aims to monitor user activities and deliver malicious plugins.

Date

Published Created Modified
Aug. 16, 2024, 2:26 p.m. Aug. 16, 2024, 2:26 p.m. Aug. 16, 2024, 2:51 p.m.

Indicators

fb73e089d0a276617b9a213080f84d0e411592c7db5548790e3fe1c53295f5a3

ebd3a506c226e98dcedc1b882a11addd25ded8ee5110249b5b1a391e4d77d327

d63792ee67c6f1702188695387c64991029dabd702d48eac3ea3f0eef280d4a1

d208b80a6608c72c3c590f86d93b074533c0c4ef8a46b6d36ed52cc2b4c179d5

ce8224de916a5eb0c76c9ba7acc3833f8cdc7f7d31a72dfbe69d2be1f8b7cc48

c486ca7291799a7474196c7cf60158421a2d81697e24e693e76cd1da06b9bf1c

b50ad87cd7ce19ae30cb709ea3ceb7107b129c64ec9c314157fc6a8df079262b

ad9bd41e73eff193caab25960b6a990641ea8d412b5ba456b64ad165b7216c48

ad753becec205160b78de45c11ed42f3da707c9cee0688fa4190233a9b4f1379

aae7f34bdc0aa362bb42eb5e4cff69b60d67f7f155a3e2b9b905c90a1cc2aac4

a676c7490086a4112f920936e57ee49e213aaffd12bb38bc433a073ddfae0f24

a47423b59d75e228198450f7a9a2e051eeca6388028a6deb8e9843951bf21575

8b7d3de2c77c59663ec5d8969b688530a3c9228b72807bc17a9822d558c42ee8

8a6b352c45e48e3564e259ade4f544d01900e8c3f9a74e52ae3bc62f74ddf013

8790506401a3bac69f6669a3dd832650e4752ff68dd6f0cef35b43e6ad59d7df

8378960ee2bfc32930e19f762f561f4a6448160de2bde6ce330309326d745f89

7b98622db7a62ace626dcc8af5bb7ac3726a968241c94612c5b9cb906175f5f3

76b1c8b026ac9e72ffe8ac1dd8d18abfbb4eb9c23bccb42ab9af2580ed72b7ad

72542f81546656de73e009b541ed12cbcc9feced4f6ab79f9e9a0ee9df148b6a

7172dff66af9c34958a3b095210664c26a934b5f734b64ea3170f1507a120503

583001d3d4dc0a72c92cf27a390e95e1fad6229d18ab255b625985939eb4b90f

47d7ce4ce72ca7e0cebab472e2165a1ebbd9395a60d7478990fd4dbec2eb195f

24a871b7b837b217d271747337381fbbcff61edfe44e087c55921564b170a8c9

22bfdc52a65905088b8b897a630c66c16ec5c2eba992c1c0722e5c8da9afa181

1ded5a6c54a7b10365c41bc850ce41f18d86435fbe9315c37bd767ecdf255135

17ff585fadcf40e25ad9d09cf007d20f6691ccf31d93a5d48d25f7e811cb0ca4

14bf52de60e60a526141ffe61ef5afc2a3bc7d60d4086e644ec80e67513d2684

12ae203fa199291754649a4e592fb0880339c88b07f1d69798114afca06b8061

1235419877ccc1f1820cc75e773fe79f9ad0296dd8eea9aa44f511a7b6348cfd

0a971e606e839e7d5e72dcea0a8a3d081c951250ce25b0ddaf2429bad87ebe3d

02c8f22e9d2df7e051fffc49c7d2d240787fbe8395b4c3c96be40b5a111a03ce

02aed2b21a90c82d2ca597340aabfa1d6c52302b08aa9f58e87893f6997c2681

154.92.19.81

154.82.85.12

Attack Patterns

ValleyRAT

Silver Fox

T1038

T1568

T1137

T1548

T1572

T1012

T1497

T1105

T1083

T1543

T1055

T1036

T1033

T1027

T1053

T1112

T1562

T1059