New Updates to ValleyRAT
June 10, 2024, 4 p.m.
Description
Zscaler ThreatLabz recently uncovered a new campaign delivering the latest iteration of ValleyRAT, a remote access trojan attributed to a China-based threat actor. The campaign is multi-stage: the initial-stage downloader retrieves the subsequent components from an HTTP File Server (HFS). The malware employs several evasion techniques, including anti-virus checks, DLL sideloading, and process injection. The latest ValleyRAT version adds capabilities such as screenshot capture, process filtering, forced shutdown, and clearing of Windows event logs, and it reworks its device fingerprinting and bot ID generation.
Date
Published: June 10, 2024, 3:41 p.m.
Created: June 10, 2024, 3:41 p.m.
Modified: June 10, 2024, 4 p.m.
Indicators
f5ebe440931d1d003a51133ad1f727daf2410ba50d9f51818938c269bb7fe806
e4163490b168b5529fc9b3d60ad6f18bfae0a9eaaf462388fe7f9f53becf5aa9
8b6694896f82a64ce6fd01d6f724c7ec64596577afd84e690377eb4c5bbe3ca3
6b31ef2e4c43ee9fcdf3eeff0be269fa4c31aba5640e58c68c8865b3e625db0e
646e7831bb18374b9abac184f1c6b9ab5e1ae3d919b8a7b311ac824fa869ceef
41d7e67176eb1c406fb8c545e4d14fa694a63bf38aa7423d61d8cd48999e40ce
61d7aacc11ca248ae8c54bd56f3603a592435baa7fb36b5822e7b62e5c8fcd61
36c9500e41f43ef142c73d781669e976e44c472e55a67e27badb5e7f226d188b
35cf0e36dd5c8ca090b51704dfdad6d939067b61f468f2e181dd0c2b5444bb9d
2ad2dea7acc4cee8554a072d445bbee5c0ddfcf6b5bd1a2da8eb78c3bea96cba
24daf0b69dcc17c24bbc858d166cc85270bf82ab57bc159e88f193c7dc0b1501
1cf712b65cb67a06b0376921ffe2a697fc34284140eb6c79738daee3367dfec8
2393fe7adb5f51d741323d06a5acf477a88e29b6a365b646565750ddb43088e9
43.132.235.4
43.132.212.111
43.129.233.99
124.156.134.223
43.129.233.146
101.33.117.200
119.28.41.143
119.28.32.143
wenjian2024.com
fpwenj.zhangyaodong5.com
tzsxr.com
kfurl.cn
scpgjhs.com
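The indicators above arrive as an untyped list, so the first thing a detection engineer does is classify them (SHA-256 hashes, IPv4 addresses, domains) and sweep them across telemetry. The following is an added example and not Zscaler's or ThreatLabz's tooling: it loads a subset of the indicators listed on this page, classifies them, and matches them against constructed DNS, proxy and file-inventory lines. Domain indicators match the listed name and any subdomain of it (so a query for a hostname under tzsxr.com is flagged), but a listed subdomain such as fpwenj.zhangyaodong5.com does not cause its parent domain to match. The log formats and the SAMPLE_TELEMETRY lines are assumptions made up for this example.

```python
"""Sweep the ValleyRAT indicators from this entry across telemetry lines.

Added example; not Zscaler's or ThreatLabz's code. Indicator values are
copied from the entry above; the telemetry lines are constructed.
"""
import ipaddress
import re
from typing import Iterable

# Subset of the indicators listed on this page (paste the full list in practice).
VALLEYRAT_IOCS = """
f5ebe440931d1d003a51133ad1f727daf2410ba50d9f51818938c269bb7fe806
e4163490b168b5529fc9b3d60ad6f18bfae0a9eaaf462388fe7f9f53becf5aa9
43.132.235.4
43.129.233.99
119.28.41.143
wenjian2024.com
fpwenj.zhangyaodong5.com
tzsxr.com
"""

_SHA256 = re.compile(r"\b[0-9a-f]{64}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname-like tokens: dotted labels ending in an alphabetic TLD (excludes IPs).
_HOST = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}\b")


def classify_iocs(raw: str) -> dict:
    """Split a newline-separated indicator list into hashes, IPv4s and domains."""
    iocs = {"sha256": set(), "ipv4": set(), "domain": set()}
    for line in raw.splitlines():
        tok = line.strip().lower().rstrip(".")
        if not tok:
            continue
        if re.fullmatch(r"[0-9a-f]{64}", tok):
            iocs["sha256"].add(tok)
            continue
        try:
            ipaddress.IPv4Address(tok)
            iocs["ipv4"].add(tok)
            continue
        except ValueError:
            pass
        iocs["domain"].add(tok)  # anything else is treated as a domain name
    return iocs


def domain_hits(host: str, domains: set) -> set:
    """Indicator domains equal to `host` or a parent of it (never a bare TLD)."""
    labels = host.lower().rstrip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return candidates & domains


def scan_lines(lines: Iterable[str], iocs: dict) -> list:
    """Return (line_number, ioc_type, indicator, matched_token) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()  # hashes and hostnames are compared case-insensitively
        for tok in sorted(set(_SHA256.findall(low))):
            if tok in iocs["sha256"]:
                hits.append((n, "sha256", tok, tok))
        for tok in sorted(set(_IPV4.findall(low))):
            if tok in iocs["ipv4"]:
                hits.append((n, "ipv4", tok, tok))
        for tok in sorted(set(_HOST.findall(low))):
            for ind in sorted(domain_hits(tok, iocs["domain"])):
                hits.append((n, "domain", ind, tok))
    return hits


# Constructed telemetry (assumed formats), not data from the report.
SAMPLE_TELEMETRY = [
    # DNS: subdomain of a listed domain, caught by the parent-domain rule
    "2024-06-10T09:12:40Z dns client=10.0.4.21 query=cdn.tzsxr.com type=A rcode=NOERROR",
    # Proxy: first-stage downloader fetching a component from a listed IP
    "2024-06-10T09:12:44Z proxy src=10.0.4.21 dst=43.132.235.4 method=GET url=http://43.132.235.4/dl/a.dat",
    # Endpoint file inventory: dropped file whose hash is listed (upper-case hex)
    "2024-06-10T09:12:51Z file host=WS-0421 path=C:\\Users\\bob\\AppData\\Local\\Temp\\a.dat "
    "sha256=F5EBE440931D1D003A51133AD1F727DAF2410BA50D9F51818938C269BB7FE806",
    # Benign lines that must not match; the last is only the parent of a listed subdomain
    "2024-06-10T09:13:02Z dns client=10.0.4.22 query=www.example.com type=A rcode=NOERROR",
    "2024-06-10T09:13:05Z dns client=10.0.4.22 query=zhangyaodong5.com type=A rcode=NOERROR",
]


def scan_sample() -> list:
    """Run the sweep over the constructed telemetry with the indicators above."""
    return scan_lines(SAMPLE_TELEMETRY, classify_iocs(VALLEYRAT_IOCS))


if __name__ == "__main__":
    for line_no, kind, indicator, token in scan_sample():
        print(f"line {line_no}: {kind} indicator {indicator} matched {token}")
```

The parent-domain rule is deliberately one-directional: a listed apex such as tzsxr.com covers every host beneath it, while a listed subdomain only covers itself, because the page gives no evidence that the rest of zhangyaodong5.com is attacker-controlled. Widen that rule only after you have checked the parent domain yourself.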
Attack Patterns
ValleyRAT
T1120 (Peripheral Device Discovery)
T1010 (Application Window Discovery)
T1574.002 (Hijack Execution Flow: DLL Side-Loading)
T1113 (Screen Capture)
T1518.001 (Software Discovery: Security Software Discovery)
T1529 (System Shutdown/Reboot)
T1082 (System Information Discovery)
T1057 (Process Discovery)
T1083 (File and Directory Discovery)
T1071 (Application Layer Protocol)
T1055 (Process Injection)
T1036 (Masquerading)
T1140 (Deobfuscate/Decode Files or Information)