Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

Jan. 20, 2025, 11:49 a.m.

Description

A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named PNGPlug to deliver the ValleyRAT payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer deploys a benign application and extracts an encrypted archive containing the malware components. The PNGPlug loader sets up the environment for malware execution, including patching ntdll.dll and injecting payloads extracted from PNG files. ValleyRAT, attributed to the Silver Fox APT, employs advanced techniques such as shellcode execution, obfuscation, and persistence mechanisms. The campaign stands out for its focus on Chinese-speaking victims across China, Hong Kong, and Taiwan, treating these regions as a single target despite their political differences.

Date

  • Created: Jan. 20, 2025, 11:09 a.m.
  • Published: Jan. 20, 2025, 11:09 a.m.
  • Modified: Jan. 20, 2025, 11:49 a.m.

Indicators

  • fa26722e99763a29af160fae64183a47a57362b666753624b78e954c8cde0525
  • e9e4751c88d3a1a4bfdd5d07bb35636787b0d6fbf68b17642d3fe03cbe5ebf70
  • f2f96e5ac1b4bd6cac49c71ca2010dcbe5751757483520cfc7dddf4fb7186044
  • e54ce9939679c691dc5719e309a8d541183b6672269fd61013109ef0d8509b1e
  • e49b085f5484531395b5a7903f004b2a02a2b4ebfa46116d1a665ba881b1f528
  • d9e939f904a1cddf5fb8ffba14acbfe227ed5dfc4990b52a44d4dfd0baa6de4e
  • de8a0da702a491f610b9e85050d8641cadf4ed84edf4d151f94335b0d78d6636
  • cd347b9f558cf024df1dbb62ed7a0d72a2edc04b1330058cfa1baf4fc3894e03
  • d51db234d0236cd0dbfcf13adc33387f10920011537815d188eff012872e30be
  • d0ce85ec31053478c67e4f53ca2ef9b7b1f0fda74621c9c7c8c1612772ca778c
  • c636120749b49f47fc8d42409ead6c51ea44bc40c815370997ca63f48acdf002
  • c5d5054047a12efc68a67abd8f15069a853dd09800cd39d68df5a27702b45334
  • c497506fe2df57c39fcf92398f4864ca4bfcb1a6f2f80c3c520166bc61882855
  • c070749f95aeeefcd1c3a875c1b8e77b57cad0c8338436af9a3c9e1323fd4e11
  • ad23f5c9bab137dc24343fc410f7587885aab6772dee5e75a216ed579c6ee420
  • ae6d88ea99e530f778ee6088862b50dfb6e8bb45857211e9105428c57c2a7b4a
  • a97371df7d51fe0aee1d54b5b233a1713f69224802b1da35337a3041788990e6
  • 9d97f3f55bc647911e14a36c83f263e91662cf9d13a2fc3ec7c92dedb8977d37
  • 9bd53057c8905d508374698e2595301f0be1529ec4ebfa71c09ad0c01a562982
  • 9aea0fdfead2e956bc0b4574c2b4cb2855dd9df6a5fd61d350f3285d249adfca
  • 9aa51d1c82fdbc8f0f27340180bd40faa7e76b8ac6d204b2d3548cfd0897d805
  • 99fb7a40dbf6a042bcb77f67a5a76fe03ec3c6820ac5e15cb009795d545152ea
  • 94ff4679dd5aec7874354c14132701ecdfbbb558c6011e4952d13bf843255529
  • 7eaed6fa867875119c3ebb40aa24716d91fdbccb2106fa4708ff0637920a920c
  • 8aa28f35dbafc18a37b07fd15bb599e3c8de5b692117f1c6fd491bd03028a423
  • 7c31c4d0308fb1d67f6af48a76138a9db19f494c1e9a12debdcca7382ad5418c
  • 7bff2404c2816c4e1576d449820f01e3f46e7c972beb1843e3b8da2e065f8dc3
  • 79acdca5247ca9719f2f3a34c7942cd60b209f7b616efa5dd81e6656a8baf9a5
  • 76fc76dc651c3cc9d766a6ad8a90f605326463bc4cb2f8f053d44dfbc913beee
  • 6d4dd4334791c91bb09e7a91dd5c450b2c6e3348a5586de011c54ce3f473f619
  • 70facc8ad5db172e235b4cc720a0edaedd4470b8a6ec5da8dee2758f4a1aafef
  • 6d2a4d9e2fc6e4dac2c426851b4bdf86dd63a5515d8d853e622a0bc01d250ce9
  • 659ede632d3bfc28d143c144fdba34d08b21c4f97ce6c9dc1fcd4d2bf5cc25e3
  • 5f9a5ad43a9f79976cd7014ce072429ef2edbae872b4226372cfb07d8a86b8a5
  • 58416315c61ed5cb2c754244ed5c081963dabf3e698b04226a00f978cd913e84
  • 517b43bf057877727387316d8538dc07599856eb428d43f512e89964a5dfb331
  • 50a64e97c6a5417023f3561f33291b448ce830a4d99c40356af67301c8fa7523
  • 504d7714419931f80b734e212a9431ec98887c56ade8966c4d7cae58b28d49ca
  • 4b6bf40dc331c89e416ef012a6dc4f55c83136197be7115246b42e4f7a828baa
  • 4d64c2d1ae0de0f3066a6c020ab7aa5a9dd487c0cf1ff1ca2e93d98ff30e039f
  • 4a68bdfa3e31a8c063bbf94469160eb7998a556027d5ad33f37c347a71c2d3a4
  • 46af73560cafff5c8bbc16980d01641af0de3b689bc248dfb52afcf3a8a76a55
  • 463c9704fb009cd13e0ef50fa7d5035aa5f35b4841fe75ecab5c4a276601f837
  • 3fc35cab1272f769af309cb46375e21680f13d629181c7646cb0cf2c9b2e72e7
  • 3ac3ca18142a935608cb0d2c8d6421ebb9abc30bce93f094447b9c3f63fe791b
  • 33bc111238a0c6f10f6fe3288b5d4efe246c20efd8d85b4fe88f7d602d70738e
  • 30147b6691e5bc1a15c76cebf81b2de77d9099e8200b6ed9742c6e3b36505f34
  • 16bb3968e1112b63fef8a4e7bda9d021dfef6fd1955fdfa677545535a14a65b4
  • 0b33f08bc2917c4825c053754fc88e16b35d1a8fff4135595b265a4c6f850250
  • 08dad42da5aba6ef48fca27c783f78f06ab9ea7a933420e4b6b21e12e550dd7d
  • 156.247.33.53
  • 45.195.148.107

Attack Patterns

  • PNGPlug
  • gh0st RAT - S0032
  • ValleyRAT
  • Silver Fox

Additional Information

  • Hong Kong
  • Taiwan
  • China