ValleyRAT Insights: Tactics, Techniques, and Detection Methods

Oct. 25, 2024, 3:52 p.m.

Description

ValleyRAT is a remote access Trojan targeting Chinese-speaking users through phishing campaigns. It employs multi-stage, multi-component tactics to evade detection and maintain persistence. The malware uses various techniques including process injection, registry manipulation, and UAC bypass. It attempts to disable antivirus software and evade sandboxes. ValleyRAT creates scheduled tasks and modifies registry keys for persistence. The analysis reveals its use of MITRE ATT&CK techniques such as startup folder manipulation, process injection, and command and control communication. The blog provides insights into ValleyRAT's tactics and offers detection methods to defend against this evolving threat.

External References

https://www.splunk.com/en_us/blog/security/valleyrat-insights-tactics-techniques-and-detection-methods.html
https://otx.alienvault.com/pulse/671b62a3d9bd586a96114f9c
Tags
phishing
evasion
persistence
valleyrat
remote access trojan
2024-10-25
uac bypass
chinese-speaking targets

Date

  • Created: Oct. 25, 2024, 9:19 a.m.
  • Published: Oct. 25, 2024, 9:19 a.m.
  • Modified: Oct. 25, 2024, 3:52 p.m.

Indicators

  • a67e68ae707f413ef9e64fa53d661c3f60c7bf466af1b547da818d9ac01e10a0
  • d208b80a6608c72c3c590f86d93b074533c0c4ef8a46b6d36ed52cc2b4c179d5
  • 14bf52de60e60a526141ffe61ef5afc2a3bc7d60d4086e644ec80e67513d2684
Download all indicators here!

Attack Patterns

  • ValleyRAT
  • T1016.001
  • T1548.002
  • T1547.001
  • T1012
  • T1497
  • T1562.001
  • T1071
  • T1055
  • T1053

Additional Informations

  • China