Phishing campaign deploys ValleyRAT and Sainbox RAT

September 27, 2023
Phishing Campaign Chinese China ValleyRAT Sainbox RAT Malware

A newly discovered phishing campaign that deploys ValleyRAT and Sainbox RAT exclusively targets Chinese-speaking users. The campaign is a sophisticated operation that distributes two malware strains.

This malicious campaign has been active since the start of 2023 and has expanded its scope over time. Over 30 attack campaigns have utilised these malware families, with 20 of them recorded since April of the same year.

The ValleyRAT and Sainbox RAT campaigns have cycled through several TTPs before payload delivery.

The ValleyRAT and Sainbox RAT operators have leveraged various techniques in their phishing campaigns to bait unsuspecting victims. They deliver these payloads through diverse infrastructure, sender domains, and invoice-themed emails.

One incident in this campaign involved fraudulent emails posing as communication from Chinese offices and invoicing companies. These malicious emails deceive users into downloading the Sainbox RAT onto their systems. The confirmed targets of these attacks are the manufacturing and technology sectors.

ValleyRAT, on the other hand, debuted in this campaign in March, with at least six documented attacks. The operators also showed sophistication by employing messages in Japanese to expand their scope.

At least three incidents involving this campaign feature Japanese-language invoice themes. The phishing operators sent the emails to Japanese organisations and launched the Purple Fox malware.
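The two lure patterns described above (Chinese-language invoice emails spoofing offices and invoicing companies, and Japanese-language invoice themes sent to Japanese organisations) can be triaged at the mail gateway with simple scoring. The following is an added example, not code from the original post or from the cited report; the sample mail records, the invoice-lure vocabulary, the billing-sender allow-list and the risky-attachment extensions are all constructed assumptions that a team would replace with its own data.

```python
import re

# Constructed sample of mail-gateway records (sender, subject, attachment name).
# These are illustrative only and are not indicators from the campaign.
SAMPLE_MAIL = [
    {"sender": "billing@example-vendor.com",
     "subject": "Invoice 2023-09 attached", "attachment": "invoice_0923.pdf"},
    {"sender": "fapiao@mail-invoice-cn.example",
     "subject": "电子发票 请查收", "attachment": "发票.rar"},
    {"sender": "keiri@billing-jp.example",
     "subject": "請求書送付のご案内", "attachment": "請求書.exe"},
    {"sender": "hr@corp.example",
     "subject": "Team lunch", "attachment": ""},
]

# Assumed invoice-lure vocabulary in English, Simplified Chinese and Japanese.
INVOICE_TERMS = ["invoice", "发票", "请查收", "請求書", "御請求"]

# Assumed allow-list of sender domains the organisation actually receives invoices from.
KNOWN_BILLING_DOMAINS = {"example-vendor.com"}

# Assumed list of attachment extensions that should never arrive as an "invoice".
RISKY_EXT = re.compile(r"\.(exe|scr|rar|zip|7z|iso|lnk|js|vbs|bat)$", re.IGNORECASE)


def score_message(msg):
    """Return the list of reasons a message looks like an invoice-themed lure."""
    reasons = []
    subject = msg["subject"].lower()
    if any(term.lower() in subject for term in INVOICE_TERMS):
        reasons.append("invoice-themed subject")
    domain = msg["sender"].rsplit("@", 1)[-1].lower()
    # An invoice theme from a domain we never receive invoices from is the key signal.
    if reasons and domain not in KNOWN_BILLING_DOMAINS:
        reasons.append("unknown sender domain " + domain)
    if RISKY_EXT.search(msg["attachment"]):
        reasons.append("executable or archive attachment")
    return reasons


def triage(messages, threshold=2):
    """Return messages that accumulate at least `threshold` reasons, with those reasons."""
    flagged = []
    for msg in messages:
        reasons = score_message(msg)
        if len(reasons) >= threshold:
            flagged.append({"sender": msg["sender"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_MAIL):
        print(hit["sender"], "->", "; ".join(hit["reasons"]))
```

The first sample record (an invoice from an allow-listed vendor with a PDF attachment) scores a single reason and is not flagged; the Chinese and Japanese lures each score three. Thresholding on the count, rather than on any one signal, keeps ordinary vendor invoices out of the analyst queue while still catching the pattern the report describes.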

The inclusion of ValleyRAT in this campaign has escalated the situation. It is one of the most dangerous malware strains written in C++. It operates as a remote access trojan and uses raw sockets with a custom protocol to communicate with its C2 server.

Upon launch, it employs the MD5 algorithm to encrypt and send sensitive system information such as the operating system, kernel version, CPU specifications, architecture, and hardware profile.

ValleyRAT and the older malware families alongside it pose a significant threat to organisations. Every security team should therefore prepare for the worst, as these threat actors will likely keep improving the capabilities of their cybercriminal operations.

Organisations should equip themselves with situational and strategic awareness to mitigate these threats effectively. Finally, with the emergence of such campaigns, proactive cybersecurity defence is the key to lessening or preventing these devastating cyberattacks.
