Bogus Chrome downloads launch a new ValleyRAT malware

February 26, 2025
Tags: Google Chrome, ValleyRAT, Malware, Fake Apps, Phishing

A new version of the sophisticated ValleyRAT malware, notorious for spreading through phishing emails, instant messaging networks, and infected websites, has adopted a new delivery tactic.

Reports indicate that the current version is distributed via a fake website for a Chinese telecom business called “Karlos.” The site drops a number of files, including a .NET executable that checks whether it is running with administrator privileges and then downloads further components, including a DLL file.

The researchers also found that the initial infection vector is a bogus Chrome browser download from anizomcom/, which tricks the user into downloading and running the malware.

In addition, sscronet.dll, which the operators deliberately gave a legitimate-sounding name to avoid suspicion, injects code into the legitimate svchost.exe process. It acts as a monitor and terminates any process on a hard-coded exclusion list so that nothing interferes with the malware's execution.

Next, the malware uses a modified Douyin executable for DLL side-loading together with a legitimate Tier0.dll from Valve games to run code hidden within the nslookup.exe process. This stage extracts and decrypts the core ValleyRAT payload.

The decrypted payload is executed in memory as Donut-generated shellcode, avoiding conventional disk-based detection. In some cases it also attempts to disable security features such as AMSI and ETW.

ValleyRAT is a conventional remote access trojan with a broad set of capabilities.

ValleyRAT is a C++-based remote access trojan that performs standard trojan functions, such as accessing the WinSta0 window station for screen, keyboard, and mouse interaction, and monitoring the victim's screen.

Furthermore, it includes strong anti-VMware checks to evade detection in virtualised environments, and it communicates with its C2 server using IP addresses and ports that are set in its code at installation.

If the malware does not detect that it is running inside a VM, it attempts to connect to baidu.com as a network connectivity check.
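As an added illustration (not code from this article or from the researchers it cites), the following Python script turns the execution-chain details above into a small hunt: tier0.dll side-loaded from outside a Steam install, sscronet.dll appearing in svchost.exe, and nslookup.exe making TCP connections (for example the baidu.com connectivity check or a hard-coded C2 address) rather than plain DNS. The events are constructed to resemble Sysmon ImageLoad (event 7) and NetworkConnect (event 3) records; every field name, path, hostname and IP address in them is an assumption for illustration, and the Steam-directory allowlist is likewise assumed.

```python
"""Hunt for ValleyRAT-style chain indicators in constructed endpoint telemetry.

Added example; not the article's or the researchers' code. Event layout,
paths, hosts and IPs are assumptions made up for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# tier0.dll is a legitimate Valve DLL abused for side-loading, so it is only
# suspicious when it is loaded from outside a Steam install (assumed allowlist).
SIDELOAD_DLLS = {"tier0.dll": ("\\steam\\", "\\steamapps\\")}
# sscronet.dll is the operators' legitimate-sounding name for their monitor DLL.
MALICIOUS_DLLS = {"sscronet.dll"}


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_image_load(ev: dict) -> Optional[Finding]:
    """Flag known-bad DLL names and side-loaded copies of hijack-prone DLLs."""
    dll = _basename(ev["ImageLoaded"])
    loader = _basename(ev["Image"])
    if dll in MALICIOUS_DLLS:
        return Finding("known-bad-dll", ev["Image"], f"{dll} loaded into {loader}")
    if dll in SIDELOAD_DLLS:
        loaded_dir = ev["ImageLoaded"].lower()
        if not any(ok in loaded_dir for ok in SIDELOAD_DLLS[dll]):
            return Finding("dll-sideload", ev["Image"],
                           f"{dll} loaded from {ev['ImageLoaded']} by {loader}")
    return None


def check_network(ev: dict) -> Optional[Finding]:
    """nslookup.exe should only talk DNS; TCP to a web port is a sign of injected code."""
    if _basename(ev["Image"]) != "nslookup.exe":
        return None
    port = int(ev["DestinationPort"])
    if ev["Protocol"].lower() == "tcp" and port != 53:
        host = ev.get("DestinationHostname", "")
        return Finding("nslookup-nondns", ev["Image"],
                       f"tcp to {ev['DestinationIp']}:{port} host={host!r}")
    return None


def hunt(events: Iterable[dict]) -> List[Finding]:
    """Run every event through the rule matching its event type."""
    findings: List[Finding] = []
    for ev in events:
        if ev["EventID"] == 7:
            f = check_image_load(ev)
        elif ev["EventID"] == 3:
            f = check_network(ev)
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real captures): one benign and one
# suspicious case for each rule, using RFC 5737 documentation IP ranges.
STEAM = "C:\\Program Files (x86)\\Steam\\steamapps\\common\\Half-Life\\"
DROP = "C:\\Users\\victim\\Downloads\\ChromeSetup\\"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": STEAM + "hl.exe", "ImageLoaded": STEAM + "tier0.dll"},
    {"EventID": 7, "Image": DROP + "Douyin.exe", "ImageLoaded": DROP + "tier0.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\sscronet.dll"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\nslookup.exe", "Protocol": "udp",
     "DestinationIp": "192.0.2.53", "DestinationPort": 53},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\nslookup.exe", "Protocol": "tcp",
     "DestinationIp": "198.51.100.20", "DestinationPort": 80,
     "DestinationHostname": "www.baidu.com"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\nslookup.exe", "Protocol": "tcp",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

Run as-is, the script reports four findings (the side-loaded tier0.dll, sscronet.dll in svchost.exe, and two non-DNS connections from nslookup.exe) and stays silent on the legitimate Steam load and the plain UDP DNS query. On real telemetry the `SIDELOAD_DLLS` allowlist should be tuned to where Valve software actually lives in your environment; the nslookup rule needs no tuning because nslookup has no business speaking TCP to a web port.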

The operators' evolving strategies and evasion techniques illustrate the growing sophistication of new attacks. Organisations should therefore maintain an effective security plan that includes stricter endpoint protection, staff training, and continuous monitoring to mitigate such threats.
