New ValleyRAT Malware Variant Spreading via Fake Chrome Downloads

Summary:
Cybersecurity researchers at Morphisec Threat Labs have investigated a series of indicators of attacks in a campaign that deploys a new version of ValleyRAT malware. Attacks utilizing this malware are frequently attributed to Silver Fox APT. The notable targets of this campaign are high-value individuals within organizations, often in finance, accounting, or sales with the objective of harvesting sensitive data. In the past, ValleyRAT versions have utilized PowerShell scripts masquerading as legitimate software installers. For these campaigns, they often employed DLL hijacking to inject the payload into signed executable files or directly into memory. ValleyRAT is a C++-based remote access trojan with basic RAT functionalities such as accessing the WinSta0 window station for keylogging and monitoring the victim’s screen. It employs anti-VMware checks and executes the malware in memory to evade detection. The payload also attempts to disable AMSI and ETW. The threat actor used the same URL in both the newer and older versions of ValleyRAT.

The infection chain for this newly uncovered ValleyRAT campaign begins when the user downloads a fake Chrome browser from https[:]//anizom[.]com. The phishing website examples analyzed by Morphisec researchers are written in Traditional Chinese, potentially indicating the adversary is targeting Chinese-speaking countries within the APAC region. An additional phishing site was used that purported to be a page for a Chinese SMS provider. The user then downloads the Setup.zip file from the phishing page and executes it. The executable checks whether it has administrator privileges and uses ‘runas’ to acquire them if it does not. It then downloads four additional files, loads one of the DLLs into memory using LoadLibrary, and runs one of the executables. The malware utilizes a modified version of the Douyin (Chinese TikTok) executable for DLL side-loading. A legitimate DLL is then utilized to execute hidden code in a different process, which retrieves and decrypts the ValleyRAT payload. The decrypted payload uses Donut shellcode to execute the malware in memory.
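The side-loading stage above has a shape defenders can hunt for: an executable running from a user-writable directory loads a DLL from that same directory, and the DLL is unsigned. The following is an added example (not code from the Morphisec report or the hackread article) that applies that heuristic to Sysmon Event ID 7 ("Image loaded") records. The field names are Sysmon's; the flattened "Key=Value|Key=Value" line format, the directory prefixes treated as user-writable, and every file name and path in the sample records are constructed for this example and are not indicators from the campaign.

```python
# Added example (not the report's or the malware's code): hunt Sysmon
# Event ID 7 ("Image loaded") records for DLL side-loading candidates.
# Heuristic: the DLL sits beside the executable in a user-writable
# directory and is unsigned or carries a non-valid signature.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories an unprivileged user can write to (assumed list; compared
# case-insensitively against the start of the DLL path).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


@dataclass
class ImageLoad:
    image: str             # Sysmon 'Image': the process executable
    image_loaded: str      # Sysmon 'ImageLoaded': the DLL that was mapped
    signed: bool           # Sysmon 'Signed' for the DLL
    signature_status: str  # Sysmon 'SignatureStatus' for the DLL


def parse_event(line: str) -> ImageLoad:
    """Parse one flattened Event 7 record (constructed 'Key=Value|...' format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature_status=fields.get("SignatureStatus", "Unavailable"),
    )


def in_user_writable(path: str) -> bool:
    """True when the path starts with one of the assumed user-writable prefixes."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Same directory as the executable, user-writable, and weakly signed."""
    exe_dir = str(PureWindowsPath(ev.image).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image_loaded).parent).lower()
    weak_signature = (not ev.signed) or ev.signature_status.lower() != "valid"
    return exe_dir == dll_dir and in_user_writable(ev.image_loaded) and weak_signature


def hunt(lines):
    """Return the ImageLoad records matching the side-loading heuristic."""
    return [ev for ev in map(parse_event, lines) if is_sideload_candidate(ev)]


# Constructed sample records (hypothetical names, not campaign indicators):
# a system DLL load, a per-user installed application loading its own
# signed DLL, and an executable under Downloads loading an unsigned DLL
# from the same folder.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\alice\\AppData\\Local\\Programs\\NoteApp\\noteapp.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Programs\\NoteApp\\render.dll|Signed=true|SignatureStatus=Valid",
    "Image=C:\\Users\\alice\\Downloads\\Setup\\video_app.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\Setup\\helper.dll|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"side-load candidate: {ev.image} -> {ev.image_loaded}")
```

Treat hits as triage leads rather than verdicts: per-user installers legitimately load their own DLLs from under the profile, which is why the signed sample record is not flagged, and the report notes that one stage of this chain abuses a legitimate DLL, which a signature-based condition alone will not catch. Pairing the location condition with the hashes and URLs published in the linked reports narrows the results.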

Security Officer Comments:
The resurgence of ValleyRAT, particularly with its updated evasion techniques and focus on high-value targets in finance, accounting, and sales, consistent with their past modus operandi, warrants heightened vigilance. The Silver Fox APT's suspected involvement, coupled with the use of Traditional Chinese phishing lures, suggests a targeted campaign likely aimed at the APAC region. The malware's reliance on DLL side-loading, legitimate executables laced with malicious code (like Douyin), and Donut shellcode for in-memory execution demonstrates a clear intent to bypass traditional security measures. Organizations in potentially affected sectors should prioritize user education on phishing awareness, implement robust endpoint detection and response solutions capable of identifying and blocking these tactics, and proactively hunt for indicators of compromise related to ValleyRAT and Silver Fox APT activity. Further analysis of the malware's persistence mechanisms and full payload capabilities is critical to developing effective countermeasures. Multiple ValleyRAT campaigns have been documented since mid-2024, with several analyses published in 2025, indicating a surge in Silver Fox APT activity.

Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://hackread.com/valleyrat-malware-variant-fake-chrome-downloads/

https://www.morphisec.com/blog/rat-race-valleyrat-malware-china/