Cybersecurity researchers are calling consideration to a collection of cyber assaults which have focused Chinese language-speaking areas like Hong Kong, Taiwan, and Mainland China with a recognized malware known as ValleyRAT.
The assaults leverage a multi-stage loader dubbed PNGPlug to ship the ValleyRAT payload, Intezer mentioned in a technical report printed final week.
The an infection chain commences with a phishing web page that is designed to encourage victims to obtain a malicious Microsoft Installer (MSI) package deal disguised as authentic software program.
As soon as executed, the installer deploys a benign software to keep away from arousing suspicion, whereas additionally stealthily extracting an encrypted archive containing the malware payload.
“The MSI package deal makes use of the Home windows Installer’s CustomAction characteristic, enabling it to execute malicious code, together with working an embedded malicious DLL that decrypts the archive (all.zip) utilizing a hardcoded password ‘hello202411’ to extract the core malware elements,” safety researcher Nicole Fishbein mentioned.
These embody a rogue DLL (“libcef.dll”), a authentic software (“down.exe”) that is used as a canopy to hide the malicious actions, and two payload information masquerading as PNG photos (“aut.png” and “view.png”).
The primary goal of the DLL loader, PNGPlug, is to organize the atmosphere for executing the primary malware by injecting “aut.png” and “view.png” into reminiscence so as to arrange persistence by making Home windows Registry modifications and executing ValleyRAT, respectively.
ValleyRAT, detected within the wild since 2023, is a distant entry trojan (RAT) that is able to offering attackers with unauthorized entry and management over contaminated machines. Latest variations of the malware have included options to seize screenshots and clear Home windows occasion logs.
It is assessed to be linked to a risk group known as Silver Fox, which additionally shares tactical overlaps with one other exercise cluster named Void Arachne owing to the usage of a command-and-control (C&C) framework known as Winos 4.0.
The marketing campaign is exclusive for its give attention to the Chinese language-speaking demographic and the usage of software-related lures to activate the assault chain.
“Equally placing is the attackers’ subtle use of authentic software program as a supply mechanism for malware, seamlessly mixing malicious actions with seemingly benign purposes,” Fishbein mentioned.
“The adaptability of the PNGPlug loader additional elevates the risk, as its modular design permits it to be tailor-made for a number of campaigns.”