Cybersecurity researchers are calling consideration to a sequence of cyber assaults which have focused Chinese language-speaking areas like Hong Kong, Taiwan, and Mainland China with a recognized malware known as ValleyRAT.
The assaults leverage a multi-stage loader dubbed PNGPlug to ship the ValleyRAT payload, Intezer stated in a technical report printed final week.
The an infection chain commences with a phishing web page that is designed to encourage victims to obtain a malicious Microsoft Installer (MSI) bundle disguised as professional software program.
As soon as executed, the installer deploys a benign software to keep away from arousing suspicion, whereas additionally stealthily extracting an encrypted archive containing the malware payload.
“The MSI bundle makes use of the Home windows Installer’s CustomAction function, enabling it to execute malicious code, together with working an embedded malicious DLL that decrypts the archive (all.zip) utilizing a hardcoded password ‘hello202411’ to extract the core malware elements,” safety researcher Nicole Fishbein stated.
These embrace a rogue DLL (“libcef.dll”), a professional software (“down.exe”) that is used as a canopy to hide the malicious actions, and two payload information masquerading as PNG photographs (“aut.png” and “view.png”).
The primary goal of the DLL loader, PNGPlug, is to arrange the setting for executing the primary malware by injecting “aut.png” and “view.png” into reminiscence with a view to arrange persistence by making Home windows Registry adjustments and executing ValleyRAT, respectively.
ValleyRAT, detected within the wild since 2023, is a distant entry trojan (RAT) that is able to offering attackers with unauthorized entry and management over contaminated machines. Current variations of the malware have included options to seize screenshots and clear Home windows occasion logs.
It is assessed to be linked to a risk group known as Silver Fox, which additionally shares tactical overlaps with one other exercise cluster named Void Arachne owing to the usage of a command-and-control (C&C) framework known as Winos 4.0.
The marketing campaign is exclusive for its give attention to the Chinese language-speaking demographic and the usage of software-related lures to activate the assault chain.
“Equally putting is the attackers’ subtle use of professional software program as a supply mechanism for malware, seamlessly mixing malicious actions with seemingly benign functions,” Fishbein stated.
“The adaptability of the PNGPlug loader additional elevates the risk, as its modular design permits it to be tailor-made for a number of campaigns.”
