ValleyRAT is a multi-stage malware that leverages advanced evasion techniques to monitor and control compromised devices. It makes heavy use of shellcode to execute its many components directly in memory, resembling shellcode found on GitHub and associated with older malware campaigns that Fortinet detects as W64/Agent.CCF!tr. Once the shellcode executes, the ValleyRAT DLL is reflectively loaded and run on the system; it then sends 登录模块.dll_bin (translated as Login module.dll_bin) to request the ValleyRAT malware. The primary purpose of this component is to request the downloader of the ValleyRAT payload. RemoteShellcode fetches the ValleyRAT downloader from the C2 server, then uses UDP or TCP sockets to connect to the server and receive the final payload.
FortiGuard Labs researchers have uncovered an ongoing ValleyRAT malware campaign that primarily targets Chinese-speaking users. The malware can remotely control compromised systems, load additional plugins, and execute files on the victim's system. Its capabilities are focused on graphically monitoring the user's activities and delivering other plugins, and possibly other malware, to the victim system. This strategic approach indicates a significant threat to enterprise security because of the campaign's targeted attacks and advanced evasion techniques.
Experts attribute the ValleyRAT malware to an Advanced Persistent Threat (APT) group known as "Silver Fox". The group is likely to continue using a mix of older malware and the new ValleyRAT malware, implying an evolving threat landscape. The capabilities implemented by the malware, along with its potential links to APT groups such as Silver Fox, underscore the need for robust cybersecurity measures to mitigate such sophisticated threats.
Description last updated: 2024-10-17T11:56:54.050Z