Valleyrat

Malware updated a year ago (2024-11-29T14:23:34.295Z)

Download STIX

Preview STIX

ValleyRAT is a multi-stage malware that leverages advanced evasion techniques to monitor and control compromised devices. It utilizes heavy usage of shellcode to execute its many components directly in memory, resembling a shellcode found on GitHub and associated with older malware campaigns detected as W64/Agent.CCF!tr by Fortinet. Upon execution of the shellcode, the ValleyRAT DLL is reflectively loaded and executed in the system, followed by sending 登录模块.dll_bin (translated as Login module.dll_bin) to request the ValleyRAT malware. The primary purpose of this component is to request the downloader of the ValleyRAT payload. RemoteShellcode fetches the ValleyRAT downloader from the C2 server, then uses UDP or TCP sockets to connect to the server and receive the final payload. FortiGuard Labs researchers have uncovered an ongoing ValleyRAT malware campaign that is primarily targeting Chinese-speaking users. The malware has the ability to remotely control compromised systems, load additional plugins, and execute files on the victim's system. Its capabilities are focused on graphically monitoring the user’s activities and delivering other plugins and possibly other malware to the victim system. This strategic approach indicates a significant threat to enterprise security due to its targeted attacks and advanced evasion techniques. Experts attribute the ValleyRAT malware to an Advanced Persistent Threat (APT) group known as “Silver Fox”. The group is likely to continue using a mix of both older malware and the new ValleyRAT malware, implying an evolving threat landscape. The capabilities implemented by the malware, along with its potential links to APT groups like Silver Fox, underscore the need for robust cybersecurity measures to mitigate such sophisticated threats.

Description last updated: 2024-10-17T11:56:54.050Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Payload

Apt

Trojan

Phishing

Chinese

Fortiguard

Rat

Downloader

Shellcode

Windows

Tool

Ddos

Loader

Backdoor

Cybercrime

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Sainbox Malware is associated with Valleyrat. Sainbox, also known as FatalRAT, is a variant of the Gh0st RAT trojan malware that has been increasingly deployed in cybercrime activities, particularly those associated with suspected Chinese cybercrime operations. Proofpoint researchers have observed over 30 separate campaigns leveraging this malw	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The threatActor Silver Fox is associated with Valleyrat.	Unspecified	2

Source Document References

Information about the Valleyrat Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	2 days ago	15th December – Threat Intelligence Report - Check Point Research
Checkpoint	7 days ago	Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits - Check Point Research
Securityaffairs	2 months ago	Winos 4.0 hackers expand to Japan and Malaysia with new malware
InfoSecurity-magazine	4 months ago	Silver Fox Exploits Signed Drivers to Deploy ValleyRAT Backdoor
Checkpoint	4 months ago	1st September – Threat Intelligence Report - Check Point Research
Checkpoint	4 months ago	Chasing the Silver Fox: Cat & Mouse in Kernel Shadows - Check Point Research
Recorded Future	7 months ago	Rate My Rizz: Elevating Cyber Resilience Beyond Compliance
InfoSecurity-magazine	10 months ago	Chinese-Backed Silver Fox Plants Backdoors in Healthcare Networks
Unit42	10 months ago	CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia
Securityaffairs	a year ago	Security Affairs newsletter Round 485 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	a year ago	ValleyRAT malware is targeting Chinese-speaking users
InfoSecurity-magazine	a year ago	Advanced ValleyRAT Campaign Hits Windows Users in China
Fortinet	a year ago	A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers \| FortiGuard Labs
CERT-EU	2 years ago	Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT
CERT-EU	2 years ago	Cyber Security Week in Review: September 22, 2023
CERT-EU	2 years ago	Malware-spreading phishing attacks target Chinese users
BankInfoSecurity	2 years ago	Financially Motivated Hacks by Chinese-Speaking Actors Surge
CERT-EU	2 years ago	Report: Increase in Chinese-Language Malware Could 'Challenge' Russian Dominance of Cybercrime
CERT-EU	2 years ago	New Spike in Malware from Chinese Cybercriminals Floods the Threat Landscape – Proofpoint Research – Global Security Mag Online
CERT-EU	2 years ago	A Wave of Chinese Cyberthreat Campaigns Use Old and New Malware