
ValleyRAT Malware Linked to China Returns with Sophisticated Data Theft Techniques

Cybersecurity researchers have discovered an updated version of malware known as ValleyRAT that is part of a new campaign.

In the latest release, ValleyRAT has introduced new features such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs, according to Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati.

ValleyRAT was previously reported by QiAnXin and Proofpoint in 2023 in connection with a phishing campaign that targeted Chinese-speaking users and Japanese organizations. This campaign distributed various malware families like Purple Fox and a version of the Gh0st RAT trojan known as Sainbox RAT (also called FatalRAT).



This malware is believed to be the work of a threat actor based in China, with the ability to gather sensitive information and install additional payloads on compromised hosts.

The infection begins with a downloader that uses an HTTP File Server (HFS) to retrieve a file named “NTUSER.DXM,” which is decoded to extract a DLL file that downloads “client.exe” from the same server.

The decrypted DLL is also programmed to identify and stop anti-malware solutions from Qihoo 360 and WinRAR to avoid detection. After that, the downloader retrieves three more files – “WINWORD2013.EXE,” “wwlib.dll,” and “xig.ppt” – from the HFS server.

Subsequently, the malware executes “WINWORD2013.EXE,” a genuine executable linked to Microsoft Word, to load “wwlib.dll” and establish persistence on the system, before launching “xig.ppt” in memory.

“The decrypted ‘xig.ppt’ continues the execution process by decrypting and injecting shellcode into svchost.exe,” explained the researchers. “The malware creates svchost.exe as a suspended process, allocates memory within the process, and writes shellcode there.”

The shellcode includes necessary settings to communicate with a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file.

“ValleyRAT employs a complex multi-stage method to infect a system with the final payload, which carries out most of the malicious activities,” the researchers noted. “This staged method, along with DLL side-loading, is likely intended to evade host-based security solutions like EDRs and anti-virus applications.”
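Two of the behaviours in the chain described above are detectable from endpoint telemetry: a Word binary loading wwlib.dll from outside the Office install directory (the side-loading step) and svchost.exe being created by something other than services.exe (the injection step). The following is an added example, not code from the article or from Zscaler; the event fields and the sample telemetry are constructed assumptions shaped loosely after Sysmon image-load and process-create events.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed Sysmon-like event shape; field names are assumptions.
OFFICE_DIRS = (r"c:\program files\microsoft office",
               r"c:\program files (x86)\microsoft office")
SERVICES = r"c:\windows\system32\services.exe"

@dataclass
class Event:
    kind: str          # "image_load" or "process_create"
    image: str         # full path of the process image
    loaded: str = ""   # image_load: full path of the loaded DLL
    parent: str = ""   # process_create: full path of the parent image

def is_wwlib_sideload(ev: Event) -> bool:
    """wwlib.dll is Word's core DLL; a copy loaded from outside the Office
    install directory is the side-loading pattern in the chain above."""
    dll = ev.loaded.lower()
    return (ev.kind == "image_load" and dll.endswith(r"\wwlib.dll")
            and not dll.startswith(OFFICE_DIRS))

def is_odd_svchost(ev: Event) -> bool:
    """svchost.exe is normally a child of services.exe; another parent is
    worth a look, since the injection stage above creates it suspended."""
    return (ev.kind == "process_create"
            and ev.image.lower().endswith(r"\svchost.exe")
            and ev.parent.lower() != SERVICES)

def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs for every event a heuristic fires on."""
    hits = []
    for ev in events:
        if is_wwlib_sideload(ev):
            hits.append(("wwlib_sideload", ev.image))
        if is_odd_svchost(ev):
            hits.append(("odd_svchost_parent", ev.image))
    return hits

# Constructed telemetry: benign Word start, side-load from a user-writable
# folder, svchost from services.exe, svchost spawned by the side-loaded Word.
SAMPLE = [
    Event("image_load", r"c:\program files\microsoft office\root\office16\winword.exe",
          loaded=r"c:\program files\microsoft office\root\office16\wwlib.dll"),
    Event("image_load", r"c:\users\public\winword2013.exe",
          loaded=r"c:\users\public\wwlib.dll"),
    Event("process_create", r"c:\windows\system32\svchost.exe", parent=SERVICES),
    Event("process_create", r"c:\windows\system32\svchost.exe",
          parent=r"c:\users\public\winword2013.exe"),
]
```

Running `scan(SAMPLE)` flags only the second and fourth events; the benign Word start and the services.exe-parented svchost.exe pass.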



Meanwhile, Fortinet FortiGuard Labs has found a phishing campaign targeting Spanish-speaking individuals with an updated version of a keylogger and information stealer called Agent Tesla.

The attack makes use of Microsoft Excel Add-Ins (XLA) attachments that exploit known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to execute JavaScript code loading a PowerShell script, which triggers a loader to fetch Agent Tesla from a remote server.

“This variant gathers credentials and email contacts from the victim’s device, as well as basic information about the victim’s device and the software from which the data is collected,” said security researcher Xiaopeng Zhang. “Agent Tesla can also collect email contacts if Thunderbird is used as the email client.”
