The Bogus website advertises Google Chrome is used to distribute malicious installers for remote access trojans called Valleyrat.
The malware first detected in 2023 is attributed to threat actors tracked as Silver Fox and is primarily targeted at Chinese-speaking regions such as Hong Kong, Taiwan and mainland China.
“The actor is increasingly targeting key roles within the organization, particularly in the finance, accounting and sales sectors. He has a strategic focus on high value locations with access to sensitive data and systems. We are emphasizing that.” Week.
Early attack chains have been observed to provide valley rats along with other malware families such as purple foxes and GH0st rats, the latter being widely used in various Chinese hacking groups.
Like last month, the legitimate software counterfeit installer served as a distribution mechanism for Trojans using a DLL loader named PngPlug.
It is worth noting that a drive-by download scheme targeting Chinese-speaking Windows users was previously used to deploy GH0st rats using the malicious installer package of the Chrome web browser.
In a similar way, the latest attack sequence related to ValleyRat involves using fake Google Chrome websites to trick the target into downloading a ZIP archive containing the executable file (“setup.exe”) ).
The binary checks if there is administrator privileges at runtime and downloads four additional payloads containing legal executables related to Douyin (“Douyin.exe”), the Chinese version of Tiktok. Masu. “tier0.dll”), launch ValleyRat malware.
It also retrieves another dll file (“sscronet.dll”). This is responsible for terminating any running processes that exist in the exclusion list.
Edited in Chinese and written in C++, Valleyrat is a Trojan horse designed to monitor screen content, log keystrokes and establish host persistence. You can also start communicating with a remote server, enumerating the processes and waiting for further instructions to allow you to download and run any DLLs, binaries, etc.
“Because of payload injection, the attacker abused a legitimately signed executable that was vulnerable to DLL search order hijacking,” Uzan said.
The development was due to the fact that Sophos avoided detection using Scalable Vector Graphics (SVG) attachments and shared details of a phishing attack that provides car-based keystroke loger malware such as Nymeria and Direct users to the qualification harvest page. is.
Source link
