China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics

Cybersecurity researchers have uncovered an updated version of malware called ValleyRAT that’s being distributed as part of a new campaign.

“In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs,” Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati said.

ValleyRAT was previously documented by QiAnXin and Proofpoint in 2023 in connection with a phishing campaign targeting Chinese-speaking users and Japanese organizations that distributed various malware families such as Purple Fox and a variant of the Gh0st RAT trojan known as Sainbox RAT (aka FatalRAT).

The malware has been assessed to be the work of a China-based threat actor, boasting of capabilities to harvest sensitive information and drop additional payloads onto compromised hosts.

The starting point is a downloader that utilizes an HTTP File Server (HFS) to fetch a file named “NTUSER.DXM” that’s decoded to extract a DLL file responsible for downloading “client.exe” from the same server.

The decrypted DLL is also designed to detect and terminate anti-malware solutions from Qihoo 360 and WinRAR in an effort to evade analysis, after which the downloader proceeds to retrieve three more files – “WINWORD2013.EXE,” “wwlib.dll,” and “xig.ppt” – from the HFS server.

Next, the malware launches “WINWORD2013.EXE,” a legitimate executable associated with Microsoft Word, using it to sideload “wwlib.dll” that, in turn, establishes persistence on the system and loads “xig.ppt” into memory.

“From here, the decrypted ‘xig.ppt’ continues the execution process as a mechanism to decrypt and inject shellcode into svchost.exe,” the researchers said. “The malware creates svchost.exe as a suspended process, allocates memory within the process, and writes shellcode there.”

The shellcode, for its part, contains necessary configuration to contact a command-and-control (C2) server and download the ValleyRAT payload in the form of a DLL file.

“ValleyRAT utilizes a convoluted multi-stage process to infect a system with the final payload that performs the majority of the malicious operations,” the researchers said. “This staged approach combined with DLL side-loading are likely designed to better evade host-based security solutions such as EDRs and anti-virus applications.”

The development comes as the Fortinet FortiGuard Labs uncovered a phishing campaign that targets Spanish-speaking people with an updated version of a keylogger and information stealer called Agent Tesla.

The attack chain takes advantage of Microsoft Excel Add-Ins (XLA) file attachments that exploit known security flaws (CVE-2017-0199 and CVE-2017-11882) to trigger the execution of JavaScript code that loads a PowerShell script, which is engineered to launch a loader in order to retrieve Agent Tesla from a remote server.

“This variant collects credentials and email contacts from the victim’s device, the software from which it collects the data, and the basic information of the victim’s device,” security researcher Xiaopeng Zhang said. “Agent Tesla can also collect the victim’s email contacts if they use Thunderbird as their email client.”