Cybersecurity researchers are raising alarms over a series of sophisticated cyberattacks targeting Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China. These attacks utilize a known malware strain called ValleyRAT, deployed through a multi-stage loader dubbed PNGPlug, according to a technical report published by Intezer last week.
Infection Chain Overview
The attack begins with a phishing page designed to trick victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software. Once executed, the installer not only deploys a benign application to avoid suspicion but also stealthily extracts an encrypted archive containing the malware payload.
“The MSI package uses the Windows Installer's CustomAction feature, enabling it to execute malicious code,” explained Nicole Fishbein, a security researcher at Intezer. “This includes running an embedded malicious DLL that decrypts the archive (all.zip) using a hardcoded password, 'hello202411,' to extract the core malware components.”
Components of the Malware
Key elements extracted from the MSI package include:
- A rogue DLL: “libcef.dll,” which acts as part of the loader mechanism.
- A legitimate application: “down.exe,” which serves as a cover for malicious activities.
- Two payload files: masquerading as PNG images, “aut.png” and “view.png” are crucial to the malware’s operation.
The PNGPlug loader prepares the environment by injecting “aut.png” and “view.png” into memory, setting up persistence through Windows Registry modifications, and ultimately executing ValleyRAT.
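The payload files above carry a .png extension but are not images, so one cheap triage check is to verify PNG structure rather than trust the name. The following Python is an added example, not code from the Intezer report or from the campaign; it walks the chunk list (signature, IHDR first, a CRC32 on every chunk, IEND present) so that a renamed blob, or one with only the 8-byte header prepended, is flagged. All sample bytes are constructed here; the file names reuse the ones in the article.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def validate_png(data: bytes) -> tuple[bool, str]:
    """Walk the chunk list: signature, IHDR first, every CRC correct, IEND present."""
    if not data.startswith(PNG_SIGNATURE):
        return False, "missing PNG signature"
    pos, first = len(PNG_SIGNATURE), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        if first and ctype != b"IHDR":
            return False, f"first chunk is {name!r}, not IHDR"
        first = False
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return False, f"truncated {name} chunk"
        stored_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF != stored_crc:
            return False, f"CRC mismatch on {name} chunk"
        if ctype == b"IEND":
            return True, "well-formed PNG"
        pos = body_end + 4
    return False, "no IEND chunk"

def triage(files: dict[str, bytes]) -> list[str]:
    """Return the names of *.png files whose content is not a well-formed PNG."""
    return [n for n, d in files.items()
            if n.lower().endswith(".png") and not validate_png(d)[0]]

# Constructed samples: a genuine 1x1 grayscale PNG and two impostors.
REAL_PNG = (PNG_SIGNATURE
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
FAKE_NO_SIG = b"MZ\x90\x00" + b"\x00" * 60                        # not a PNG at all
FAKE_SIG_ONLY = PNG_SIGNATURE + b"\x00\x00\x00\x10payload-bytes..."  # header prepended only

SAMPLES = {"real.png": REAL_PNG, "aut.png": FAKE_NO_SIG, "view.png": FAKE_SIG_ONLY}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        print(name, "->", validate_png(SAMPLES[name])[1])
```

Run it over a dropped-file directory instead of SAMPLES to surface payloads that only borrow the PNG extension; a full image decoder is not required for this check.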
ValleyRAT Capabilities
ValleyRAT, active since 2023, is a remote access trojan (RAT) designed to provide attackers with unauthorized access and control over infected systems. Recent enhancements to the malware have added capabilities such as:
- Capturing screenshots.
- Clearing Windows event logs to evade detection.
Attribution to Threat Actors
The campaign is attributed to a threat group known as Silver Fox, which shares operational overlaps with another cluster called Void Arachne. Both groups are linked through their use of a command-and-control (C&C) framework named Winos 4.0.
Notable Attack Characteristics
Several factors make this campaign particularly concerning:
- Target Demographic: The attacks focus specifically on Chinese-speaking regions, leveraging software-related lures to activate the infection chain.
- Sophisticated Delivery Mechanisms: The attackers’ use of legitimate software as a delivery vehicle for malware ensures seamless blending of malicious and benign activities.
- Adaptability of PNGPlug: The modular design of the PNGPlug loader allows it to be customized for different campaigns, increasing its threat level.
Expert Insights
“Equally striking is the attackers' sophisticated use of legitimate software as a delivery mechanism for malware, seamlessly blending malicious activities with seemingly benign applications,” Fishbein noted. “The adaptability of the PNGPlug loader further elevates the threat, as its modular design allows it to be tailored for multiple campaigns.”
Conclusion
This ongoing campaign highlights the increasing sophistication of cyberattacks targeting specific demographics. Organizations and individuals in Chinese-speaking regions are urged to remain vigilant against phishing attempts and ensure robust security measures to mitigate the risk of malware infections. The ValleyRAT campaign serves as a stark reminder of the evolving tactics employed by threat actors and the critical need for proactive cybersecurity defenses.