ValleyRAT malware is targeting Chinese-speaking users

Pierluigi Paganini August 17, 2024

FortiGuard Labs researchers uncovered an ongoing ValleyRAT malware campaign that is targeting Chinese-speaking users.

ValleyRAT is a multi-stage malware that supports multiple techniques to monitor and control compromised devices. The malicious code is also used to deploy arbitrary plugins on the infected systems. A noteworthy characteristic of ValleyRAT malware is the heavy usage of shellcode to execute its many components directly in memory.


In the first stage of the attack chain, the malware disguises itself using icons of legitimate applications like Microsoft Office and uses filenames related to financial documents to lure users, such as “Industrial and Commercial Annual Report Master.exe” and “View Details.exe.” It also creates an empty file named “dome.doc” and attempts to open it with the default application for Microsoft Word documents to make the deception more convincing. If no default application is set, it displays an error message.

When executed, the malware creates a mutex named “TEST” to ensure only one instance runs on the system. It then deletes specific registry entries potentially left by previous installations of the malware and stores the IP address and port of its C2 server in the registry entry HKEY_CURRENT_USER\Software\Console\IpDateInfo.

The malicious code checks if it’s running in a virtual machine by enumerating all services and looking for VM-related strings like “VMWARE Tools,” “VMWare 共享,” “Virtual Machine,” and “VirtualBox Guest” in service display names. If it detects any of these, it displays a blank error message box and halts its execution.

“Before the shellcode is executed to load the next stage, this malware uses a known technique called sleep obfuscation to evade memory scanners. This involves adding a callback functionality to Sleep or similar APIs that modify the permissions of the allocated memory where the malicious code resides to values not commonly deemed suspicious by scanners.” reads the analysis published by Fortinet. “Furthermore, during this process, the malicious shellcode is encoded with a simple XOR operation to evade pattern-based signatures.”

ValleyRAT executes its components directly in memory using shellcode blocks, similar to shellcode found on GitHub and associated with older malware campaigns detected as W64/Agent.CCF!tr by Fortinet. Once initialized, the malware decrypts the shellcode using AES-256 with a key derived from a hardcoded value and further processes it with XOR to reveal the final shellcode. It then obfuscates its execution with a sleep routine and executes the shellcode through the EnumSystemLocalesA API. The shellcode employs the BKDR hashing algorithm to obfuscate API names and searches for the target APIs by traversing the Process Environment Block (PEB). It then reflectively loads an embedded DLL, adjusting its base and resolving imports before executing its entry point, typically a beaconing module.
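Because the shellcode stores BKDR hashes of the API names it needs rather than the names themselves, an analyst who extracts those 32-bit constants has to hash a wordlist of candidate exports with the same algorithm to recover the names. The following is an added example of that analysis step; it is not Fortinet's or the author's code. The seed value 131, the other seeds tried, and the candidate export list are assumptions: the article does not state which BKDR parameters the sample uses, so they would have to be confirmed against the sample.

```python
"""Added example: resolving BKDR-style API-name hashes recovered from shellcode.

The BKDR hash is h = h * seed + byte over the string, truncated to 32 bits.
Seed 131 is the classic choice and is an ASSUMPTION here; the article does not
state the seed or case handling used by the sample, so guess_seed() tries a few
common seeds and picks the one that resolves the most constants.
"""
from typing import Dict, Iterable, List, Optional, Sequence

MASK32 = 0xFFFFFFFF
COMMON_SEEDS: Sequence[int] = (31, 131, 1313, 13131, 131313)  # assumption: typical BKDR seeds


def bkdr_hash(name: str, seed: int = 131) -> int:
    """BKDR string hash of an ASCII export name, as an unsigned 32-bit value."""
    h = 0
    for b in name.encode("ascii"):
        h = (h * seed + b) & MASK32
    return h


def build_lookup(candidates: Iterable[str], seed: int = 131) -> Dict[int, str]:
    """Hash every candidate export once so constants can be resolved by dict lookup."""
    return {bkdr_hash(n, seed): n for n in candidates}


def resolve_hashes(hashes: Iterable[int], candidates: Iterable[str],
                   seed: int = 131) -> Dict[int, Optional[str]]:
    """Map each recovered constant to an export name, or None if the wordlist lacks it."""
    table = build_lookup(candidates, seed)
    return {h: table.get(h) for h in hashes}


def guess_seed(hashes: List[int], candidates: Iterable[str],
               seeds: Sequence[int] = COMMON_SEEDS) -> int:
    """Return the seed that resolves the most constants (first seed wins ties)."""
    candidates = list(candidates)
    best_seed, best_hits = seeds[0], -1
    for s in seeds:
        hits = sum(1 for v in resolve_hashes(hashes, candidates, s).values() if v)
        if hits > best_hits:
            best_seed, best_hits = s, hits
    return best_seed


# Constructed wordlist: exports a PEB-walking loader typically needs, plus the
# EnumSystemLocalesA entry point the article names. Extend with a full export
# list of kernel32/ntdll when working on a real sample.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "Sleep", "EnumSystemLocalesA", "CreateThread", "ExitProcess",
]

if __name__ == "__main__":
    # Constructed "recovered constants": three hashed with seed 1313, one unknown.
    recovered = [bkdr_hash(n, 1313) for n in ("VirtualProtect", "Sleep", "EnumSystemLocalesA")]
    recovered.append(0xDEADBEEF)
    seed = guess_seed(recovered, CANDIDATE_EXPORTS)
    print(f"best seed: {seed}")
    for h, name in resolve_hashes(recovered, CANDIDATE_EXPORTS, seed).items():
        print(f"0x{h:08x} -> {name or '<unresolved: extend wordlist or check seed>'}")
```

An unresolved constant usually means either the wordlist is incomplete or the sample uses a different seed, a different character width, or hashes lower-cased names; the seed search above covers only the first of those.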

The beaconing module contacts a C2 server to download two components, named RuntimeBroker and RemoteShellcode, establishes persistence on the host, and gains administrator privileges by abusing the legitimate fodhelper.exe binary to bypass User Account Control (UAC). The malware also abuses the CMSTPLUA COM interface for privilege escalation.

RuntimeBroker is used to retrieve a component called Loader from the Command and Control (C2) server. The Loader operates similarly to the first-stage loader, executing the beaconing module to continue the infection. It also includes checks to detect if it’s running in a sandbox and scans the Windows Registry for keys related to Chinese apps like Tencent WeChat and Alibaba DingTalk, suggesting that the malware specifically targets Chinese systems.

RemoteShellcode fetches the ValleyRAT downloader from the C2 server, then uses UDP or TCP sockets to connect to the server and receive the final payload.

The malware attempts to evade detection by adding its root drive to the Windows Defender exclusion list using a PowerShell command. It uses pipes to execute commands in a new PowerShell process, likely to bypass security tools that inspect command arguments. By default, it excludes the “C:\” drive, but will exclude other drives if the malware runs from them.

The malware attempts to kill antivirus (AV) processes, specifically those from Chinese AV products, by terminating processes with certain executable names. If any of these processes remain active, the malware injects shellcode carrying an embedded DLL into the lsass process, which grants it higher privileges; from there it again attempts to terminate the AV processes and modifies registry settings to disable or weaken the AV products’ autostart capabilities.
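The behaviours described above (the C2 address stored under HKEY_CURRENT_USER\Software\Console\IpDateInfo, the fodhelper.exe UAC bypass, the Defender exclusion added via PowerShell, and the injection into lsass) each leave a host-level trace that endpoint telemetry can surface. The following added example, which is not Fortinet's or the author's code, runs simple detection logic over constructed Sysmon-style and PowerShell script-block event lines. The event format, the SID and file paths in the samples, the lsass allowlist, and the ms-settings registry path consulted by fodhelper.exe are assumptions not taken from the article.

```python
r"""Added example: hunting host-level traces of the ValleyRAT behaviours above.

Illustrative detector, not Fortinet's or the author's code. It reads a simplified
'key=value | key=value' event format (constructed here, loosely modelled on the
Sysmon and PowerShell fields a SIEM would normalise; real Sysmon logs HKU\<SID>\...
rather than HKCU\...) and flags:
  * Sysmon 13 registry writes to ...\Software\Console\IpDateInfo (the C2 address store);
  * Sysmon 13 writes under ...\Software\Classes\ms-settings\shell\open\command, the
    per-user key fodhelper.exe consults (ASSUMED indicator; the article gives no path);
  * Defender exclusion changes, as Sysmon 13 writes under ...\Windows Defender\
    Exclusions\Paths\ or as Add-MpPreference -ExclusionPath in script-block logs (4104);
  * Sysmon 10 process access to lsass.exe from outside a small allowlist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'k=v | k=v' into a dict (constructed format, not a real log schema)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.strip().partition("=")
        if key:
            fields[key.strip()] = value.strip()
    return fields


# Registry indicators, matched against the lower-cased target path.
REGISTRY_RULES = [
    ("valleyrat_c2_registry", r"\\software\\console\\ipdateinfo$"),
    ("uac_bypass_fodhelper_key", r"\\software\\classes\\ms-settings\\shell\\open\\command"),
    ("defender_exclusion_added", r"\\windows defender\\exclusions\\paths\\"),
]
POWERSHELL_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusionpath", re.IGNORECASE)
# Starting allowlist of processes expected to open lsass (assumption; tune per estate).
LSASS_EXPECTED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def evaluate(fields: Dict[str, str]) -> List[Finding]:
    """Apply the rules to one parsed event and return zero or more findings."""
    findings: List[Finding] = []
    try:
        event_id = int(fields.get("EventID", "0"))
    except ValueError:
        return findings
    if event_id == 13:  # Sysmon: registry value set
        target = fields.get("TargetObject", "")
        for rule, pattern in REGISTRY_RULES:
            if re.search(pattern, target.lower()):
                findings.append(Finding(rule, event_id,
                                        f"{fields.get('Image', '?')} wrote {target}"))
    elif event_id == 4104:  # PowerShell script block logging
        script = fields.get("ScriptBlockText", "")
        if POWERSHELL_EXCLUSION.search(script):
            findings.append(Finding("defender_exclusion_powershell", event_id, script))
    elif event_id == 10:  # Sysmon: process access
        source = fields.get("SourceImage", "").lower()
        if (fields.get("TargetImage", "").lower().endswith(r"\lsass.exe")
                and source not in LSASS_EXPECTED_SOURCES):
            findings.append(Finding("lsass_access_from_unexpected_process", event_id,
                                    f"{fields.get('SourceImage')} -> lsass.exe"))
    return findings


def hunt(lines) -> List[Finding]:
    """Run every line through the rules and collect findings in input order."""
    return [f for line in lines for f in evaluate(parse_event(line))]


# Constructed sample events: the SID, file paths and access masks are made up.
SAMPLE_EVENTS = [
    r"EventID=13 | Image=C:\Users\victim\Downloads\View Details.exe | TargetObject=HKU\S-1-5-21-1111\Software\Console\IpDateInfo",
    r"EventID=13 | Image=C:\Windows\explorer.exe | TargetObject=HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs",
    r"EventID=13 | Image=C:\Users\victim\Downloads\View Details.exe | TargetObject=HKU\S-1-5-21-1111\Software\Classes\ms-settings\shell\open\command",
    r'EventID=4104 | ScriptBlockText=Add-MpPreference -ExclusionPath "C:\"',
    r"EventID=13 | TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ | Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"EventID=10 | SourceImage=C:\Windows\system32\svchost.exe | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x1000",
    r"EventID=10 | SourceImage=C:\Users\victim\Downloads\View Details.exe | TargetImage=C:\Windows\system32\lsass.exe | GrantedAccess=0x1FFFFF",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding.rule}] event {finding.event_id}: {finding.detail}")
```

The two Defender rules are deliberately redundant: the article notes the malware spawns PowerShell through pipes so that the exclusion command does not appear on a process command line, which defeats command-line-only detections but not script-block logging or registry write telemetry.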

Experts attribute ValleyRAT to an APT group called “Silver Fox”. The capabilities implemented by the malware are focused on graphically monitoring the user’s activities and delivering other plugins, and possibly other malware, to the victim system.

ValleyRAT can remotely control compromised systems, load additional plugins, and execute files on the victim system.

“This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system. Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plugins to further the threat actors’ intentions.” concludes the analysis.

Pierluigi Paganini

(SecurityAffairs – hacking, malware)


facebook linkedin twitter

Hacking hacking news information security news IT Information Security malware Pierluigi Paganini Security Affairs Security News ValleyRAT

you might also like

Pierluigi Paganini July 15, 2025
FBI seized multiple piracy sites distributing pirated video games
Read more
Pierluigi Paganini July 15, 2025
An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    FBI seized multiple piracy sites distributing pirated video games

    Cyber Crime / July 15, 2025

    An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

    Hacking / July 15, 2025

    Interlock ransomware group deploys new PHP-based RAT via FileFix

    Cyber Crime / July 14, 2025

    Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

    Data Breach / July 14, 2025

    Experts uncover critical flaws in Kigen eSIM technology affecting billions

    Security / July 14, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT