Summary
Key Points:
- A fake Huorong Security site has been used to distribute ValleyRAT, a sophisticated Remote Access Trojan (RAT) attributed to the Silver Fox APT group, targeting users seeking antivirus solutions.
- The attack leverages a typosquatted domain and a trojanized NSIS installer, resulting in unauthorized access and control over infected systems, with capabilities such as keylogging and process injection.
- Recommended actions include verifying download sources, monitoring Windows Defender exclusions, auditing for persistence artifacts, blocking outbound connections to the C2 IP (161.248.87[.]250), and alerting on suspicious process executions.
Technical Details:
The malware employs DLL sideloading techniques to execute malicious payloads while evading detection. It also uses PowerShell to modify Windows Defender settings for persistence and stealth.
MITRE ATT&CK Techniques:
- T1189 - Drive-by Compromise (Initial Access)
- T1059.001 - PowerShell (Execution)
- T1053.005 - Scheduled Task (Persistence)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Defense Evasion)
- T1574.002 - DLL Side-Loading (Defense Evasion)
- T1027 - Obfuscated Files or Information (Defense Evasion)
- T1218.011 - Rundll32 (Defense Evasion)
- T1555 - Credentials from Password Stores (Credential Access)
- T1082 - System Information Discovery (Discovery)
- T1057 - Process Discovery (Discovery)
- T1056.001 - Keylogging (Collection)
- T1071 - Application Layer Protocol (Command and Control)
- T1070.004 - Indicator Removal: File Deletion (Defense Evasion)
IOCs Mentioned:
- Fake domains: huoronga[.]com, huorongcn[.]com
- C2 IP: 161.248.87[.]250
- File hashes: 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4, db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e, etc.
- Scheduled task: Batteries at C:\Windows\Tasks\Batteries.job
- Registry key: HKCU\SOFTWARE\IpDates_info
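The recommended actions and IOCs above can be turned into a host-triage script. The following is an added example, not part of the original report: it checks a Windows 10/11 host for the Defender exclusions, persistence artifacts and C2 connection listed above, and (assuming PowerShell script-block logging is enabled) looks for recent Defender exclusion changes made from PowerShell.

```powershell
# Added example (not from the original report): triage checks for the
# ValleyRAT artifacts listed above. Run in an elevated PowerShell session.
$C2Ip     = '161.248.87.250'                 # C2 address from the report
$TaskName = 'Batteries'                      # scheduled task name from the report
$TaskJob  = 'C:\Windows\Tasks\Batteries.job' # legacy .job file from the report
$RegKey   = 'HKCU:\SOFTWARE\IpDates_info'    # registry key from the report
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions: the campaign adds them via PowerShell (T1562.001).
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($p) { $Findings.Add("Defender exclusion present: $p") }
}

# 2. Persistence artifacts (T1053.005): task name, legacy .job file, registry key.
if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
    $Findings.Add("Scheduled task '$TaskName' is registered")
}
if (Test-Path -LiteralPath $TaskJob) { $Findings.Add("Job file exists: $TaskJob") }
if (Test-Path -LiteralPath $RegKey)  { $Findings.Add("Registry key exists: $RegKey") }

# 3. Live C2 traffic (T1071): any TCP session to the reported address.
Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add("Connection to $C2Ip from PID $($_.OwningProcess) ($($proc.ProcessName))")
    }

# 4. Evidence of exclusion tampering in the last 7 days: Defender event 5007
#    (configuration changed) and PowerShell script-block log event 4104
#    containing Add-MpPreference / Set-MpPreference.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'Exclusion' } |
    ForEach-Object { $Findings.Add("Defender 5007 at $($_.TimeCreated): exclusion changed") }
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(Add|Set)-MpPreference' } |
    ForEach-Object { $Findings.Add("PowerShell 4104 at $($_.TimeCreated): MpPreference call") }

if ($Findings.Count -eq 0) { 'No ValleyRAT indicators found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

A hit in step 1 or 4 on a host that has no approved exclusions is the strongest signal; confirm the exclusion target against the file hashes above before escalating.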
This summary provides actionable intelligence that SOC teams can use to mitigate the risks associated with the ValleyRAT campaign.