
A sophisticated cyber attack campaign targeting Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China, has been uncovered by cybersecurity researchers. The attacks utilize ValleyRAT malware, delivered through a multi-stage loader called PNGPlug.
The attack begins with phishing pages that trick users into downloading malicious Microsoft Installer (MSI) packages disguised as legitimate software. When the installer runs, it deploys a legitimate application as cover while silently extracting an encrypted archive that holds the malware payload, unlocking it with the hardcoded password ‘hello202411’.
The infection chain involves multiple components:
– A malicious DLL (“libcef.dll”)
– A legitimate cover application (“down.exe”)
– Two payload files disguised as PNG images (“aut.png” and “view.png”)
PNGPlug, the DLL loader, prepares the environment by:
– Injecting payload files into memory
– Establishing persistence through Windows Registry modifications
– Executing ValleyRAT
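The components above include two payloads carried as files named like images (“aut.png” and “view.png”). A cheap triage check for that trick is to compare a file's extension with its magic bytes and measure its byte entropy: a renamed executable will start with an MZ header, and an encrypted blob will fail the PNG signature test while showing near-random entropy. The scanner below is an added example written for this article, not code from the original write-up or from the researchers; the sample files it creates are constructed in a temporary directory, and while two of them borrow the names from the write-up, their contents are made up and say nothing about the real payloads.

```python
"""Flag files whose extension says PNG but whose bytes do not.

Added example (not from the original write-up). The PNG signature and the
MZ prefix are real format constants; the sample files, their contents and
the 7.0-bit entropy threshold are constructed for the demonstration.
"""
import math
import os
import tempfile
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG file signature
PE_MAGIC = b"MZ"                   # DOS/PE header prefix


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for random or encrypted data, lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_png_named_file(path: str, sample_size: int = 65536) -> dict:
    """Classify one file carrying a .png extension by its leading bytes.

    Verdicts:
      "png"        - signature matches, nothing to flag
      "pe-in-png"  - starts with an MZ header (executable renamed to .png)
      "opaque-png" - no PNG signature and high entropy (likely encrypted blob)
      "not-png"    - no PNG signature and low entropy (plain data, still odd)
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    entropy = shannon_entropy(head)
    if head.startswith(PNG_MAGIC):
        verdict = "png"
    elif head.startswith(PE_MAGIC):
        verdict = "pe-in-png"
    elif entropy > 7.0:          # constructed threshold; tune for your data
        verdict = "opaque-png"
    else:
        verdict = "not-png"
    return {"path": path, "verdict": verdict, "entropy": round(entropy, 2)}


def scan_directory(root: str) -> list:
    """Walk a tree and classify every file whose name ends in .png."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".png"):
                results.append(classify_png_named_file(os.path.join(dirpath, name)))
    return sorted(results, key=lambda r: r["path"])


def build_constructed_samples(root: str) -> None:
    """Write four constructed samples, all named .png: a genuine PNG header,
    an MZ-prefixed file, a pseudo-random blob, and plain text. The names
    "aut.png" and "view.png" come from the write-up; the contents do not."""
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 256)
    with open(os.path.join(root, "view.png"), "wb") as fh:
        fh.write(PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 256)
    with open(os.path.join(root, "aut.png"), "wb") as fh:
        # 73 is coprime with 256, so every byte value appears equally often:
        # entropy is exactly 8.0 bits per byte, mimicking an encrypted payload
        fh.write(bytes((i * 73 + 41) % 256 for i in range(4096)))
    with open(os.path.join(root, "notes.png"), "wb") as fh:
        fh.write(b"just some text, not an image\n" * 20)


def demo() -> dict:
    """Build the samples in a temp dir, scan them, and return {name: verdict}."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_samples(root)
        return {os.path.basename(r["path"]): r["verdict"] for r in scan_directory(root)}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Point `scan_directory` at an application's install folder, or at a suspect MSI's extraction directory, and anything that is not `"png"` deserves a closer look; the entropy threshold is a starting point, since real images with compressed IDAT data also run high, which is exactly why the signature check comes first.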
ValleyRAT, first detected in 2023, is a remote access trojan that gives its operators unauthorized access to and control over infected systems. Recent versions add screenshot capture and event log clearing. The malware is attributed to the Silver Fox threat group, which overlaps with Void Arachne in its use of the Winos 4.0 command-and-control framework.
The campaign stands out for its targeted focus on Chinese-speaking users and its use of legitimate software as the delivery mechanism, showing how effectively the attackers blend malicious activity into seemingly legitimate applications.