ValleyRAT Malware Exploits Privilege Escalation and Evasion in Targeted Attacks

Threat Group: Silver Fox (suspected)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Privilege abuse via UAC bypasses (the CMSTPLUA COM interface and the auto-elevating fodhelper.exe), Scheduled Task creation, Registry Run Keys manipulation
Malware Used: ValleyRAT
Threat Score: High (8.5/10) — Due to advanced evasion, multi-stage infection, and targeted campaign scope within China
Last Threat Observation: October 25, 2024, by Fortinet, AlienVault, Zscaler


Overview

The ValleyRAT Remote Access Trojan (RAT) is a sophisticated multi-stage malware associated with the Silver Fox threat group, mainly targeting Chinese-speaking users and entities. It utilizes numerous advanced techniques to establish control, evade detection, and maintain persistence on infected Windows systems. ValleyRAT is notably evasive, leveraging process injection, registry modifications, and scheduled tasks to avoid traditional defenses. AlienVault's recent analysis highlights ValleyRAT's use of various MITRE ATT&CK techniques, including bypassing User Account Control (UAC), command-and-control communications, and persistence methods such as scheduled tasks and registry key manipulation.

Key Details

  • Delivery Method: Phishing emails with links to compressed executables, often masquerading as business documents.
  • Primary Targets: Chinese-speaking individuals, primarily within e-commerce, finance, and administrative sectors.
  • Capabilities: Remote command execution, plugin deployment, data exfiltration, persistence through system modifications, registry manipulation, and process injection.
  • Obfuscation Techniques: In-memory execution via shellcode, sandbox evasion, and anti-analysis tactics such as disabling antivirus software.

Attack Vectors

ValleyRAT initiates infection with phishing emails containing URLs that link to compressed executables disguised as legitimate business or finance documents. Once executed, the malware goes through a multi-stage process involving:

  1. Initial Loader Execution: The loader, disguised as a Microsoft Office file, triggers the infection by loading shellcode directly into system memory. This reduces the malware’s file presence and visibility to detection tools.
  2. Command-and-Control (C2) Communication: Upon establishing a connection to the C2 server, the malware downloads additional components like RuntimeBroker and RemoteShellcode. These facilitate persistence, privilege escalation, and data exfiltration while maintaining a low detection profile.
  3. Privilege Escalation & UAC Bypass: The malware abuses the CMSTPLUA COM interface and the auto-elevating fodhelper.exe binary to obtain an elevated process without triggering a User Account Control (UAC) prompt. It also creates scheduled tasks to execute ValleyRAT automatically on startup.
  4. Process Injection: ValleyRAT injects itself into legitimate processes, such as svchost.exe and colorcpl.exe, further masking its activities within standard Windows operations.

Known Indicators of Compromise (IoCs)

IP Addresses (defanged C2 URLs):

  • hxxp://154[.]39[.]255[.]141
  • hxxp://158[.]74[.]222[.]152

File Hashes

MITRE ATT&CK Techniques

ValleyRAT leverages the following MITRE ATT&CK tactics and techniques:

  • T1548.002 - Bypass User Account Control: Abuses fodhelper.exe and the CMSTPLUA COM interface to elevate privileges.
  • T1016.001 - Internet Connection Discovery: Probes network connectivity for C2 operations.
  • T1071 - Application Layer Protocol: Uses application layer protocols for C2 communication.
  • T1053 - Scheduled Task/Job: Creates tasks for persistent execution.
  • T1055 - Process Injection: Injects payloads into legitimate Windows processes.
  • T1497 - Virtualization/Sandbox Evasion: Detects virtualized environments and terminates in sandboxed conditions.
  • T1547.001 - Registry Run Keys / Startup Folder: Alters registry for persistence.
  • T1562.001 - Disable or Modify Tools: Attempts to disable or avoid antivirus software.
  • T1012 - Query Registry: Accesses registry data to detect security software and maintain persistence.

Mitigation and Prevention

  1. User Awareness Training: Train staff to recognize phishing links, especially those with compressed file attachments.
  2. Endpoint Detection & Response (EDR): Enable advanced EDR systems to detect and alert on memory injections, unauthorized process launches, and registry changes.
  3. Privileges and Access Management: Limit the use of administrative privileges to minimize risks associated with UAC bypasses.
  4. Scheduled Task Auditing: Regularly review scheduled tasks for unauthorized entries created by malware.
  5. Log Monitoring: Monitor security and application logs for signs of unusual process activity, particularly involving svchost.exe, fodhelper.exe, and CMSTPLUA.
  6. Anti-Malware Tools: Ensure anti-malware tools are configured to detect in-memory execution and process injection attempts.
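The log-monitoring and scheduled-task-auditing items above, and the UAC-bypass and injection steps in the attack chain, can be turned into concrete process-creation rules. The following is an added example written for this advisory, not code from Fortinet, AlienVault or Zscaler; it runs over constructed Sysmon-style events, and the CMSTPLUA CLSID, the set of "normal" fodhelper.exe parents and the user-writable path list are assumptions a deployment would tune to its own baseline.

```python
"""Added example: flag ValleyRAT-style UAC bypass, injection and persistence
activity in process-creation telemetry (Sysmon Event ID 1 style fields)."""
from dataclasses import dataclass

# Well-known CLSID of the CMSTPLUA COM object (assumption: your telemetry
# records the dllhost.exe /Processid:{CLSID} command line verbatim).
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
NORMAL_FODHELPER_PARENTS = {"explorer.exe", "systemsettings.exe"}  # assumption
SVCHOST_PARENTS = {"services.exe"}  # svchost is normally spawned by the SCM
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumption


@dataclass
class ProcEvent:
    image: str      # basename of the new process image
    parent: str     # basename of the parent image
    cmdline: str
    integrity: str  # "Medium", "High", "System" as Sysmon reports IntegrityLevel


def classify(ev: ProcEvent) -> list:
    """Return the ATT&CK-tagged findings this single event triggers."""
    img, par, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    hits = []
    if img == "fodhelper.exe" and par not in NORMAL_FODHELPER_PARENTS:
        hits.append("T1548.002 fodhelper.exe launched by non-shell parent")
    if par == "fodhelper.exe" and ev.integrity.lower() == "high":
        hits.append("T1548.002 high-integrity child of fodhelper.exe")
    if img == "dllhost.exe" and CMSTPLUA_CLSID in cmd:
        hits.append("T1548.002 CMSTPLUA COM surrogate started")
    if img == "svchost.exe" and par not in SVCHOST_PARENTS:
        hits.append("T1055 svchost.exe with unexpected parent")
    if img == "schtasks.exe" and "/create" in cmd and any(p in cmd for p in USER_WRITABLE):
        hits.append("T1053 scheduled task pointing at user-writable path")
    return hits


def scan(events: list) -> dict:
    """Map event index -> findings, omitting events that raised nothing."""
    return {i: classify(ev) for i, ev in enumerate(events) if classify(ev)}


SAMPLE_EVENTS = [  # constructed telemetry, not real IoCs
    ProcEvent("fodhelper.exe", "invoice_2024.exe", "fodhelper.exe", "High"),
    ProcEvent("cmd.exe", "fodhelper.exe", "cmd.exe /c RuntimeBroker.exe", "High"),
    ProcEvent("dllhost.exe", "svchost.exe",
              "dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}", "High"),
    ProcEvent("svchost.exe", "invoice_2024.exe", "svchost.exe -k netsvcs", "Medium"),
    ProcEvent("svchost.exe", "services.exe", "svchost.exe -k netsvcs -p", "System"),
    ProcEvent("schtasks.exe", "cmd.exe",
              'schtasks /create /tn Update /tr "C:\\Users\\bob\\AppData\\Roaming\\x.exe"', "High"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, findings)
```

The benign svchost.exe event (parent services.exe) produces no finding, which is the baseline these rules must respect; every other sample event maps to one of the techniques listed in the MITRE section.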

Conclusion

ValleyRAT exemplifies an adaptable and highly targeted cyber threat, prioritizing stealth and persistence in its attack chain. Its usage of Windows tools to escalate privileges and establish persistence indicates a sophisticated understanding of Windows security architecture. Security teams should employ robust monitoring, detection, and incident response mechanisms to counter this evolving threat.

Sources