Criminals have been spotted targeting Chinese enterprises with an advanced Remote Access Trojan (RAT), capable of taking over infected Windows endpoints.
Researchers at FortiGuard call the threat ValleyRAT, and claim its operators are on the hunt for ecommerce, finance, sales, and management enterprises. Initial access is most likely achieved through phishing, where crooks share loaders disguised as Microsoft Office files.
The loaders alter registry entries to establish persistence and communication with the C2 infrastructure, after which they allow their operators to deploy additional malware and make changes to the target endpoint. “This malware involves several components loaded in different stages and mainly uses shellcode to execute them directly in memory, significantly reducing its file trace in the system,” FortiGuard said.
Silver Fox attacking
“Once the malware gains a foothold in the system, it supports commands capable of monitoring the victim’s activities and delivering arbitrary plugins to further the threat actors’ intentions,” the researchers noted.
In other words, crooks can deploy different tools, depending on what they want from the victim.
The group behind the campaign is allegedly called “Silver Fox”, a threat actor previously observed targeting Chinese organizations.
In spring 2023, Chinese tech giant Weibu Online reported tracking this group, which used SEO poisoning to make its phishing sites rank high on Chinese search engines. With the help of these sites, Silver Fox gained access to Chinese companies in the finance, securities, and education industries.
While the location and affiliation of Silver Fox remain a mystery, some researchers believe the group, too, is of Chinese origin.
The best way to defend against Silver Fox and similar threats is to always keep antivirus and endpoint protection systems up to date, and to educate employees on the dangers of phishing and social engineering.