Criminals have been detected targeting Chinese companies with an advanced Remote Access Trojan (RAT) capable of taking over infected Windows endpoints.
FortiGuard researchers call the threat ValleyRAT and say its operators are hunting for companies in e-commerce, finance, sales and management. Initial access is likely via phishing, where criminals share loaders disguised as Microsoft Office files.
The loaders modify registry entries to establish persistence and communication with the C2 infrastructure, after which they allow their operators to deploy additional malware and make changes to the target endpoint. “This malware involves several components loaded at different stages and primarily uses shellcode to execute them directly in memory, which significantly reduces its file trail on the system,” FortiGuard said.
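Because the article describes loaders disguised as Office files that persist through registry changes, a defender's first check is a review of autorun registry values for executables masquerading as documents or launched from user-writable locations. The script below is an added example, not code from FortiGuard or from the report; the registry key names, the sample entries and the scoring weights are assumptions constructed for illustration and are not indicators taken from the ValleyRAT analysis.

```python
import ntpath
import re
from typing import List, Tuple

# Constructed sample of autorun registry values as (key, value name, command line).
# The key paths are the standard Windows Run/RunOnce keys; the entries themselves
# are invented for this example and are not indicators from the report.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Invoice",
     r'"C:\Users\alice\AppData\Local\Temp\Invoice_Q3.docx.exe"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
     r'rundll32.exe "C:\ProgramData\report.xlsx.dll",DllMain'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     r"C:\Program Files\SyncTool\sync.exe --quiet"),
]

DOC_EXTS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf")
EXEC_EXTS = ("exe", "scr", "com", "dll", "bat", "cmd", "vbs", "js", "hta")
# "document.ext.exe" style names: a document extension directly followed by an executable one.
DOUBLE_EXT = re.compile(
    r"\.(%s)\.(%s)\b" % ("|".join(DOC_EXTS), "|".join(EXEC_EXTS)), re.IGNORECASE
)
# Directories an unprivileged user (or a phishing payload) can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Local|Roaming)|Temp|Downloads|ProgramData|Users\\Public)\\",
    re.IGNORECASE,
)
# Built-in Windows binaries commonly used to run code from a data file.
LOLBINS = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell")


def _launcher(command: str) -> str:
    """Return the lowercase basename of the first token (quoted or bare) of a command line."""
    text = command.lstrip()
    first = text.split('"')[1] if text.startswith('"') else text.split()[0]
    return ntpath.basename(first).lower()


def score_autorun(command: str) -> Tuple[int, List[str]]:
    """Score one autorun command line; a higher score means more worth an analyst's look."""
    score, reasons = 0, []
    if DOUBLE_EXT.search(command):
        score += 3
        reasons.append("executable masquerading as an Office/PDF document")
    in_user_dir = bool(USER_WRITABLE.search(command))
    launcher = _launcher(command)
    if any(launcher.startswith(name) for name in LOLBINS):
        # A system launcher pointed at a user-writable location is more suspicious.
        score += 2 if in_user_dir else 1
        reasons.append(f"launched through {launcher}")
    if in_user_dir:
        score += 1
        reasons.append("target lives in a user-writable directory")
    return score, reasons


def find_suspicious_autoruns(entries, threshold: int = 2):
    """Return (key, name, score, reasons) for entries scoring at or above threshold, highest first."""
    hits = []
    for key, name, command in entries:
        score, reasons = score_autorun(command)
        if score >= threshold:
            hits.append((key, name, score, reasons))
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    for key, name, score, reasons in find_suspicious_autoruns(SAMPLE_AUTORUNS):
        print(f"[{score}] {key}\\{name}: {'; '.join(reasons)}")
```

The scoring deliberately leaves a signed vendor binary under AppData (the OneDrive entry) below the reporting threshold, since a user-writable path alone is common for legitimate per-user installs; a document-looking double extension or a rundll32/regsvr32 launch from such a path is what pushes an entry over. On a live host the same function can be fed the output of a registry export or an EDR autorun inventory in place of the constructed list.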
Silver Fox attacking
“Once the malware gains a foothold on the system, it supports commands capable of monitoring the victim's activities and delivering arbitrary plugins to further the threat actors' intentions,” the researchers noted.
In other words, criminals can use different tools, depending on what they want from the victim.
The group behind the campaign is reportedly called “Silver Fox” and is a threat actor that has previously been observed targeting Chinese organizations.
In spring 2023, Chinese tech giant Weibu Online reported tracking this group using SEO poisoning to get their phishing sites to rank highly on Chinese search engines. With the help of these sites, Silver Fox gained access to Chinese companies in the financial, securities, and education sectors.
While the location and affiliation of Silver Fox remain a mystery, some researchers believe the group is also of Chinese origin.
The best way to defend against Silver Fox and similar threats is to always keep antivirus and endpoint protection systems up to date and educate employees about the dangers of phishing and social engineering.