Criminals have been spotted attacking Chinese companies with an advanced Remote Access Trojan (RAT), which can take over infected Windows endpoints.
FortiGuard researchers are calling the threat ValleyRAT and claim that its operators are targeting e-commerce, finance, sales and management companies. Initial access is likely gained via phishing, where criminals share loaders disguised as Microsoft Office files.
The loaders modify registry entries to establish persistence and set up communication with the C2 infrastructure, which then lets the operators deploy additional malware and make changes to the target endpoint. “This malware includes several components that are loaded in different stages and primarily uses shellcode to execute directly in memory, significantly reducing file tracking in the system,” FortiGuard said.
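The two behaviours described above, loaders posing as Office documents and Run-key persistence, are both cheap to triage on an endpoint. The following is an added example, not FortiGuard's code or anything from the campaign: it checks whether a file with an Office extension actually starts with an Office header or with a PE header, and it scans a .reg export of a Run key for entries that launch from user-writable paths or through a proxy binary. The registry export and file headers are constructed for the example; the ValleyRAT registry value names are not published on this page, so none are assumed here.

```python
"""Triage helpers for loaders disguised as Office files and for Run-key
persistence. Added example; the sample .reg export below is constructed."""
import re
from typing import List, Tuple

OFFICE_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx"}

# Genuine Office files begin with the OLE2 compound-file header (legacy
# .doc/.xls/.ppt) or the zip local-file header (OOXML .docx/.xlsx/.pptx).
# A Windows executable begins with "MZ" regardless of what it is named.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def classify_office_file(name: str, head: bytes) -> str:
    """Compare a file's claimed Office extension with its first bytes.

    Returns 'office' (header matches), 'pe-disguised' (an executable
    renamed to look like a document), 'decoy-extension' (an Office
    extension hidden before the real one, e.g. invoice.docx.exe),
    'not-office' or 'unknown'.
    """
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in OFFICE_EXTENSIONS:
        # An Office extension buried before the real one is a classic lure
        # when Explorer hides known extensions.
        if any(p in OFFICE_EXTENSIONS for p in parts[1:-1]):
            return "decoy-extension"
        return "not-office"
    if head.startswith(PE_MAGIC):
        return "pe-disguised"
    if head.startswith(OLE2_MAGIC) or head.startswith(ZIP_MAGIC):
        return "office"
    return "unknown"


# Locations a user-level loader can write without admin rights, and signed
# Windows binaries commonly used to run a payload stored in them.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
PROXY_BINARIES = ("rundll32", "regsvr32", "mshta", "wscript", "cscript", "powershell")

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def suspicious_run_entries(reg_export: str) -> List[Tuple[str, str, str]]:
    """Scan a .reg export of a Run key and return (name, command, reasons)
    for entries that launch from user-writable paths or via a proxy binary."""
    hits = []
    for line in reg_export.splitlines():
        m = _VALUE_LINE.match(line.strip())
        if not m:
            continue  # header, key path, blank line or a non-string value
        # .reg files escape quotes and backslashes; undo that to get the command.
        command = m.group("value").replace('\\"', '"').replace("\\\\", "\\")
        lowered = command.lower()
        reasons = []
        if any(marker in lowered for marker in USER_WRITABLE):
            reasons.append("launches from user-writable path")
        if any(lowered.lstrip('"').startswith(b) for b in PROXY_BINARIES):
            reasons.append("uses proxy binary")
        if reasons:
            hits.append((m.group("name"), command, "; ".join(reasons)))
    return hits


# Constructed sample export (not from the campaign): one legitimate entry,
# one binary dropped under AppData, one proxy launch from a Public folder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe"
"OfficeSync"="rundll32.exe C:\\Users\\Public\\Libraries\\sync.dat,Start"
'''

if __name__ == "__main__":
    print(classify_office_file("invoice.docx", b"MZ\x90\x00\x03\x00"))
    for name, command, why in suspicious_run_entries(SAMPLE_REG):
        print(f"{name}: {command}  <- {why}")
```

On a live host the Run-key input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM and RunOnce keys), and the header check from reading the first 8 bytes of any mail attachment that claims to be an Office document. Neither check catches the in-memory shellcode stages FortiGuard describes; they only catch the two on-disk footprints the page reports, which is why they belong beside, not instead of, behavioural endpoint monitoring.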
Silver Fox attacks
“Once the malware gains a foothold in the system, it supports commands that can monitor the victim’s activities and deliver arbitrary plugins to further the malicious actors’ intentions,” the researchers noted.
In other words, the RAT's capabilities are modular: the operators push whatever plugin suits what they want from a particular victim rather than shipping every feature in the initial payload.
The group behind the campaign is reportedly called “Silver Fox” and is a threat actor that has previously been observed attacking Chinese organizations.
In the spring of 2023, Chinese tech giant Weibu Online reported that it was tracking this group, which used SEO poisoning to rank its phishing sites high in Chinese search engines. Using these sites, Silver Fox gained access to Chinese companies in the financial, securities, and education sectors.
Although the location and affiliation of Silver Fox remain a mystery, some researchers believe the group is also of Chinese origin.
The best way to defend yourself against Silver Fox and similar threats is to keep antivirus and endpoint security systems up to date and to educate employees about the dangers of phishing and social engineering. Because the later stages run as shellcode in memory, file scanning alone will miss much of this chain; endpoint tooling that watches for new registry autorun entries and for executables delivered under Office file names covers the two on-disk footprints the researchers describe.