Hackread reports that Windows users across China are being targeted in a new campaign that delivers the ValleyRAT malware through multi-stage intrusions.
According to a Fortinet FortiGuard Labs report, the attacks begin with the delivery of fraudulent business- or finance-related documents. When executed, these files open the system's default application for Word documents as a decoy while, in the background, creating a mutex and modifying registry entries to maintain persistence. The threat actors then use shellcode to load the malware stealthily into memory and ultimately retrieve ValleyRAT, which the FortiGuard Labs researchers say supports activity tracking, delivery of arbitrary plugins, file execution, screenshot capture, and data exfiltration. The researchers also note that ValleyRAT can manipulate the registry and take over system functions. These findings follow earlier research that tied ValleyRAT, which had been used to compromise finance, sales, e-commerce, and management organizations, to the suspected advanced persistent threat group Silver Fox.