Organizations in China, Taiwan, and Hong Kong have been targeted by attacks spreading the ValleyRAT malware through fake software installers, according to The Hacker News.
Threat actors used a phishing webpage to lure targets into downloading a Microsoft Installer (MSI) package that impersonates legitimate software and hides its malicious nature by launching the genuine application while also executing a malicious DLL that deploys the multi-stage PNGPlug loader, a report from Intezer showed. PNGPlug then facilitates execution of the ValleyRAT trojan, which has been associated with the Silver Fox threat operation and has recently been reported to have gained screenshot-capturing and Windows event log removal capabilities. Intezer researcher Nicole Fishbein regarded the intrusion as novel owing to its targeting and its sophisticated abuse of legitimate software to distribute malware. "The adaptability of the PNGPlug loader further elevates the threat, as its modular design allows it to be tailored for multiple campaigns," said Fishbein.