January 22, 2025
A string of cyber-attacks using the well-known ValleyRAT malware, targeting Chinese-speaking regions such as Hong Kong and Taiwan, has drawn the attention of the security community.
In a technical study released last week, Intezer stated that the attacks use a multi-stage loader called PNGPlug to deliver the ValleyRAT payload.
The first step in the infection chain is a phishing page, which is intended to trick victims into downloading a malicious Microsoft Installer (MSI) package that looks like genuine software.
When the installer is run, it secretly extracts an encrypted file that contains the malware payload while simultaneously launching a harmless application to allay suspicions.
“The MSI package uses the Custom Action function of the Windows Installer to run malicious code, including a hidden malicious DLL that decrypts the archive (all.zip) with an encoded password ‘hello202411’ to retrieve the core malware components,” security researcher Nicole Fishbein said.
These consist of two payload files that pose as PNG graphics (“aut.png” and “view.png”), a rogue DLL (“libcef.dll”), and a genuine program (“down.exe”) that serves as a front for the malicious activity.
The primary job of the DLL loader, PNGPlug, is to prepare the environment for the main payload: it loads “aut.png” and “view.png” into memory, where one sets up persistence by altering the Windows Registry and the other runs ValleyRAT.
ValleyRAT is a remote access trojan (RAT) that has been observed in the wild since 2023. It gives attackers unauthorized access to and control over compromised computers. More recent versions have added the ability to take screenshots and delete Windows event logs.
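The two payloads described above are stored with a .png extension but are not images. A simple defensive check for this masquerading pattern is to verify that a file named .png actually starts with the PNG signature and a well-formed IHDR chunk, and to note when the content instead looks like a PE file or an encrypted blob. The script below is an added example written for this article, not code from Intezer or from the campaign; all file names and contents are constructed in-memory samples, and the entropy threshold is an assumed heuristic, not an indicator from the report.

```python
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
HIGH_ENTROPY_THRESHOLD = 7.5  # assumed heuristic: bytes this random are usually encrypted/compressed


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) over the whole buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_png(data: bytes) -> bool:
    """True if data begins with the PNG signature followed by a valid IHDR chunk.

    Layout checked: 8-byte signature, 4-byte length (must be 13), 4-byte type
    'IHDR', 13-byte body, 4-byte CRC32 over type + body.
    """
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    return (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc


def classify_png_content(data: bytes) -> str:
    """Explain why a .png file is not an image."""
    if data.startswith(b"MZ"):
        return "PE header in a .png file"
    if shannon_entropy(data) >= HIGH_ENTROPY_THRESHOLD:
        return "high-entropy blob (possibly encrypted payload)"
    return "not a PNG image"


def scan_files(files: dict[str, bytes]) -> dict[str, str]:
    """Return {name: reason} for every .png-named file whose content is not a PNG."""
    findings = {}
    for name, data in files.items():
        if name.lower().endswith(".png") and not looks_like_png(data):
            findings[name] = classify_png_content(data)
    return findings


def make_png_header() -> bytes:
    """Build a minimal, valid PNG signature + IHDR chunk (1x1, 8-bit RGB)."""
    body = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + body + struct.pack(">I", crc)


# Constructed sample "extracted archive" contents; names mirror the article, bytes are made up.
SAMPLE_FILES = {
    "logo.png": make_png_header(),                 # a real (if tiny) PNG: should pass
    "aut.png": bytes(range(256)) * 8,              # constructed uniform bytes: entropy 8.0
    "view.png": b"MZ\x90\x00\x03\x00" + b"\x00" * 100,  # constructed PE-like header
    "down.exe": b"MZ\x90\x00\x03\x00" + b"\x00" * 100,  # extension matches content: not flagged
}

if __name__ == "__main__":
    for name, reason in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {reason}")
```

Running it reports aut.png as a high-entropy blob and view.png as a PE header while leaving logo.png and down.exe alone. The IHDR CRC check matters: a loader that merely prepends the 8-byte signature to a payload would slip past a signature-only test.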
Because it uses a command-and-control (C&C) architecture called Winos 4.0, it is thought to be associated with a threat group called Silver Fox, which also has tactical overlaps with another activity cluster dubbed Void Arachne.
The effort is unique because it focuses on the Chinese-speaking community and uses lures connected to software to initiate the assault chain.
According to Fishbein, the hackers’ deft exploitation of trustworthy software as a vehicle for spreading malware is also remarkable. They can blend dangerous activity with seemingly innocuous apps with ease.
Because of its modular nature, the PNGPlug loader may be tailored for different campaigns, significantly raising risk