The malicious software then starts "WINWORD2013.EXE," a genuine Microsoft Word program, and uses it to sideload "wwlib.dll," which creates system persistence and loads "xig.ppt" into memory. “Xig.ppt,” which has been decrypted, now proceeds with the execution process, serving as a means to decode and introduce shellcode into svchost.exe. The malware starts svchost.exe as a suspended process, loads memory into it, and inserts shellcode.

On the other hand, the shellcode has the setup required to make contact with a command-and-control (C2) server and download the ValleyRAT payload, which is a DLL file. The researchers noted that ValleyRAT employs a complex, multi-phase procedure to compromise a system, with the ultimate payload handling the majority of the malevolent actions. This phased strategy and DLL side-loading are probably intended to make it easier to get beyond host-based security programs like antivirus software and EDRs.

This development coincides with the discovery of a phishing campaign that uses an upgraded version of the keylogger and information stealer Agent Tesla to target Spanish-speaking individuals. The attack chain leverages Microsoft Excel Add-Ins (XLA) file attachments to launch a PowerShell script that loads a JavaScript code intended to launch a loader to retrieve Agent Tesla from a remote server. This code exploits known security flaws (CVE-2017-0199 and CVE-2017-11882).

This version gathers email addresses and credentials from the victim's device, along with the program that gathers the data and the device's fundamentals. If the victim uses Thunderbird as their email program, Agent Tesla can also gather their email contacts.

Impact

• Cyber Espionage
• Sensitive Data Theft
• Unauthorized Access

Indicators of Compromise

IP

• 101.33.117.200
• 43.129.233.146
• 43.132.212.111
• 43.129.233.99
• 119.28.32.143
• 43.132.235.4

MD5

• 984878f582231a15cc907aa92903b7ab
• 56384012e4e46f16b883efe4dd53fcb0
• 8c0cde825ee2d3c8b60cd2c21d174d4c
• 85f1c63c40918eb300420152eaf78e2c
• 0b63f0b83f78dff04ae26fe6b1da3b29
• 81ab4d6b9a07e354b52a18690f98b8aa
• b79c69bb5d309b07e10a316ee9c2223e
• ddb3c71de77a18421f6e86bc9fec6697
• eb953e5f2a3eb68756f779b3fa4d5c4e
• 8995fbb4679ddd1516eacb3e453cb1ba
• 9aec2351a3966a9f854513a7b7aa5a13

SHA-256

• 470b18288f1fce4c024be7f7f01d66b062fbe41ff53d7fe50eef9d44ff79ad4b
• 1cf712b65cb67a06b0376921ffe2a697fc34284140eb6c79738daee3367dfec8
• 41d7e67176eb1c406fb8c545e4d14fa694a63bf38aa7423d61d8cd48999e40ce
• 3c9fe665d6170d6791182b565acead30e6c658962dd70af03f29826d4c35081e
• 24daf0b69dcc17c24bbc858d166cc85270bf82ab57bc159e88f193c7dc0b1501
• 4215b084afa323f090c209518501d2ae0e9fa27cfc7cfe791a668e8802c6be61
• 5010b0a72cf94c29d94e119767e2920ca5589055c89f4852273dc50420eb15e8
• 0d3dd8eb56184193ac883eb235746bb53e18fa2f8a735afad8eb9b04fe006678
• 06fc07710e9932a3ca4072adbe5bdea1b59336a888a7e2bdf001bc1f8955e8de
• 773a1cd04612e4e7346b200b46990d9ecc07aa9f917c0b0d7cc1975241d029ed
• f5ebe440931d1d003a51133ad1f727daf2410ba50d9f51818938c269bb7fe806

SHA-1

• d9ae9b2fa642658dc691442e197be96dc0dcd4c1
• 22cd0f235d5744a0585bebc9ebad2221e61ad5f8
• f3f6a4617434ca8ce876ae366d731c336109e83f
• beb906af13918b4ce21b02aa758da180e7273945
• e69e4abd0d73a93ce4e75105a04c8b2a0f0541cd
• 63d1d132dc05dd37e4f94dc8e22f3d0c3e700be0
• d8477bcd00e5ec0eaec26f640b792a48c420b222
• 4882903d0ce80b7667fec1839c05edf49f7fb4d9
• f95f196eb050fd5e119cd3c0b28a26a48dae4677
• 857fa64483f911aaf2ed6238dec1b46d7017a1eb
• e11065431381023d16190b390504390dfeea16a9

URL

• https://2024aasaf.oss-cn-hongkong.aliyuncs.com/TARE961424.exe
• https://2024fapiao.oss-cn-hongkong.aliyuncs.com/82407836%E5%87%BD%E6%95%B0.exe
• https://scpgjhs.com/TARE965624.exe
• http://tzsxr.com/customer.exe
• http://kfurl.cn/kvukj
• http://fpwenj.zhangyaodong5.com/TARE985624.exe

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.