Severity
High
Analysis Summary
A new campaign involving the distribution of an updated version of the malware known as ValleyRAT has been discovered by cybersecurity researchers. ValleyRAT added new capabilities to its most recent version, including the ability to take screenshots, filter processes, force a shutdown, and delete Windows event logs.
In 2023, researchers first reported findings related to ValleyRAT, which was associated with a phishing campaign aimed at Chinese-speaking users and Japanese organizations. The campaign disseminated multiple malware families, including Purple Fox and Sainbox RAT (also known as FatalRAT), a variant of the Gh0st RAT trojan. Based on its ability to capture sensitive data and deploy more payloads onto compromised computers, the malware is thought to have been created by a threat actor operating from China.
First, a downloader retrieves a file called "NTUSER.DXM" from the same server over an HTTP File Server (HFS). This file is decoded to extract a DLL, which in turn downloads "client.exe" from the database. To avoid detection, the decrypted DLL also identifies and stops anti-malware programs from Qihoo 360 and WinRAR. The downloader then retrieves three further files from the HFS server: "WINWORD2013.EXE", "wwlib.dll", and "xig.ppt".
The malware then starts "WINWORD2013.EXE", a genuine Microsoft Word program, and uses it to sideload "wwlib.dll", which establishes persistence and loads "xig.ppt" into memory. Once decrypted, "xig.ppt" continues the execution chain, decoding shellcode and injecting it into svchost.exe: the malware starts svchost.exe as a suspended process, allocates memory in it, and writes the shellcode into that memory.
The shellcode, in turn, contains the configuration needed to contact a command-and-control (C2) server and download the ValleyRAT payload, which is a DLL file. The researchers noted that ValleyRAT employs a complex, multi-phase procedure to compromise a system, with the final payload carrying out the majority of the malicious actions. This phased strategy and the DLL side-loading are probably intended to evade host-based security products such as antivirus software and EDRs.
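The chain above leaves three observable traces on the host: a Word binary loading wwlib.dll from a user-writable directory, svchost.exe being spawned by something other than services.exe, and event logs being cleared. The following detection logic, added here as an illustration and not code from the original advisory or the researchers, runs those three checks over constructed Sysmon-style event records; the path allow list and the sample events are assumptions.

```python
"""Detection logic for the ValleyRAT delivery chain described above.

Events are constructed, Sysmon-style dicts (not real telemetry). Rules flag:
  1. a Word binary loading wwlib.dll from outside Program Files (sideload)
  2. svchost.exe started by something other than services.exe (injection host)
  3. Windows event-log clearing (Security 1102 / System 104)
"""
from pathlib import PureWindowsPath
from typing import Optional

# Assumption: legitimate Office installs live under one of these prefixes.
OFFICE_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> Optional[str]:
    """Return a finding label for one event, or None if no rule matches."""
    eid = ev.get("EventID")
    if eid == 7:  # Sysmon ImageLoad
        loaded = ev["ImageLoaded"]
        if (_base(ev["Image"]).startswith("winword")
                and _base(loaded) == "wwlib.dll"
                and not loaded.lower().startswith(OFFICE_DIRS)):
            return "wwlib.dll sideload from %s" % loaded
    elif eid == 1:  # Sysmon ProcessCreate; tune the parent list per environment
        if _base(ev["Image"]) == "svchost.exe" and _base(ev["ParentImage"]) != "services.exe":
            return "svchost.exe with unexpected parent %s" % ev["ParentImage"]
    elif (eid, ev.get("Channel")) in ((1102, "Security"), (104, "System")):
        return "event log cleared"
    return None


def scan(events):
    """Return (index, finding) pairs for every event that matches a rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]


# Constructed sample events: indices 0, 2 and 4 should be flagged.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\WINWORD2013.EXE",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\wwlib.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\wwlib.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Users\\u\\AppData\\Local\\Temp\\WINWORD2013.EXE"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1102, "Channel": "Security"},
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```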
This development coincides with the discovery of a phishing campaign that uses an upgraded version of the keylogger and information stealer Agent Tesla to target Spanish-speaking individuals. The attack chain leverages Microsoft Excel Add-Ins (XLA) file attachments to launch a PowerShell script that loads a JavaScript code intended to launch a loader to retrieve Agent Tesla from a remote server. This code exploits known security flaws (CVE-2017-0199 and CVE-2017-11882).
This version gathers email addresses and credentials from the victim's device, together with the application they were harvested from and basic details about the device. If the victim uses Thunderbird as their email client, Agent Tesla can also gather their email contacts.
Impact
- Cyber Espionage
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement intrusion detection and prevention systems (IDPS) to detect and block unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.