The infection chain begins with a phishing page designed to trick victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software. Upon execution, the installer deploys a benign application to evade detection while covertly extracting an encrypted archive containing the malware. The MSI package leverages the Windows Installer's CustomAction feature to run malicious code, including a DLL ("libcef.dll") that decrypts an encrypted archive (all.zip) using the hardcoded password "hello202411" to release key malware components. These include a legitimate application ("down.exe") used as a decoy, and two files masquerading as PNG images ("aut.png" and "view.png").

PNGPlug, the DLL loader, prepares the system for the malware by injecting the disguised PNG files into memory, enabling persistence through Windows Registry modifications and executing ValleyRAT. Active since 2023, ValleyRAT is a remote access trojan that provides attackers unauthorized control over compromised systems. It includes capabilities such as capturing screenshots and clearing Windows event logs.

The attacks are attributed to the Silver Fox threat group, which shares similarities with the Void Arachne group, including the use of the Winos 4.0 command-and-control (C&C) framework. The campaign stands out for its focus on Chinese-speaking demographics and its use of software-related lures to initiate the infection chain. The sophisticated integration of legitimate software with malware and the modularity of the PNGPlug loader make this attack particularly insidious and adaptable to various campaigns.

Researchers highlight the attackers’ ability to blend malicious activities with benign applications, demonstrating advanced strategies to bypass detection and maintain persistence.

Impact

• Cyber Espionage
• Sensitive Data Theft
• Unauthorized Access

Indicators of Compromise

MD5

• d44ec71c940ec762494e73f919c38ccf

• 9ac2c0aab59be47ced6cc8616280393f

• be712a749947f0c11fabe0d701041231

• 62dc2f5f032a81f76fd676a8e4ffa514

• ec947b19114e061d83ba11df66da6cb8

• 93fdb041bbc6181578fbe590fcd7d217

• 17392aab658f9528014ec14e22db9bbb

• 86095cb66626ebf4180658984e5220c6

• 819b8e127f4500bcd789900110e10a61

• 682c0f0630cc582397dcb94055a2fd44

• 0bf98235ac16f98e8e104b46a1d974a7

• 0fa07d227af0688cac5882e3d99848b2

• 143b59cd302d0ca40f146ba53aaaaad5

• b51b606d16b90747fd3194765b0c75f7

• e9944e3c92f547a98109145d77ae72a5

• 3607956ac07fc8c2d17e8d5b8061dc9d

• 3ca9c24399fdf43b416ef4cc67e4b071

• 0334545cbcb924b7de4c108e3fa1bc0f

• 981f0dba7b63fd17f1a519603be0c8d4

• 3b5d7670c71635264b14529e4e8242c4

• 98b3e06a9f8def8160871960994ffad9

• df350679413b29853391a24022944404

• d4ec1ee084e5cab3e53ddd3610856662

• ffeca40ce15d2b36d4b8943340fd32f9

• 2b3adbdf56ca2ae3b087f42ff6119e52

• 884df0442241c20ca539ebfd0151aeac

• 8f6d9a96b70f059898daac49a39b7c52

• 916aa96572279704b4d65b0920ec1dec

SHA-256

• 08dad42da5aba6ef48fca27c783f78f06ab9ea7a933420e4b6b21e12e550dd7d

• 33bc111238a0c6f10f6fe3288b5d4efe246c20efd8d85b4fe88f7d602d70738e

• 50a64e97c6a5417023f3561f33291b448ce830a4d99c40356af67301c8fa7523

• 6d4dd4334791c91bb09e7a91dd5c450b2c6e3348a5586de011c54ce3f473f619

• 76fc76dc651c3cc9d766a6ad8a90f605326463bc4cb2f8f053d44dfbc913beee

• ad23f5c9bab137dc24343fc410f7587885aab6772dee5e75a216ed579c6ee420

• c497506fe2df57c39fcf92398f4864ca4bfcb1a6f2f80c3c520166bc61882855

• e49b085f5484531395b5a7903f004b2a02a2b4ebfa46116d1a665ba881b1f528

• 79acdca5247ca9719f2f3a34c7942cd60b209f7b616efa5dd81e6656a8baf9a5

• e9e4751c88d3a1a4bfdd5d07bb35636787b0d6fbf68b17642d3fe03cbe5ebf70

• de8a0da702a491f610b9e85050d8641cadf4ed84edf4d151f94335b0d78d6636

• 6d2a4d9e2fc6e4dac2c426851b4bdf86dd63a5515d8d853e622a0bc01d250ce9

• 4a68bdfa3e31a8c063bbf94469160eb7998a556027d5ad33f37c347a71c2d3a4

• 7c31c4d0308fb1d67f6af48a76138a9db19f494c1e9a12debdcca7382ad5418c

• 5f9a5ad43a9f79976cd7014ce072429ef2edbae872b4226372cfb07d8a86b8a5

• 3ac3ca18142a935608cb0d2c8d6421ebb9abc30bce93f094447b9c3f63fe791b

• 9d97f3f55bc647911e14a36c83f263e91662cf9d13a2fc3ec7c92dedb8977d37

• c070749f95aeeefcd1c3a875c1b8e77b57cad0c8338436af9a3c9e1323fd4e11

• 7eaed6fa867875119c3ebb40aa24716d91fdbccb2106fa4708ff0637920a920c

• fa26722e99763a29af160fae64183a47a57362b666753624b78e954c8cde0525

• 9aa51d1c82fdbc8f0f27340180bd40faa7e76b8ac6d204b2d3548cfd0897d805

• 58416315c61ed5cb2c754244ed5c081963dabf3e698b04226a00f978cd913e84

• f2f96e5ac1b4bd6cac49c71ca2010dcbe5751757483520cfc7dddf4fb7186044

• 46af73560cafff5c8bbc16980d01641af0de3b689bc248dfb52afcf3a8a76a55

• 7bff2404c2816c4e1576d449820f01e3f46e7c972beb1843e3b8da2e065f8dc3

• 94ff4679dd5aec7874354c14132701ecdfbbb558c6011e4952d13bf843255529

• ae6d88ea99e530f778ee6088862b50dfb6e8bb45857211e9105428c57c2a7b4a

• 9aea0fdfead2e956bc0b4574c2b4cb2855dd9df6a5fd61d350f3285d249adfca

SHA1

• 2fdaf09ae44300bc06aee24f69dec13e8c3e4103

• b0dfeb9908bbb724eeef64e1343ccbdf5dfb876f

• 705f916f15d7d02b902e28405a14a9c417f5cce0

• 97dba86ca25cc619036735a1a64981e9a03fef5e

• 8e2f3fdef074c1dcc8e66772a4c80f16b59318b2

• 6cb6b6bc0d6ddc5d114af2d600346e0fe79aabdc

• 9232f907f0ef9b218d3fe5497e97de4cda82c5c1

• 88a8868a6b4e6729c8d6d7fa00ea86aad349941b

• ba60e7f23b7de97d4338f019a76e7d0fabe67655

• e7c8ce8a50171b24a2f4fabd9fd307b663c78ad0

• 21d9e5c6a124897f2e56a63930d96e85994f118b

• beeb80eb0a4151342646fa0dcf2878b8e43cd872

• a8a5345e19b20500b62629f14060aefc883e3b52

• 473cbf1bb29863c4275f5d78415596df11f735e4

• c5d47880e1622279df63c27eb62131f61c5b3c0a

• 2d4853e921f1c9b61d06ce83cf01d06f74188032

• 5d687ddbf7069469216b2581bc7db1031eca66a0

• 2f64e28b02b39f2dbf74b1a163b8d1db04a9e5ab

• f7ca6933eeb9fbc1d79a7e0d338c61648a0f9a37

• f29b556efebbdb8202835a2550f4417424915250

• f555ee796870026ffdad9b05eeeec5e4caf65bb5

• dd58a73dad912e61c2b2be068233337f5a498ff7

• 037d70ba1ab2c1e12fb8455446e8f957d6017945

• 7e699f2673ea1bbb9cb6652d4979bb5c1b5b1b79

• 447c34bb6716d272042d22c59c941ee6d15ee711

• 2ce915a8e768411dbbcb62e0580a3563cc98bf81

• 6c53ae6210d9f6788b6c9cadf170a165b80ae7e1

• 60e2d2dd83f4d3cc3bfa33cd6ed46868c67a5c09

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems and software are up to date with the latest security patches.
• Employ reliable antivirus and antimalware software to detect and block known threats.
• Regularly update these tools to maintain the latest threat intelligence.
• Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
• Enable two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
• Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
• Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
• Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
• Segment your network to limit lateral movement for attackers.
• Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
• Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
• Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.