Security researchers have reported a series of targeted attacks against Chinese-speaking regions that deliver the ValleyRAT malware. The attacks use a multi-stage loader, PNGPlug, that arrives inside a malicious Microsoft Installer (MSI) package the victim is tricked into downloading. The installer launches a benign decoy application to hold the victim's attention while the real payload is unpacked, using a hardcoded password to decrypt the malware components. ValleyRAT has been linked to organized threat groups.
The MSI package abuses the Windows Installer CustomAction feature to run attacker code during installation: an embedded malicious DLL is executed as a custom action and decrypts the archive all.zip with the hardcoded password 'hello202411' to extract the core malware components. Because the password is hardcoded in the DLL, an analyst who recovers it can open all.zip directly; the encryption only hides the components from scanners that inspect the package without running the installer.
ValleyRAT, observed in the wild since 2023, is a remote access trojan (RAT) that gives attackers unauthorized access to and control over infected machines.
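The CustomAction abuse described above is visible in the package itself before anything runs: the CustomAction table records, for each action, an integer Type whose low bits say what kind of code runs (DLL, EXE, script) and where it comes from (the embedded Binary table, an installed file, a directory, or a property), plus flags such as NoImpersonate (run as LocalSystem). The following added triage script, which is not code from the original report or from the researchers, parses a CustomAction table exported in the Windows Installer text-archive (.idt) format (for example with `msiinfo export pkg.msi CustomAction` from msitools) and flags actions that run code embedded in the package. The sample table, the action names and the Type values in it are constructed for illustration; the real package's table is not reproduced on this page.

```python
"""Triage the CustomAction table of an MSI package exported in .idt format.

Added example, not code from the original report. The sample table below is
constructed for illustration and does not reproduce the real PNGPlug package.
"""

# Low 3 bits of CustomAction.Type: what kind of code the action runs.
CA_KIND = {
    1: "dll", 2: "exe", 3: "textdata", 5: "jscript", 6: "vbscript", 7: "nested-install",
}
# Bits 4-5: where the code or data comes from.
CA_SOURCE = {
    0x00: "Binary table (embedded)", 0x10: "installed file",
    0x20: "directory", 0x30: "property",
}
CA_IN_SCRIPT = 0x400       # deferred: runs inside the install script
CA_NO_IMPERSONATE = 0x800  # runs as LocalSystem instead of the installing user
CA_HIDE_TARGET = 0x2000    # Target column is kept out of the install log


def decode_type(t):
    """Split a CustomAction.Type integer into its kind, source and flag bits."""
    return {
        "kind": CA_KIND.get(t & 0x07, "unknown(%d)" % (t & 0x07)),
        "source": CA_SOURCE.get(t & 0x30, "unknown"),
        "deferred": bool(t & CA_IN_SCRIPT),
        "system": bool(t & CA_NO_IMPERSONATE),
        "hidden": bool(t & CA_HIDE_TARGET),
    }


def parse_idt(text):
    """Parse an .idt export: column names, column types, table/key line, then rows."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("not an .idt table: fewer than three header lines")
    cols = lines[0].split("\t")
    rows = []
    for line in lines[3:]:
        if not line.strip():
            continue
        vals = line.split("\t")
        vals += [""] * (len(cols) - len(vals))  # trailing empty columns are omitted in exports
        rows.append(dict(zip(cols, vals)))
    return rows


def triage(rows):
    """Return the custom actions an analyst should look at first, with reasons."""
    findings = []
    for r in rows:
        info = decode_type(int(r["Type"]))
        reasons = []
        if info["kind"] in ("dll", "exe", "jscript", "vbscript") and info["source"].startswith("Binary"):
            reasons.append("runs code embedded in the package (Binary table)")
        if info["system"]:
            reasons.append("NoImpersonate: runs as LocalSystem")
        if info["hidden"]:
            reasons.append("HideTarget: target withheld from the install log")
        if reasons:
            findings.append({
                "action": r["Action"], "type": int(r["Type"]), "source": r["Source"],
                "target": r["Target"], "flags": info, "reasons": reasons,
            })
    return findings


# Constructed sample export (hypothetical action names and Type values).
SAMPLE_IDT = "\n".join([
    "Action\tType\tSource\tTarget",
    "s72\ti2\tS64\tS0",
    "CustomAction\tAction",
    "SetARPINSTALLLOCATION\t51\tARPINSTALLLOCATION\t[INSTALLDIR]",  # 51: set a property, benign
    "RunLoader\t1\tLoaderDll\tEntry",                                # 1: DLL from the Binary table
    "LaunchDecoy\t3122\tLauncher\t\"[INSTALLDIR]decoy.exe\"",        # 3122: EXE via property, deferred, LocalSystem
    "RunScript\t2054\tScriptBlob\tMain",                             # 2054: embedded VBScript, LocalSystem
])

if __name__ == "__main__":
    for f in triage(parse_idt(SAMPLE_IDT)):
        print("%-22s type=%-5d source=%-20s %s" % (f["action"], f["type"], f["source"], "; ".join(f["reasons"])))
```

The bit layout follows the documented msidbCustomActionType values; an action whose kind is DLL and whose source bits are zero is exactly the "embedded DLL run as a custom action" pattern in the report, and pairing it with a Binary-table export (`msiinfo export pkg.msi Binary`) lets you pull that DLL out for static analysis without ever executing the installer.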