New Updates to ValleyRAT
Essential information
- Published: 10/06/2024 15:41
- Modified: 10/06/2024 16:00
- Tags: 2024-06-10, valleyrat
- Related entities: 26 observables, 13 techniques (MITRE), 1 malware
Description
Zscaler ThreatLabz recently uncovered a new campaign delivering the latest iteration of ValleyRAT, a remote access trojan attributed to a China-based threat actor. The campaign involves multiple stages: the initial-stage downloader uses an HTTP File Server (HFS) to fetch the subsequent components. The malware employs several evasion techniques, including checks for installed anti-virus products, DLL sideloading, and process injection. The latest ValleyRAT version introduces new capabilities such as capturing screenshots, process filtering, forced shutdowns, and clearing Windows event logs. It also improves its device fingerprinting and bot ID generation mechanisms.