Cybersecurity researchers at Zscaler have delved into the methods utilized by ValleyRAT, a sophisticated Remote Access Trojan (RAT) that emerged earlier this year. This malware employs various techniques to gain unauthorized access to victims’ systems, often leveraging complex multi-stage payloads to evade detection by security software.
ValleyRAT is a remote access tool first observed in early 2023. It aims to compromise systems and provide unauthorized access to threat actors. A recently discovered campaign delivers the latest version of ValleyRAT in several stages. This version includes new capabilities, such as advanced evasion techniques and improved persistence within compromised systems.
Campaign Analysis
The initial phase of infection involves a downloader that retrieves and decrypts XOR- and RC4-encrypted files, including essential DLL payloads. These DLLs check for and terminate certain security processes while downloading additional files. One of these files is executed with administrative privileges, initiating the second stage of the attack. The campaign uses an HFS server both for downloading components and for command-and-control (C2) communications, and expands the malware's functionality with new commands such as taking screenshots and clearing logs.
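The downloader stage described above is reported to strip XOR and RC4 layers from the files it retrieves. The following analyst helper, added here as an example rather than Zscaler's or the malware's own code, shows how such layered payloads are peeled during triage; the key values, the XOR-then-RC4 layer order and the sample bytes are constructed placeholders, since the page does not give the real ones.

```python
# Added example (not Zscaler's or ValleyRAT's code): an analyst helper that
# removes a repeating-key XOR layer and then an RC4 layer from a captured
# payload, the two primitives the downloader stage is reported to use.
# Keys, layer order and sample bytes are constructed for illustration; the
# real values must be recovered from the downloader during analysis.
from itertools import cycle


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream generation (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both applies and removes the layer."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def unpack_layers(blob: bytes, xor_key: bytes, rc4_key: bytes) -> bytes:
    """Remove the outer XOR layer, then the RC4 layer (constructed order)."""
    return rc4(rc4_key, xor_layer(xor_key, blob))


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check that the result decrypted to a Windows DLL/EXE."""
    return data[:2] == b"MZ" and b"PE\0\0" in data


# Constructed sample: wrap a minimal PE-like stub the same way so the round
# trip can be verified offline. These constants are placeholders only.
XOR_KEY = b"\x5a"
RC4_KEY = b"constructed-key"
PLAINTEXT = b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00" + b"PE\0\0" + b"stub"
SAMPLE_BLOB = xor_layer(XOR_KEY, rc4(RC4_KEY, PLAINTEXT))

if __name__ == "__main__":
    recovered = unpack_layers(SAMPLE_BLOB, XOR_KEY, RC4_KEY)
    print("PE recovered:", looks_like_pe(recovered))
```

Running the recovered bytes through `looks_like_pe` is a quick way to confirm the guessed key and layer order before handing the DLL to a disassembler.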
As part of the infection process, the malware sideloads a malicious DLL that unpacks and loads additional encrypted payloads. This secondary payload injects itself into a suspended system process to ensure persistence and evade detection. The injected shellcode dynamically resolves APIs, retrieves C2 configurations, and executes further encrypted payloads, maintaining a foothold on the infected system.
The malware establishes persistence by adding its loader to autorun and hiding its component files. It uses methods such as process injection and dynamic API resolution to deliver the stages of its payload stealthily. The final stage is decrypted shellcode that reflectively loads a DLL and parses configuration strings used to communicate with the C2 server and download additional data.
ValleyRAT engages in multi-stage payload delivery, utilizing techniques such as process injection, configuration parsing, and registry storage to maintain stealth and persistence. The malware’s evolution includes new device fingerprinting fields, an altered bot ID generation algorithm, and additional commands, enhancing its effectiveness in compromising targeted systems.
Key Insights
– ValleyRAT employs multi-stage payload delivery for stealth and persistence.
– The malware uses XOR and RC4 encryption for its payloads.
– It evades detection by security software through process injection and dynamic API resolution.
The recent analysis by Zscaler highlights ValleyRAT’s advanced capabilities and the continuous evolution of its techniques to stay ahead of detection measures. The malware’s use of sophisticated multi-stage payload delivery and evasion tactics makes it a significant threat to computer systems. This research offers valuable insights for cybersecurity professionals to develop better detection and mitigation strategies.