The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0).
“This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence,” CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week.
Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022.
It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity.
Primarily focused on Chinese-speaking individuals and organisations, Silver Fox’s victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
In the infection chain documented by CloudSEK, phishing emails containing decoy PDFs purported to be from India’s Income Tax Department are used to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the “ggwk[.]cc” domain, from where a ZIP file (“tax affairs.zip”) is downloaded.
Present within the archive is a Nullsoft Scriptable Install system (NSIS) installer of the same name (“tax affairs.exe”), which, in turn, leverages a legitimate executable associated with Thunder (“thunder.exe”), a download manager for Windows developed by Xunlei, and a rogue DLL (“libexpat.dll”) that’s sideloaded by the binary.
The DLL, for its part, disables the Windows Update service and serves as a conduit for a Donut loader, but not before performing various anti-analysis and anti-sandbox checks to ensure that the malware can run unimpeded on the compromised host. The lander then injects the final ValleyRAT payload into a hollowed “explorer.exe” process.
ValleyRAT is designed to communicate with an external server and await further commands. It implements a plugin-oriented architecture to extend its functionality in an ad hoc manner, thereby allowing its operators to deploy specialized capabilities to facilitate keylogging, credential harvesting, and defense evasion.
“Registry-resident plugins and delayed beaconing allow the RAT to survive reboots while remaining low-noise,” CloudSEK said. “On-demand module delivery enables targeted credential harvesting and surveillance tailored to victim role and value.”
The disclosure comes as NCC Group said it identified an exposed link management panel (“ssl3[.]space”) used by…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
