FortiGuard Labs has identified a new campaign delivering the ValleyRAT malware to Chinese-speaking users. Its victims are typically enterprises in sectors such as e-commerce, finance, sales, and management.
ValleyRAT is a capable remote access trojan that monitors and tracks its victims and can load additional plugins to extend its functionality. One notable feature is that it delivers its components as shellcode and executes them directly in memory, which leaves few artifacts on disk and makes it harder for file-based antivirus scanning to detect.
To appear legitimate to users, ValleyRAT's dropper uses icons of popular applications such as Microsoft Office together with file names that suggest financial documents. It even creates an empty decoy file and opens it in the associated application, so the victim sees what looks like a document opening.
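The masquerade above comes down to a mismatch between what a file's name and icon claim and what its bytes actually are. The following triage routine is an added example, not code from the FortiGuard report or from ValleyRAT; it checks whether a file is a Windows PE executable (an `MZ` stub whose `e_lfanew` field points at a `PE\0\0` signature) and flags executables whose names read like financial documents, as well as the empty decoy files described above. The finance keyword list and the sample attachments are constructed for illustration.

```python
import struct
from pathlib import PurePath

# Extensions a recipient would expect to open as a document rather than run as code.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

# Constructed keyword list (assumption): fragments that make a file name read as a
# financial document to Chinese- or English-speaking staff.
FINANCE_KEYWORDS = ("财务", "报表", "发票", "账单", "薪资", "invoice", "payroll", "statement")


def looks_like_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def name_suggests_document(name: str) -> bool:
    """True if the visible name mimics a document: a document extension anywhere in
    the name (e.g. 'report.xlsx.exe') or a finance-related keyword."""
    lowered = name.lower()
    return any(ext in lowered for ext in DOCUMENT_EXTENSIONS) or any(
        kw in lowered for kw in FINANCE_KEYWORDS
    )


def triage(name: str, data: bytes) -> dict:
    """Classify an attachment by comparing what its name claims with what its bytes are."""
    suffix = PurePath(name).suffix.lower()
    is_pe = looks_like_pe(data)
    if is_pe:
        verdict = "pe-masquerading-as-document" if name_suggests_document(name) else "executable"
    elif not data:
        # A zero-byte file with a document extension matches the empty decoy the dropper opens.
        verdict = "empty-decoy" if suffix in DOCUMENT_EXTENSIONS else "empty-file"
    elif suffix in DOCUMENT_EXTENSIONS:
        verdict = "document"
    else:
        verdict = "other"
    return {"name": name, "is_pe": is_pe, "size": len(data), "verdict": verdict}


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, 'PE\\0\\0' at 0x40."""
    blob = bytearray(0x44)
    blob[:2] = b"MZ"
    struct.pack_into("<I", blob, 0x3C, 0x40)
    blob[0x40:0x44] = b"PE\x00\x00"
    return bytes(blob)


# Constructed sample attachments (not real campaign files).
SAMPLES = {
    "2024年财务报表.exe": _fake_pe(),                          # executable named like a finance report
    "quarterly_statement.docx": b"PK\x03\x04" + b"\x00" * 28,  # OOXML zip magic, a real document
    "decoy.xlsx": b"",                                         # empty decoy the dropper opens
    "setup.exe": _fake_pe(),                                   # executable with an honest name
}

if __name__ == "__main__":
    for sample_name, sample_bytes in SAMPLES.items():
        print(triage(sample_name, sample_bytes))
```

The check looks past the last extension on purpose: on Windows the icon is what the user sees, so a PE named `财务报表.exe` with an Excel icon is the realistic case, and the keyword list is where a defender would tune for their own organisation's document naming.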
After installation, ValleyRAT checks whether it is running inside a virtual machine and terminates if one is detected. It also delays execution with sleep calls ("sleeping mode") to outlast the analysis window of sandboxes and antivirus engines, which makes it harder to identify and remove.
ValleyRAT registers a scheduled task in the Windows Task Scheduler so that it runs automatically at system startup, and it abuses known weaknesses in legitimate applications to obtain administrator privileges without prompting the user for consent.
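Scheduled-task persistence of the kind described above leaves a task definition that can be exported with `schtasks /query /xml` and audited offline. The script below is an added example and not part of the FortiGuard report: it parses Task Scheduler XML and flags tasks that combine a boot or logon trigger with a command launched from a user-writable location, noting the Hidden flag and a HighestAvailable run level as corroborating signs. The two task definitions, the vendor name and the user-writable path list are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler definitions (schtasks /query /xml output and the
# files under C:\Windows\System32\Tasks).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Triggers that make a task run when the system boots or a user logs on.
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}

# Locations a standard user can write to (assumed list); legitimate startup tasks rarely launch from them.
USER_WRITABLE = re.compile(
    r"\\users\\|\\programdata\\|\\temp\\|\\appdata\\|\\public\\|%temp%|%appdata%|%localappdata%|%public%",
    re.IGNORECASE,
)


def _local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_task(xml_text: str) -> dict:
    """Parse one task definition and report why it looks like malware persistence."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [_local(el.tag) for el in triggers_el] if triggers_el is not None else []
    commands = [
        (ex.findtext("t:Command", default="", namespaces=NS).strip(),
         ex.findtext("t:Arguments", default="", namespaces=NS).strip())
        for ex in root.iterfind("t:Actions/t:Exec", NS)
    ]
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true"

    findings = []
    runs_at_startup = any(t in STARTUP_TRIGGERS for t in triggers)
    for command, _args in commands:
        if runs_at_startup and USER_WRITABLE.search(command):
            findings.append(f"startup trigger launches from user-writable path: {command}")
    if hidden:
        findings.append("task is marked Hidden")
    if run_level == "HighestAvailable":
        findings.append("task requests HighestAvailable run level")

    # The startup-from-user-writable-path combination is the decisive signal;
    # Hidden and RunLevel on their own are only corroborating.
    suspicious = any(f.startswith("startup trigger") for f in findings)
    return {"triggers": triggers, "commands": commands, "hidden": hidden,
            "run_level": run_level, "findings": findings, "suspicious": suspicious}


def audit_all(tasks: dict) -> list:
    """Return the names of the tasks whose audit came back suspicious."""
    return [name for name, xml_text in tasks.items() if audit_task(xml_text)["suspicious"]]


# Constructed task definitions (not recovered from a real infection).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\Documents\财务报表.exe</Command><Arguments>-s</Arguments></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Example Vendor\updater.exe</Command></Exec>
  </Actions>
</Task>"""

SAMPLE_TASKS = {"OfficeSync": SUSPICIOUS_TASK, "ExampleVendorUpdater": BENIGN_TASK}

if __name__ == "__main__":
    for task_name, task_xml in SAMPLE_TASKS.items():
        print(task_name, audit_task(task_xml)["findings"])
```

Both sample tasks run at logon; only the one launching from `C:\Users\Public` is flagged, which is the point of keying on the path rather than on the trigger alone. In practice the same audit should be run over every task exported from a host, since the malware picks its own task name.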
Notably, ValleyRAT specifically targets Chinese antivirus products, disabling them and modifying their settings so that the malware stays hidden. It also implements remote command handling that gives attackers complete control over infected systems.
Its command set covers functions such as monitoring user activity and installing additional malware, which makes ValleyRAT a significant threat to its victims. Fortinet is actively monitoring the campaign and continuously updating the antivirus signatures used by products such as FortiGate and FortiMail to detect and block this threat.
To defend against threats like this, keep antivirus software and its signatures up to date and train users to recognize suspicious attachments and lures.