Researchers from Intezer Labs have uncovered a series of cyber attacks targeting Chinese-speaking regions, including Hong Kong, Taiwan, and mainland China. The attacks use a multi-stage loader, PNGPLUG, to deliver the ValleyRAT malware.
The attack begins with a phishing page that tricks victims into downloading a malicious MSI package disguised as legitimate software. When run, the installer does two things: it installs a harmless decoy application to create a false sense of legitimacy, and it drops an encrypted archive containing the malicious components.
The MSI package uses a Windows Installer CustomAction to run the malicious code. The encrypted archive, “All.zip,” is extracted with the hard-coded password “Hello202411.” The key components are libcef.dll (the loader), “Down.exe” (a legitimate application), and two files, “Aut.png” and “View.png,” that carry an image extension but actually hold malicious data.
The libcef.dll loader sets up the environment for the payload. It manipulates ntdll.dll to load data into memory and then parses its command-line parameters. If it finds the “/AUT” switch, the loader launches “Down.exe,” writes it to the registry, and executes the code stored in “Aut.png.” Otherwise it takes the “View.png” file and injects its contents into a “colorcpl.exe” process.
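As an added example (not Intezer's tooling and not the attackers' code), the Python below triages a suspect .png the way the “Aut.png”/“View.png” trick calls for: it walks the PNG chunk structure and flags bytes appended after the IEND chunk, non-standard chunk types, and chunks whose CRC no longer matches, and it reports the entropy of any trailing data so an encrypted blob stands out. The article does not say where inside the PNG files PNGPLUG keeps its payload, so both hiding spots checked here are assumptions; the sample images, the fake payload and the chunk name pLUG are constructed for the example.

```python
"""Triage helper: does a .png file really end where a PNG should?"""
import math
import struct
import zlib
from collections import Counter

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is worth a look.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB",
    b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
    b"hIST", b"tIME", b"eXIf",
}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 means encrypted/compressed data, plain code is lower."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_png(data: bytes):
    """Walk the chunk list. Returns (chunks, trailing) where chunks is a list of
    (type, length, crc_ok) and trailing is every byte after IEND (or after the
    last chunk that could still be parsed)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file: signature mismatch")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):               # room for length + type + CRC
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):                     # truncated chunk: stop here
            break
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[end - 4:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored_crc
        chunks.append((ctype, length, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def analyze_png(data: bytes) -> dict:
    """Flag the usual ways a payload hides in a PNG (assumed, not taken from the
    campaign): bytes appended after IEND, a non-standard chunk type, or a chunk
    whose CRC was not recomputed after its body was replaced."""
    chunks, trailing = parse_png(data)
    unknown = [(t, n) for t, n, _ in chunks if t not in STANDARD_CHUNKS]
    bad_crc = [t for t, _, ok in chunks if not ok]
    return {
        "chunks": [t.decode("latin-1") for t, _, _ in chunks],
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 3),
        "unknown_chunks": unknown,
        "bad_crc": bad_crc,
        "suspicious": bool(trailing or unknown or bad_crc),
    }


# --- constructed samples (not files from the campaign) ---------------------
def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def build_png(extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG, optionally with extra chunks before IEND
    and/or bytes appended after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one red pixel
    out = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        out += _chunk(ctype, body)
    return out + _chunk(b"IEND", b"") + trailing


FAKE_PAYLOAD = bytes(range(256)) * 4             # 1024 bytes, entropy exactly 8.0
CLEAN_PNG = build_png()
APPENDED_PNG = build_png(trailing=FAKE_PAYLOAD)  # payload glued on after IEND
CUSTOM_CHUNK_PNG = build_png(extra_chunks=[(b"pLUG", FAKE_PAYLOAD)])  # hypothetical private chunk

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_PNG), ("appended", APPENDED_PNG),
                       ("custom chunk", CUSTOM_CHUNK_PNG)]:
        print(name, analyze_png(blob))
```

A few benign tools do leave a handful of bytes after IEND, so on a real estate of files the trailing-bytes check is best combined with the entropy figure: a kilobyte or more of near-8.0-entropy data after the terminator is the pattern worth pulling into a sandbox, whereas a private ancillary chunk with a valid CRC shows a writer that took care to keep the image loadable.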
ValleyRAT, the payload PNGPLUG delivers, is a sophisticated malware family associated with the Silver Fox group. It uses multi-stage execution techniques such as in-memory shellcode execution and privileged operations, and it maintains persistence through the registry and scheduled tasks.
The analysis shows that the attacks combine several tactics: phishing sites, decoy files posing as legitimate applications, and the abuse of free software that employees commonly turn to when no corporate-sanctioned tools are provided.
The APT group known as Silver Fox specializes in espionage operations against Chinese-speaking organizations, using ValleyRAT and Gh0st RAT for data collection, surveillance, and delivery of additional modules. The campaign's focus on a single language audience underscores its strategic scope. The lack of cybersecurity investment by the victims increases their