Researchers have reported a series of sophisticated cyber attacks aimed at organizations in Chinese-speaking regions, including Hong Kong, Taiwan, and mainland China.
These attacks employ a multi-stage loader known as PNGPlug to deliver a malware payload identified as ValleyRAT.
The attack chain begins with a phishing webpage that entices victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software.
Upon execution, this installer performs two significant actions:
The MSI package utilizes the Windows Installer’s CustomAction feature to execute malicious code.
This includes running an embedded malicious DLL that decrypts the archive (all.zip
) using the hardcoded password hello202411
, ultimately extracting core malware components such as:
According to the Intezer report, the primary function of the PNGPlug loader (libcef.dll) is to establish an environment conducive for malware execution through several steps:
The following table summarizes the key functionalities of the loader, including command-line argument parsing, memory injection capabilities, and anti-virus detection mechanisms.
Functionality | Description |
---|---|
Patching ntdll.dll | Enables memory injection capabilities. |
Command-line Argument Parsing | – If the /aut argument is present:– Decrypts a registry path using XOR encryption. – Writes the path of down.exe to the registry.– Injects the contents of aut.png into memory.– If /aut is absent:– Executes down.exe with the specified argument. |
Anti-Virus Detection | – Checks for the presence of specific security software (e.g., 360 Total Security). – If absent, maps view.png into memory to create a new process (colorcpl.exe ), injecting its contents.– This process has been observed executing ValleyRAT malware. |
The use of .png file extensions for malicious payloads is a key stealth tactic that inspired the name PNGPlug.
These PNG files contain additional data, specifically PE executables embedded at designated offsets, enhancing their ability to evade detection while executing their payloads.
ValleyRAT is a sophisticated remote access trojan (RAT) attributed to the Silver Fox APT, known for its espionage and cybercrime activities targeting Chinese-speaking individuals and organizations. The malware employs advanced techniques such as:
The malware’s operational stages include initial execution, deployment of obfuscated shellcode, and a loader module that retrieves additional malicious components from command-and-control (C2) servers.
Investigate Real-World Malicious Links & Phishing Attacks With ANY.RUN Malware Sandbox - Try 14 Days Free Trial
156.247.33[.]53
45.195.148[.]107
First stage of the loader:
Brinker, an innovative narrative intelligence platform dedicated to combating disinformation and influence campaigns, has been…
A recent investigation by cybersecurity researchers has uncovered a large-scale malware campaign leveraging the DeepSeek…
A recent malware campaign has been observed targeting the First Ukrainian International Bank (PUMB), utilizing…
A newly discovered malware, dubbed Trojan.Arcanum, is targeting enthusiasts of tarot, astrology, and other esoteric…
A sophisticated phishing campaign orchestrated by a Russian-speaking threat actor has been uncovered, revealing the…
A sophisticated malware campaign has compromised over 1,500 PostgreSQL servers, leveraging fileless techniques to deploy…