Cyber Security News

ValleyRAT Attacking Org’s Accounting Department with New Delivery Techniques

A concerning uptick in cyberattacks has emerged with ValleyRAT, a Remote Access Trojan (RAT) linked to the Silver Fox advanced persistent threat (APT) group.

The malware is now employing innovative delivery techniques to infiltrate organizational networks, targeting finance and accounting departments.

Recent reports from Morphisec Threat Labs indicate that the attackers have refined their tools and strategies, making ValleyRAT more potent than ever.

The latest ValleyRAT campaign begins with users being lured into downloading malicious software mimicking legitimate applications.

ValleyRAT Infection Chain

A fake Chrome browser, hosted on phishing websites like “anizom[.]com” or on domains impersonating reputable Chinese businesses, serves as the primary infection vector.

For instance, the attackers created a counterfeit website, “karlost[.]club,” designed to resemble the legitimate Chinese telecom provider, “karlos[.]com.cn.”

Once unsuspecting users execute the downloaded package (“Setup.exe”), the malware initiates a multi-stage payload delivery, masked as innocuous files including “sscronet.dll” and “douyin.exe.”

These components are stored in system directories to evade detection.

Refined Exploitation Techniques

ValleyRAT employs DLL search order hijacking, leveraging legitimate signed executables like Steam-related binaries to inject malicious code.

The malware uses game files from titles such as Left 4 Dead 2 and Killing Floor 2 to conceal its activities.

After deployment, it utilizes advanced techniques such as memory injection into critical Windows processes like “svchost.exe,” enabling it to execute malicious payloads while avoiding detection by traditional endpoint security solutions.

Persistence mechanisms are another hallmark of the malware.

For example, ValleyRAT modifies the Windows registry under the guise of legitimate software, embedding itself in startup entries with names like “MyPythonApp.”

It also includes keylogging functionality, capturing sensitive information and recording keystrokes in hidden files such as “sys.key.”

Additionally, the malware integrates anti-virtual machine capabilities to detect sandbox environments, a tactic that further enhances its ability to evade cybersecurity tools during forensic analysis.
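The host-based indicators named above (the “MyPythonApp” startup entry, the staged “sscronet.dll” and “douyin.exe” files, and the hidden “sys.key” keystroke log) can be checked for with a read-only PowerShell triage script. This is an added example, not code from the article or from Morphisec; the search roots, function names and output format are assumptions, and only the indicator values come from the article.

```powershell
# Added example: read-only triage for the ValleyRAT indicators named in the article.
# Indicator values are taken from the article; search roots and layout are assumptions.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$AutorunName  = 'MyPythonApp'                     # persistence entry named in the article
$DroppedFiles = @('sscronet.dll', 'douyin.exe')   # staged payload names from the article
$KeylogFile   = 'sys.key'                         # hidden keystroke log named in the article
# Assumed search roots: system and per-user writable locations plus game install dirs.
$SearchRoots  = @($env:SystemRoot, $env:ProgramData, $env:LOCALAPPDATA, $env:TEMP,
                  $env:ProgramFiles, ${env:ProgramFiles(x86)})

function Get-ValleyRatAutorun {
    # Report any Run-key value whose name matches the article's persistence entry.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            if ($p.Name -eq $AutorunName) {
                [pscustomobject]@{ Indicator = 'RunKey'; Where = "$key\$($p.Name)"; Value = $p.Value }
            }
        }
    }
}

function Find-ValleyRatFiles {
    # Locate dropped payload names and the keylog file; -Force includes hidden files.
    $names = $DroppedFiles + $KeylogFile
    foreach ($root in $SearchRoots) {
        if (-not $root -or -not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name } |
            ForEach-Object {
                $hidden = ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
                $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{ Indicator = 'File'; Where = $_.FullName; Value = "hidden=$hidden sha256=$hash" }
            }
    }
}

$hits = @(Get-ValleyRatAutorun) + @(Find-ValleyRatFiles)
if ($hits.Count -eq 0) { 'No ValleyRAT indicators from the article were found.' }
else { $hits | Format-Table -AutoSize }
```

The script only reads the registry and file system, so it is safe to run on a suspect host; recursing the Program Files and Windows directories can take several minutes.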

Strategic Focus on Accounting and Finance Departments

What sets this campaign apart is its strategic targeting of high-value organizational roles.

Finance and accounting professionals, holding access to sensitive systems, are prime targets for this malware strain.

This focus signals a deliberate intent to exploit critical business operations for financial gain or data exfiltration.

According to the Morphisec report, the ValleyRAT campaign underscores the growing sophistication of advanced persistent threat actors and their evolving delivery techniques.

Traditional detection-based cybersecurity measures may fall short against such innovative attacks.

Organizations are encouraged to adopt preemptive strategies, such as Moving Target Defense (MTD), which can proactively mitigate risks by disrupting the attack chain before payload execution.

By focusing on adaptive and layered security models, businesses can protect sensitive departments like accounting from being a playground for next-generation cyber threats.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
