A sophisticated cyberattack campaign is leveraging a convincing fake version of the popular Huorong Security antivirus website to distribute a dangerous Remote Access Trojan (RAT) known as ValleyRAT. Threat intelligence indicates this operation is tied to the Silver Fox APT group, a Chinese-speaking entity notorious for compromising legitimate software. The attackers have meticulously crafted a fraudulent website that closely mimics the legitimate huorong.cn domain, employing typosquatting by registering a nearly identical address, huoronga[.]com, to ensnare unsuspecting users who might mistype the URL or click on malicious links.
This deceptive tactic targets individuals actively seeking to enhance their digital security, exploiting their trust in reputable antivirus brands. The infection chain, as detailed by researchers, involves users being directed to the fake download page where clicking a seemingly legitimate download button initiates the malware delivery. The payload is then served from Cloudflare R2 storage, further obscuring the attackers’ infrastructure. The downloaded archive, ominously named BR火绒445[.]zip, uses Huorong’s Chinese name to maintain its disguise.
ValleyRAT Deployment Through Fake Huorong Site
The success of this campaign hinges not on exploiting unknown software vulnerabilities, but on a well-executed social engineering strategy. The attackers rely on the creation of a visually convincing replica of the Huorong Security download page and a realistic installer package. The broader attack vector capitalizes on the common user behavior of clicking the first search result, especially when seeking security software, making the deception particularly effective.
Once ValleyRAT, a potent Remote Access Trojan, is successfully installed on a victim’s system, it grants attackers extensive control. This includes the ability to monitor user activities, exfiltrate sensitive data, and remotely operate the compromised computer. The malware is equipped with a range of malicious functionalities, such as keystroke logging, the theft of browser cookie files, the collection of system information, and the capacity to inject code into legitimate processes for stealthy execution.
The modular nature of ValleyRAT is a significant concern. This design allows the attackers to dynamically download additional malicious modules on demand, making it challenging to ascertain the full extent of any compromise. This adaptability means the threat posed by ValleyRAT can evolve and expand, posing an ongoing risk even after initial detection.
Persistence and Evasion Tactics Employed by ValleyRAT
Upon gaining initial access, ValleyRAT employs several tactics to ensure its persistence and evade detection. It is known to instruct Windows Defender, via PowerShell commands, to exclude its primary persistence directory, located at AppData\Roaming\trvePath, and its main executable, WavesSvc64.exe, from scans. This exclusion is a critical step in maintaining access without immediate flagging by security software.
Furthermore, the malware establishes a foothold by creating a scheduled task named “Batteries” within the C:\Windows\Tasks\Batteries.job path. This task is configured to re-execute the malware automatically upon every system boot, ensuring continued presence. It also attempts to reconnect to its command and control (C2) server, identified at IP address 161.248.87[.]250, using TCP port 443, a common port for encrypted traffic, which aids in masking its malicious communications.
To further enhance its stealth, ValleyRAT actively employs evasion techniques. It can delete and rewrite its own core files to circumvent signature-based detection methods used by antivirus software. The malware also performs checks to detect the presence of debuggers or virtual machine environments, which are often used by security researchers to analyze malware. If such an environment is detected, the malware may halt its full deployment to avoid analysis.
Configuration data, including the encoded C2 domain, yandibaiji0203[.]com, is stored discreetly within the Windows registry under the key HKCU\SOFTWARE\IpDates_info. This method of storing sensitive information is common among malware to keep configuration data separate from the main executable and potentially encrypted or obfuscated.
Mitigation and Indicators of Compromise
Organizations are advised to implement immediate security measures to counter this threat. Network security teams should prioritize blocking all outbound connections to the identified C2 IP address 161.248.87[.]250. It is also crucial to conduct thorough audits of Windows Defender exclusions to identify and remove any unauthorized modifications that may have been made by the malware.
Endpoint detection and response (EDR) tools should be configured to search for the presence of the “Batteries” scheduled task, indicative of the malware’s persistence mechanism. Additionally, scanning for the existence of the %APPDATA%\trvePath directory, where the malware stores its core components, can serve as another strong indicator of infection.
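The persistence artefacts listed above (Defender exclusions, the “Batteries” task, the trvePath directory, the IpDates_info registry key and the C2 address) can be checked on a single Windows host with a short triage script. The following is an added example, not code from the original article or from any referenced researchers; it assumes an elevated PowerShell session on the host being examined and that the Defender cmdlets (Get-MpPreference) are present.

```powershell
# Added triage script: checks one host for the ValleyRAT persistence indicators
# described in the article. Assumes an elevated PowerShell 5.1+ session with
# Defender cmdlets available. It reports findings; it does not remediate.
$findings = @()

# 1. Defender exclusions referencing the malware's directory or executable.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    $excl = @($pref.ExclusionPath) + @($pref.ExclusionProcess)
    foreach ($e in ($excl | Where-Object { $_ -match 'trvePath|WavesSvc64\.exe' })) {
        $findings += "Defender exclusion references malware artefact: $e"
    }
}

# 2. The "Batteries" scheduled task (Task Scheduler entry and legacy .job file).
$task = Get-ScheduledTask -TaskName 'Batteries' -ErrorAction SilentlyContinue
if ($task) {
    $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += "Scheduled task 'Batteries' present (state $($task.State)); action: $action"
}
if (Test-Path 'C:\Windows\Tasks\Batteries.job') {
    $findings += 'Legacy job file present: C:\Windows\Tasks\Batteries.job'
}

# 3. Persistence directory under the roaming profile; hash any files found there
#    so they can be matched against vendor indicators.
$dropDir = Join-Path $env:APPDATA 'trvePath'
if (Test-Path $dropDir) {
    $findings += "Persistence directory present: $dropDir"
    foreach ($f in Get-ChildItem -Path $dropDir -Recurse -File -ErrorAction SilentlyContinue) {
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        $findings += "  file $($f.FullName) SHA256 $hash"
    }
}

# 4. Registry key holding the encoded C2 configuration.
if (Test-Path 'HKCU:\SOFTWARE\IpDates_info') {
    $props = Get-ItemProperty -Path 'HKCU:\SOFTWARE\IpDates_info'
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
              Select-Object -ExpandProperty Name) -join ', '
    $findings += "Registry config key present: HKCU\SOFTWARE\IpDates_info (values: $names)"
}

# 5. Live TCP connection to the reported C2 address on port 443.
$conns = Get-NetTCPConnection -RemoteAddress '161.248.87.250' -RemotePort 443 -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $findings += "Active connection to C2 161.248.87.250:443 from PID $($c.OwningProcess)"
}

if ($findings.Count -eq 0) { 'No ValleyRAT indicators found on this host.' } else { $findings }
```

Run it per user profile as well as elevated, since %APPDATA% and HKCU resolve to the account executing the script.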
The ongoing evolution of such attack vectors underscores the importance of user education regarding online security practices, particularly concerning software downloads and vigilance against phishing attempts. As threat actors continuously refine their methods, proactive security measures and rapid threat intelligence sharing are paramount in protecting against sophisticated malware like ValleyRAT.