A sophisticated backdoor malware known as ValleyRAT, also referred to as Winos or Winos4.0, has emerged as a significant threat targeting organizations globally. This modular malware family is particularly adept at compromising Windows systems, including the latest Windows 11 installations even with updated security patches. Recent developments indicate a shift in the threat landscape following the public leak of the ValleyRAT builder, making it accessible to a wider range of cybercriminals.
ValleyRAT’s attack vectors are multifaceted, operating across various system levels. As a comprehensive remote access trojan, it can deploy numerous plugins to achieve deep system compromise. Initial infections often utilize first-stage plugins like the Online Module or Login Module, which function by connecting to command-and-control (C2) servers. These initial stages are crucial for retrieving and loading more specialized plugins, allowing attackers to gradually expand their presence within compromised networks.
The deployment of more advanced components is reportedly determined by the attacker based on the value of the victim, meaning many infected systems may only experience basic functionalities. This modular approach highlights a sophisticated understanding of Windows operating system internals. Security analysts at Check Point have noted that the developers of ValleyRAT demonstrate extensive knowledge of both kernel-mode and user-mode mechanisms, suggesting a coordinated and specialized development team rather than a disparate group of contributors.
The Kernel Rootkit Mechanism of ValleyRAT
A particularly concerning aspect of ValleyRAT is its embedded kernel-mode rootkit driver, which is part of its Driver Plugin. The rootkit driver carries a valid signature and can therefore be loaded onto fully updated Windows 11 systems, bypassing the driver-signing protections meant to block such threats and leaving a significant security gap for defenders worldwide. According to Check Point researchers, approximately 85 percent of detected ValleyRAT samples have appeared in the past six months, directly coinciding with the public release of the malware’s builder.
The rootkit employs stealthy driver installation techniques alongside user-mode shellcode injection carried out through asynchronous procedure calls (APCs). In its operations, the malware has been observed to aggressively remove antivirus and endpoint detection and response (EDR) drivers from targeted systems. Security solutions from vendors such as Qihoo 360, Huorong Security, Tencent, and Kingsoft Corporation have been specifically targeted. This deliberate disabling of security tools creates an environment in which attackers can operate with reduced interference.
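As an added defender-side illustration (not code from the article or from Check Point's research), the following correlates the two behaviours described above: a kernel driver load followed shortly by deletion of security-vendor driver files. The Sysmon-style log format, file paths and signer names are constructed placeholders; only the vendor names come from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the article). EventID 6 = driver loaded,
# EventID 23 = file deleted. Paths and signer names are placeholders, not real IoCs.
SAMPLE_LOG = """\
2024-05-01T10:00:00 EventID=6 ImageLoaded=C:\\Windows\\Temp\\plugin_drv.sys Signature=PLACEHOLDER PUBLISHER
2024-05-01T10:00:03 EventID=23 TargetFilename=C:\\Windows\\System32\\drivers\\qihoo360_placeholder.sys Image=System
2024-05-01T10:00:04 EventID=23 TargetFilename=C:\\Windows\\System32\\drivers\\huorong_placeholder.sys Image=System
2024-05-01T12:00:00 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\usbhub.sys Signature=Microsoft Windows
2024-05-01T12:30:00 EventID=23 TargetFilename=C:\\Users\\alice\\notes.txt Image=C:\\Windows\\explorer.exe
"""

# Vendor-name fragments taken from the article, matched case-insensitively in deleted paths.
SECURITY_VENDOR_MARKERS = ("qihoo", "360", "huorong", "tencent", "kingsoft")

# key=value pairs; a value runs until the next " key=" token or end of line, so spaces are allowed.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    """Split '<ISO timestamp> key=value ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["ts"] = datetime.fromisoformat(ts)
    return event

def is_security_driver_delete(event):
    """True for a file-delete event whose target is a .sys file of a listed security vendor."""
    target = event.get("TargetFilename", "").lower()
    return (event.get("EventID") == "23" and target.endswith(".sys")
            and any(marker in target for marker in SECURITY_VENDOR_MARKERS))

def detect(log_text, window_seconds=60):
    """Alert on each driver load that is followed, within the window, by security-driver deletions."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    for ev in events:
        if ev.get("EventID") != "6":
            continue
        deadline = ev["ts"] + timedelta(seconds=window_seconds)
        deleted = [e["TargetFilename"] for e in events
                   if ev["ts"] <= e["ts"] <= deadline and is_security_driver_delete(e)]
        if deleted:
            alerts.append({"ts": ev["ts"], "driver": ev["ImageLoaded"],
                           "signer": ev.get("Signature"), "deleted": deleted})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['ts']} driver {a['driver']} (signer: {a['signer']}) followed by "
              f"deletion of {len(a['deleted'])} security driver(s): {a['deleted']}")
```

The benign usbhub.sys load in the sample is not flagged because no security-vendor driver is deleted within the window after it.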
The public availability of the ValleyRAT builder and its development structure has fundamentally altered the threat landscape. Attribution for attacks becomes considerably more challenging, as any actor can now independently compile, modify, and deploy the malware. This transition from an actor-specific threat to an openly accessible malware framework suggests an acceleration of future activity, with more threat groups likely to experiment with the leaked tooling. Organizations must implement robust detection systems and maintain up-to-date security measures to counter this evolving threat effectively.