A new sophisticated malware campaign is targeting Chinese-speaking users, distributing the ValleyRAT backdoor disguised as a legitimate installer for the popular messaging application, LINE. This deceptive tactic aims to infiltrate user systems and steal sensitive login credentials. The malware employs a complex, multi-stage infection process designed to bypass security measures and establish long-term surveillance.
The attack discovered by Cybereason analysts involves a fake LINE installer that, upon execution, immediately attempts to disable Windows Defender. It uses PowerShell commands to exclude entire system drives from antivirus scanning. This evasion technique allows the malicious payload to operate with reduced detection risk.
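The whole-drive exclusion described above leaves a clear trace in PowerShell script block logging. The following detector is an added example, not code from Cybereason's report or from the malware: it parses constructed script block text (the kind recorded in Windows PowerShell event 4104) and flags any Add-MpPreference or Set-MpPreference call whose -ExclusionPath argument is a bare drive root. The sample lines, the Finding type and the helper names are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample script block texts (made up for this example); the
# second and third mimic the whole-drive exclusion used by the fake installer.
SAMPLE_SCRIPT_BLOCKS = [
    r"Add-MpPreference -ExclusionPath 'C:\Users\dev\src\build'",          # narrow, plausible
    r"Add-MpPreference -ExclusionPath 'C:\', 'D:\'",                       # whole drives
    r"Set-MpPreference -ExclusionPath C:\ -DisableRealtimeMonitoring $true",  # whole drive
    r"Get-Process | Where-Object { $_.CPU -gt 100 }",                      # unrelated
]

# A drive letter, a colon and an optional trailing backslash, nothing else.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
DEFENDER_CMDLET = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Capture everything after -ExclusionPath up to the next parameter or end of line.
EXCLUSION_ARG = re.compile(r"-ExclusionPath\s+(.+?)(?=\s-\w|$)", re.IGNORECASE)


@dataclass
class Finding:
    script_block: str
    drive_roots: list = field(default_factory=list)


def extract_exclusion_paths(script_block: str) -> list:
    """Return the path values passed to -ExclusionPath, or [] if not a Defender call."""
    if not DEFENDER_CMDLET.search(script_block):
        return []
    match = EXCLUSION_ARG.search(script_block)
    if not match:
        return []
    # PowerShell accepts a comma-separated list, each item optionally quoted.
    return [p.strip().strip("'\"") for p in match.group(1).split(",") if p.strip()]


def find_drive_root_exclusions(script_blocks) -> list:
    """Flag script blocks that exclude an entire drive root from Defender scanning."""
    findings = []
    for block in script_blocks:
        roots = [p for p in extract_exclusion_paths(block) if DRIVE_ROOT.match(p)]
        if roots:
            findings.append(Finding(script_block=block, drive_roots=roots))
    return findings


if __name__ == "__main__":
    for f in find_drive_root_exclusions(SAMPLE_SCRIPT_BLOCKS):
        print("whole-drive Defender exclusion:", f.drive_roots, "<-", f.script_block)
```

Exclusions of a single build or data directory are common enough that alerting on every Add-MpPreference call would be noisy; restricting the rule to drive roots keeps it specific to the behaviour this campaign shows while still catching the Set-MpPreference variant.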
Sophisticated Evasion and Injection Techniques Employed by ValleyRAT
Following the initial attempt to disable Windows Defender, the malware deploys a malicious library, identified as intel.dll. This library performs thorough environmental checks, including file locking and mutex creation, to detect whether it is running inside a sandbox. If the environment is deemed safe and not sandboxed, the malware proceeds to unpack its primary payload, effectively compromising the user’s device.
The campaign leverages an advanced technique known as PoolParty Variant 7 injection. This method allows attackers to hide their malicious activity within the memory space of legitimate system processes, significantly complicating detection by security software. By abusing Windows I/O completion ports, the malware injects its code into trusted processes, enabling stealthy operation while it proceeds to harvest user credentials and maintain communication with command-and-control servers.
The injected malicious code targets critical system processes. According to Cybereason’s analysis, the malware injects code into Explorer.exe and UserAccountBroker.exe. The latter process, UserAccountBroker.exe, is specifically used as a watchdog mechanism to ensure that the malicious components remain active and persistent on the compromised system. This level of integration into core system functions highlights the sophistication of the ValleyRAT variant.
The injection process relies on the manipulation of system handles through specific Windows APIs, such as ZwSetIoCompletion. This enables threat actors to execute their code within the memory space of seemingly legitimate processes, making the malicious activity harder to distinguish from normal system operations.
Additionally, the malware actively scans for and attempts to disrupt security products, particularly those from vendors like Qihoo 360. It aims to terminate network connections associated with these security solutions, thereby blinding local defenses and further reducing the chances of detection.
Persistence Mechanisms and Digital Certificate Deception
To ensure the malware remains active even after a system restart, it registers scheduled tasks using Remote Procedure Call (RPC) protocols. This guarantees that the malicious code automatically executes upon user login, maintaining a persistent presence on the infected machine.
A notable tactic used by the attackers is the employment of a digital certificate. This certificate is issued to “Chengdu MODIFENGNIAO Network Technology Co., Ltd.” and is presented to make the fake installer appear legitimate. However, upon closer inspection, the signature associated with this certificate is cryptographically invalid, indicating a deliberate attempt at deception.
To prevent falling victim to such attacks, users are strongly advised to download software installers exclusively from official and trusted sources. Security professionals should implement detection rules that flag invalid digital certificates. Furthermore, monitoring for suspicious child processes spawned by Explorer.exe, such as UserAccountBroker.exe, can serve as an indicator of potential process hollowing activities, a common technique used in advanced malware infections.
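The parent/child indicator in the last paragraph can be expressed as a small rule over process-creation telemetry. The following is an added example, not code from Cybereason or from any product: it takes constructed process-creation records in the shape of Sysmon event ID 1 (image, parent image) and flags UserAccountBroker.exe launched by Explorer.exe. The ProcessEvent type, the sample PIDs and paths, and the SUSPICIOUS_PAIRS table are assumptions made for this illustration; the invalid-certificate check mentioned above needs an Authenticode verifier and is not part of this block.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal view of a process-creation record (e.g. Sysmon event ID 1)."""
    pid: int
    image: str          # full path of the newly created process
    parent_image: str   # full path of the process that created it


# Constructed sample events; PIDs and paths are invented for this example.
SAMPLE_EVENTS = [
    ProcessEvent(4120, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(4188, r"C:\Windows\System32\UserAccountBroker.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(4202, r"C:\Program Files\LINE\LINE.exe", r"C:\Users\u\Downloads\LineSetup.exe"),
    ProcessEvent(4233, r"C:\Windows\System32\UserAccountBroker.exe", r"C:\Windows\System32\svchost.exe"),
]

# (parent file name, child file name) pairs this page calls out as an indicator
# of the watchdog / process hollowing behaviour. Matched on file name only,
# case-insensitively, so path casing differences in telemetry do not matter.
SUSPICIOUS_PAIRS = {
    ("explorer.exe", "useraccountbroker.exe"),
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious_spawn(event: ProcessEvent) -> bool:
    """True when the event's parent/child file names match a listed pair."""
    return (basename(event.parent_image), basename(event.image)) in SUSPICIOUS_PAIRS


def flag_suspicious_spawns(events) -> list:
    """Return the subset of events that match the parent/child indicator."""
    return [e for e in events if is_suspicious_spawn(e)]


if __name__ == "__main__":
    for e in flag_suspicious_spawns(SAMPLE_EVENTS):
        print(f"pid {e.pid}: {basename(e.parent_image)} -> {basename(e.image)}")
```

Only the Explorer.exe parent is matched, as the page describes; the same binary launched by another parent (the fourth sample event) is left alone rather than guessed at, and any additional pair an analyst wants to watch is one entry in SUSPICIOUS_PAIRS.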