A sophisticated new strain of remote access malware is infiltrating corporate networks, exhibiting behavior unlike previous threats from this group. Identified as ValleyRAT, the malware is orchestrated by the hacking group SilverFox and is notable for its multi-layered payload delivery.
Multi-Stage Malware Deployment
ValleyRAT distinguishes itself by employing an elaborate eight-stage delivery process, far exceeding the typical two or three stages used by most remote access trojans. This complex structure culminates in the deployment of a kernel-level rootkit that receives direct commands from the RAT itself. The intricate layering not only complicates detection and analysis but also contributes to the campaign’s ongoing success without early detection.
Researchers at Gen Threat Labs discovered the campaign, noting self-modifying installer files that adapted to each new victim. Their findings, shared with Cyber Security News, provide a detailed view into SilverFox’s advanced toolset.
Stealth Techniques and Payload Delivery
SilverFox initiates ValleyRAT infections through DLL sideloading, introducing a malicious file alongside a legitimate application. Once active, the malware disables antivirus scanning and logging tools. It conceals subsequent payloads within the pixel data of PNG images using a technique known as steganography, which is employed at multiple stages.
Escalating its privileges, ValleyRAT extracts additional payloads from images and uses Donut, a popular loader, to execute shellcode stealthily. The orchestrator component of ValleyRAT then activates a RAT written in Go, communicating with command servers via WebSocket and QUIC protocols to blend with normal web traffic.
Data Theft and Persistent Threats
Beyond mere access, ValleyRAT is designed for data exfiltration. It monitors clipboards for cryptocurrency wallets, replacing them with addresses controlled by attackers, leading to significant financial thefts. Additionally, it targets data from Telegram accounts, granting attackers access to private conversations and account details.
The adaptability of ValleyRAT is evident in its ability to deploy additional plugins post-infection, tailored to the victim’s value. Researchers observed 13 different polymorphic samples over a short period, each slightly altered to evade signature-based detection mechanisms. This adaptability, combined with daily file path rotations, enhances its persistence.
Implications for Cybersecurity Defenders
The ongoing SilverFox campaign underscores the evolution of remote access trojans into complex, multi-stage threats. Cybersecurity defenders must now contend with advanced loading mechanisms, steganography-based payload concealment, and kernel-level rootkits. Organizations are advised to monitor for unusual named pipe activities, unexpected child processes under Windows’ svchost, and anomalies in software installation signatures.
Indicators of Compromise (IoCs) have been identified, including specific SHA-256 hashes and domain names used by the command and control servers. However, these indicators are defanged to prevent accidental activation and should be re-analyzed in secure threat intelligence environments.
Enhancing security operations is crucial to combat such sophisticated threats, and organizations are encouraged to integrate advanced tools like ANY.RUN to accelerate threat detection and response.
