A new cybersecurity threat has emerged as malicious actors deploy the ValleyRAT backdoor, masquerading as the legitimate installer for the popular messaging app, LINE. This campaign is primarily targeting Chinese-speaking users, aiming to infiltrate their systems and steal sensitive login credentials.
Deceptive Entry and Execution
The threat actors are using a fake LINE installer to initiate a complex infection process. The malware employs advanced techniques, including executing shellcode and utilizing legitimate system binaries, to bypass security measures and establish a long-term presence on the affected device.
Upon execution, the installer activates a multi-stage infection chain, which includes efforts to disable Windows Defender by executing PowerShell commands. These commands attempt to exclude entire system drives from antivirus scanning, allowing the malware to operate undetected.
Advanced Evasion Techniques
The ValleyRAT malware employs sophisticated methods to avoid detection. It incorporates a malicious library named intel.dll, which conducts thorough environmental checks to determine if it is being run within a safe environment. If deemed secure, it proceeds to unpack its primary payload, fully compromising the device.
According to analysts from Cybereason, the malware uses the advanced PoolParty Variant 7 injection technique. This approach allows attackers to conceal their malicious activities within trusted system processes, making detection by security software significantly more challenging.
Persistence and Data Theft
To maintain persistence, the malware injects code into processes like Explorer.exe and UserAccountBroker.exe. The latter acts as a watchdog, ensuring that the malicious components remain active. By exploiting Windows APIs, the malware executes code in the memory space of these trusted processes.
Moreover, the malware actively targets security products from vendors such as Qihoo 360, terminating their network connections to disable local defenses. Scheduled tasks are registered via Remote Procedure Call protocols, ensuring the malware runs automatically upon user login.
To legitimize its presence, the malware uses a digital certificate issued to “Chengdu MODIFENGNIAO Network Technology Co., Ltd,” although the cryptographic signature is found to be invalid. Users are advised to download installers only from official sources to prevent infection.
Security teams are encouraged to configure detection rules to identify invalid certificates and monitor suspicious child processes spawned by Explorer.exe, as they indicate potential process hollowing activities.
Stay informed by following us on Google News, LinkedIn, and X for more updates. Set CSN as a preferred source in Google for the latest cybersecurity news.
