Malicious Campaign Targets Users with Fake Antivirus
In a sophisticated cyberattack, threat actors have set up a deceptive clone of the Huorong Security antivirus website to distribute ValleyRAT, a Remote Access Trojan (RAT). This campaign, attributed to the Silver Fox APT group, primarily targets users by masquerading as legitimate Chinese software.
Huorong Security, or 火绒 in Chinese, is a popular antivirus tool across mainland China. Cybercriminals registered the domain huoronga[.]com, closely mimicking the official huorong.cn site, only altering a single letter. This form of typosquatting preys on unwary users who might mistype the URL or fall for phishing links, presenting a convincing facade that few would question.
Technical Analysis of the Attack
Malwarebytes researchers uncovered the full infection sequence, revealing that download requests from the fake site are routed through an intermediary before delivering the payload from Cloudflare R2. The downloaded file, BR火绒445[.]zip, maintains the guise of authenticity by using Huorong’s Chinese name until execution.
This attack does not utilize zero-day vulnerabilities; rather, it relies on a convincing webpage, a realistic installer, and the assumption that many users click the first search result they see. The tactic is particularly effective as it involves a security product, drawing in those actively seeking protection.
Capabilities and Impacts of ValleyRAT
Once installed, ValleyRAT enables attackers to monitor victims, steal sensitive data, and gain remote control over the infected system. The malware is capable of keylogging, accessing browser cookies, querying system information, and injecting code for covert execution. Its modular architecture allows for additional capabilities to be downloaded as needed, complicating the assessment of its full impact.
To maintain persistence, ValleyRAT uses PowerShell to add Windows Defender exclusions for its own directories and processes, so the installed antivirus never scans them. It also creates a scheduled task named “Batteries” that re-launches the malware at system boot, keeping its connection to the command-and-control server alive across restarts.
Protective Measures and Indicators of Compromise
To mitigate this threat, organizations should block outbound connections to the command-and-control IP at 161.248.87[.]250, audit Windows Defender for unauthorized exclusions, and check for the “Batteries” scheduled task and suspicious directories as signs of compromise.
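The persistence mechanisms and the mitigation steps above translate directly into a host triage script. The following PowerShell is an added example written for this article, not code from Malwarebytes or from the campaign itself; it assumes it is run in an elevated session on the Windows host being checked, and the only campaign-specific values it uses are the “Batteries” task name and the C2 address 161.248.87.250 given in the text. It reports Defender exclusions (and the Defender event 5007 configuration-change records that show when they were added), the scheduled task with its launched command, and any live TCP connection to the C2, and can optionally add an outbound firewall block.

```powershell
# Added example: triage for the ValleyRAT persistence indicators described in the article.
# Run elevated. -BlockC2 additionally creates a host firewall rule for the C2 address.
param([switch]$BlockC2)

$C2Ip     = '161.248.87.250'   # command-and-control address from the article
$TaskName = 'Batteries'        # scheduled task name from the article
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Value) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value })
}

# 1. Defender exclusions. A workstation normally has none; every entry should be explainable.
$pref = Get-MpPreference
foreach ($p in $pref.ExclusionPath)      { Add-Finding 'DefenderExclusionPath'      $p }
foreach ($p in $pref.ExclusionProcess)   { Add-Finding 'DefenderExclusionProcess'   $p }
foreach ($p in $pref.ExclusionExtension) { Add-Finding 'DefenderExclusionExtension' $p }

# 2. When were exclusions changed? Defender logs configuration changes as event ID 5007
#    in its Operational log; the message names the exclusion setting that was modified.
$filter = @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 100 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Exclusion') {
        Add-Finding 'DefenderConfigChange' ("{0:u} {1}" -f $e.TimeCreated, ($e.Message -replace '\s+', ' '))
    }
}

# 3. The "Batteries" scheduled task, including what it actually executes.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    foreach ($a in $task.Actions) {
        Add-Finding 'ScheduledTask' ("{0}\{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments)
    }
    $info = $task | Get-ScheduledTaskInfo
    Add-Finding 'ScheduledTaskLastRun' ("{0} (result {1})" -f $info.LastRunTime, $info.LastTaskResult)
}

# 4. Live connections to the C2, with the owning process so the implant can be identified.
$conns = Get-NetTCPConnection -RemoteAddress $C2Ip -ErrorAction SilentlyContinue
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'C2Connection' ("{0}:{1} -> {2}:{3} state={4} pid={5} ({6})" -f `
        $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State, $c.OwningProcess, $proc.ProcessName)
}

# 5. Optional containment: block outbound traffic to the C2 on the host firewall.
if ($BlockC2) {
    $ruleName = "Block ValleyRAT C2 $C2Ip"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -RemoteAddress $C2Ip -Action Block | Out-Null
        Add-Finding 'FirewallRuleAdded' $ruleName
    }
}

if ($findings.Count -eq 0) { Write-Output 'No ValleyRAT persistence indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Exclusions found in step 1 are only suspicious if nobody can account for them, so compare the list against the organisation's approved exclusion baseline before acting; the 5007 events in step 2 give the timestamp needed to correlate an exclusion with the installer download. Blocking the single IP is containment, not remediation: a host that shows the task or the connection should be isolated and reimaged rather than cleaned in place.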
Indicators of compromise include several fake domains such as huoronga[.]com, multiple SHA-256 hashes of involved files, and configuration details stored in the Windows registry. Vigilance and proactive measures are essential to detect and prevent further exploitation.
This campaign highlights the importance of cybersecurity awareness and the need for robust protective measures against increasingly sophisticated threats.
