Multi-staged Valleyrat Uses Wechat And Dingtalk To Attack Windows...

ValleyRAT has emerged as a sophisticated multi-stage remote access trojan targeting Windows systems, with particular focus on Chinese-language users and organizations.

First observed in early 2023, this malware employs a carefully orchestrated infection chain that progresses through multiple components—downloader, loader, injector, and final payload—making detection and removal significantly challenging for security teams.

The threat actors behind ValleyRAT distribute the malware through phishing campaigns and trojanized installers, exploiting trust relationships common in Chinese business environments.

What distinguishes this malware is its geographic kill switch mechanism that queries the Windows Registry for specific applications before execution.

The malware specifically searches for WeChat (HKCU\Software\Tencent\WeChat) and DingTalk (HKCU\Software\DingTalk) registry entries, terminating immediately if neither is found.

Picus Security analysts identified the malware’s advanced evasion capabilities, noting its aggressive approach to bypassing system defenses.

ValleyRAT employs multiple User Account Control (UAC) bypass techniques targeting Windows executables like Fodhelper.exe and Event Viewer, while simultaneously manipulating security tokens to gain SeDebugPrivilege access.

This privilege enables the malware to interact with processes at higher integrity levels, effectively granting system-wide control.
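The three behaviours described above (the WeChat/DingTalk registry check, the fodhelper.exe/Event Viewer UAC bypasses, and the SeDebugPrivilege token manipulation) each leave registry or privilege-use telemetry that a defender can hunt on. The following Python is an added detection example written for this article; it is not ValleyRAT code and not from Picus Security. The event records are constructed stand-ins for Windows registry-auditing (event 4663 with a SACL, which does log reads) and user-right-adjustment (event 4703) telemetry, the image name `updater.exe` is a made-up sample, the UAC-bypass registry paths are the publicly documented artifacts those two auto-elevation bypasses rely on, and the SeDebugPrivilege allowlist is an assumption to be tuned per environment.

```python
"""Added detection example: flags ValleyRAT-style chat-app reconnaissance,
UAC-bypass registry writes and unexpected SeDebugPrivilege use over a
constructed, simplified event stream (not Sysmon/Windows-event schema)."""
from collections import defaultdict

WECHAT_KEY = r"HKCU\Software\Tencent\WeChat"     # from the article
DINGTALK_KEY = r"HKCU\Software\DingTalk"         # from the article

# Publicly documented registry paths written by the fodhelper.exe and
# eventvwr.exe auto-elevation bypasses (standard Sigma-style indicators).
UAC_BYPASS_KEYS = (
    r"HKCU\Software\Classes\ms-settings\shell\open\command",
    r"HKCU\Software\Classes\mscfile\shell\open\command",
)

# Assumption: images that legitimately enable SeDebugPrivilege; tune per estate.
DEBUG_PRIV_ALLOWLIST = {"msmpeng.exe", "procexp64.exe", "windbg.exe"}


def _norm(key):
    """Case-insensitive comparison form for registry paths."""
    return key.lower().rstrip("\\")


def find_chat_app_recon(events):
    """(pid, image) pairs whose registry reads touch BOTH chat-app keys.
    A single app reading its own key is normal; probing both is the
    geographic kill-switch pattern described in the article."""
    touched = defaultdict(set)
    for e in events:
        if e["type"] != "registry" or e["op"] not in ("query", "open", "read"):
            continue
        k = _norm(e["key"])
        if k.startswith(_norm(WECHAT_KEY)):
            touched[(e["pid"], e["image"])].add("wechat")
        elif k.startswith(_norm(DINGTALK_KEY)):
            touched[(e["pid"], e["image"])].add("dingtalk")
    return sorted(p for p, apps in touched.items() if apps == {"wechat", "dingtalk"})


def find_uac_bypass_writes(events):
    """(pid, image) pairs that create/set values under the bypass keys."""
    targets = tuple(_norm(k) for k in UAC_BYPASS_KEYS)
    return sorted({(e["pid"], e["image"]) for e in events
                   if e["type"] == "registry" and e["op"] in ("set", "create")
                   and _norm(e["key"]).startswith(targets)})


def find_debug_privilege(events):
    """(pid, image) pairs enabling SeDebugPrivilege outside the allowlist."""
    return sorted({(e["pid"], e["image"]) for e in events
                   if e["type"] == "privilege"
                   and "SeDebugPrivilege" in e["enabled"]
                   and e["image"].lower() not in DEBUG_PRIV_ALLOWLIST})


def analyze(events):
    """Combine the three rules into (rule, pid, image) alerts."""
    alerts = []
    for rule, fn in (("chat-app-recon", find_chat_app_recon),
                     ("uac-bypass-registry", find_uac_bypass_writes),
                     ("sedebugprivilege-enabled", find_debug_privilege)):
        alerts.extend((rule, pid, image) for pid, image in fn(events))
    return alerts


# Constructed sample telemetry: one suspicious process and two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry", "pid": 4120, "image": "updater.exe", "op": "query",
     "key": r"HKCU\Software\Tencent\WeChat"},
    {"type": "registry", "pid": 4120, "image": "updater.exe", "op": "query",
     "key": r"HKCU\Software\DingTalk"},
    {"type": "registry", "pid": 4120, "image": "updater.exe", "op": "set",
     "key": r"HKCU\Software\Classes\ms-settings\shell\open\command",
     "value": "DelegateExecute"},
    {"type": "privilege", "pid": 4120, "image": "updater.exe",
     "enabled": ["SeDebugPrivilege"]},
    # Benign: WeChat reading its own settings key only.
    {"type": "registry", "pid": 2210, "image": "WeChat.exe", "op": "query",
     "key": r"HKCU\Software\Tencent\WeChat\Settings"},
    # Benign: allowlisted AV engine enabling SeDebugPrivilege.
    {"type": "privilege", "pid": 880, "image": "MsMpEng.exe",
     "enabled": ["SeDebugPrivilege"]},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The chat-app rule deliberately requires both keys from the same process: WeChat or DingTalk reading its own hive is routine, while an unrelated image probing both in sequence is the kill-switch behaviour worth a look. The UAC rule matches on writes only, since that is the step the bypasses need; read access to those keys is noise.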

The malware’s creators implemented extensive anti-analysis measures to evade detection in virtualized environments.

ValleyRAT performs CPUID instruction checks to verify genuine Intel or AMD processors, examining vendor strings that virtual environments often fail to replicate correctly.
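When an analyst single-steps such a check in a debugger, what is visible is three raw register values rather than a readable vendor string, because CPUID leaf 0 spreads the 12-byte name across EBX, EDX and ECX in that order, little-endian within each register. The Python below is an added helper for reviewing a sandbox's CPUID fidelity from captured register values; it is not ValleyRAT code and not from Picus Security. The leaf-0 vendor strings, the hypervisor-present bit (leaf 1, ECX bit 31) and the hypervisor signature strings at leaf 0x40000000 are well-documented values; the register dumps in the sample are constructed.

```python
"""Added example: decode CPUID leaf-0 register values into a vendor string
and report whether a sandbox presents what real Intel/AMD silicon would."""
import struct

GENUINE_VENDORS = {"GenuineIntel", "AuthenticAMD"}
HYPERVISOR_PRESENT_BIT = 1 << 31  # CPUID leaf 1, ECX bit 31
# Well-known leaf 0x40000000 signatures (12 bytes; shorter ones are NUL-padded).
KNOWN_HYPERVISORS = {
    "KVMKVMKVM": "KVM", "VMwareVMware": "VMware", "Microsoft Hv": "Hyper-V",
    "VBoxVBoxVBox": "VirtualBox", "XenVMMXenVMM": "Xen",
}


def decode_vendor(ebx, edx, ecx):
    """Reassemble the 12-character string from the three 32-bit registers."""
    return struct.pack("<III", ebx, edx, ecx).decode("ascii", "replace").rstrip("\x00")


def classify_vendor(vendor):
    """'genuine' for real-silicon strings, 'hypervisor' for a known
    virtualization signature, otherwise 'unexpected'."""
    if vendor in GENUINE_VENDORS:
        return "genuine"
    if vendor in KNOWN_HYPERVISORS:
        return "hypervisor"
    return "unexpected"


def sandbox_fidelity_report(leaf0, leaf1_ecx, leaf_hv=None):
    """leaf0 and leaf_hv are (ebx, edx, ecx) tuples as read from a debugger.
    Returns a dict describing what a vendor-string/VM check would conclude."""
    vendor = decode_vendor(*leaf0)
    report = {
        "vendor": vendor,
        "vendor_class": classify_vendor(vendor),
        "hypervisor_bit": bool(leaf1_ecx & HYPERVISOR_PRESENT_BIT),
        "hypervisor_name": None,
    }
    if leaf_hv is not None:
        sig = decode_vendor(*leaf_hv)
        report["hypervisor_name"] = KNOWN_HYPERVISORS.get(sig, sig or None)
    # The article's check only needs leaf 0: a non-genuine vendor fails it.
    report["passes_vendor_check"] = report["vendor_class"] == "genuine"
    return report


# Constructed register dumps for two environments.
BARE_METAL_INTEL = {"leaf0": (0x756E6547, 0x49656E69, 0x6C65746E), "leaf1_ecx": 0x7FFAFBFF}
KVM_GUEST = {"leaf0": (0x756E6547, 0x49656E69, 0x6C65746E),
             "leaf1_ecx": 0x7FFAFBFF | HYPERVISOR_PRESENT_BIT,
             "leaf_hv": (0x4B4D564B, 0x564B4D56, 0x0000004D)}  # "KVMKVMKVM\0\0\0"

if __name__ == "__main__":
    print(sandbox_fidelity_report(**BARE_METAL_INTEL))
    print(sandbox_fidelity_report(**KVM_GUEST))
```

The point for an analyst is that a well-configured hypervisor still passes the leaf-0 vendor string through from the host, so `passes_vendor_check` is true for the KVM guest even though the hypervisor bit and the leaf 0x40000000 signature give the virtualization away; a sandbox that instead returns an unexpected leaf-0 string is the kind the article says the malware refuses to run in.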

Source: Cybersecurity News