Silver Fox Targets Indian Users With Tax-themed Emails Delivering...

The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0).

"This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence," CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an analysis published last week.

Also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne, Silver Fox is the name assigned to an aggressive cybercrime group from China that has been active since 2022.

It has a track record of orchestrating a variety of campaigns whose motives range from espionage and intelligence collection to financial gain, cryptocurrency mining, and operational disruption, making it one of the few hacking crews with a multi-pronged approach to their intrusion activity.

Primarily focused on Chinese-speaking individuals and organisations, Silver Fox's victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).

In the infection chain documented by CloudSEK, phishing emails containing decoy PDFs purported to be from India's Income Tax Department are used to deploy ValleyRAT. Specifically, opening the PDF attachment takes the recipient to the "ggwk[.]cc" domain, from where a ZIP file ("tax affairs.zip") is downloaded.

Present within the archive is a Nullsoft Scriptable Install system (NSIS) installer of the same name ("tax affairs.exe"), which, in turn, leverages a legitimate executable associated with Thunder ("thunder.exe"), a download manager for Windows developed by Xunlei, and a rogue DLL ("libexpat.dll") that's sideloaded by the binary.

The DLL, for its part, disables the Windows Update service and serves as a conduit for a Donut loader, but not before performing various anti-analysis and anti-sandbox checks to ensure that the malware can run unimpeded on the compromised host. The lander then injects the final ValleyRAT payload into a hollowed "explorer.exe" process.

ValleyRAT is designed to communicate with an external server and await further commands. It implements a plugin-oriented architecture to extend its functionality in an ad hoc ma

Source: The Hacker News