To trick users into downloading ValleyRAT, a Remote Access Trojan (RAT) built on the Winos4.0 framework, attackers set up a fake version of the Huorong Security antivirus website. The campaign is attributed to the Silver Fox APT group, a Chinese-speaking threat actor known for distributing trojanized versions of popular Chinese software.

Huorong Security, known as 火绒 in Chinese, is a free antivirus program that is widely used in mainland China. The attackers registered huoronga[.]com, a near-exact copy of the legitimate huorong.cn with just one extra letter added to the name. This typosquatting technique catches users who mistype the address or follow a phishing link.

Most visitors would suspect nothing, because the page looks convincing.

[Image: fake Huorong Security website (source: Malwarebytes)]

Malwarebytes analysts, who mapped the entire infection chain, found that when a visitor clicks the download button the request is silently routed through an intermediary domain before the payload is served from Cloudflare R2 storage. The archive, BR����445[.]zip, carries Huorong's Chinese name in its file name to keep up the disguise until the point of execution.

[Image: another fake Huorong Security website (source: Malwarebytes)]

The attack does not need a zero-day exploit. All it requires is a convincing website, a realistic installer, and the assumption that many users simply click the first search result. The lure is even more effective because it is a security product, so it targets people who are actively trying to protect themselves.

Once ValleyRAT is installed, attackers can remotely control the compromised system, surveil the victim, and steal sensitive data. It logs keystrokes, reads browser cookie files, collects system information, and injects code into other processes for covert execution. Its modular design, which lets additional capabilities be downloaded on demand, makes the full extent of an infection hard to assess.

Evasion and Persistence Strategies

Once it has a foothold, ValleyRAT uses PowerShell to add Windows Defender exclusions for its main process (WavesSvc64.exe) and its persistence directory (AppData\Roaming\trvePath). It then creates a scheduled task named "Batteries" at C:\Windows\Tasks\Batteries.job, which reruns the malware on every system boot and reconnects to its C2 server at 161.248.87[.]250 over TCP port 443.

To stay hidden and evade signature-based detection, the malware rewrites and deletes its own core files. It also checks for virtual machine environments and debuggers before fully deploying. Configuration data, including the encoded C2 domain yandibaiji0203[.]com, is stored in the registry under HKCU\SOFTWARE\IpDates_info.

Organizations should audit Defender exclusions for unauthorized changes, block outbound connections to 161.248.87[.]250, and hunt across endpoints for the %APPDATA%\trvePath\ directory and the "Batteries" scheduled task as indicators of infection.
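The following PowerShell hunt script is an added example, not code from the Malwarebytes report or from ZeroOwl. It checks a single Windows endpoint for the indicators listed in this article (Defender exclusions naming the persistence directory or WavesSvc64.exe, the "Batteries" task, the persistence directory, the two registry keys, the log file, and live connections to the C2 address) and can optionally add an outbound firewall block. The script name, the `-Block` switch, and the use of Defender event ID 5007 (logged when Defender configuration such as exclusions changes) are this example's own choices; the indicator values themselves come from the article's IoC list, refanged so the cmdlets accept them.

```powershell
# Hunt-ValleyRATIndicators.ps1  (added example; run from an elevated PowerShell session)
param([switch]$Block)   # -Block also creates an outbound firewall rule for the C2 IP

# Indicators from the article, with the defanging brackets removed.
$c2Ip       = '161.248.87.250'
$taskName   = 'Batteries'
$taskFile   = 'C:\Windows\Tasks\Batteries.job'
$persistDir = Join-Path $env:APPDATA 'trvePath'
$logFile    = 'C:\ProgramData\DisplaySessionContainers.log'
$regKeys    = @('HKCU:\SOFTWARE\IpDates_info',
                'HKCU:\Console\0\451b464b7a6c2ced348c1866b59c362e')   # HKCU covers only the user running the script
$knownHashes = @{
    '72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4' = 'NSIS installer'
    'db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e' = 'WavesSvc64.exe'
    'd0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2' = 'DuiLib_u.dll'
    '07aaaa2d3f2e52849906ec0073b61e451e0025ef2523dafbd6ae85ddfa587b4d' = 'WinosStager DLL #1'
    '66e324ea04c4abbad6db4f638b07e2e560613e481ff588e0148e33e23a5052a9' = 'WinosStager DLL #2'
    '47df12b0b01ddca9eb116127bf84f63eb31e80cec33e4e6042dff1447de8f45f' = 'WinosStager DLL #3'
}

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Defender exclusions that reference the persistence directory or the dropped binary.
$pref = Get-MpPreference
foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($ex -and ($ex -match 'trvePath' -or $ex -match 'WavesSvc64')) {
        $findings.Add("Suspicious Defender exclusion: $ex")
    }
}
# Defender logs configuration changes (including new exclusions) as event 5007; list recent ones for review.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    ForEach-Object { $findings.Add("Defender exclusion change at $($_.TimeCreated): " + ($_.Message -split "`r?`n")[0]) }

# 2. Scheduled task persistence.
if (Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue) { $findings.Add("Scheduled task '$taskName' is registered") }
if (Test-Path -LiteralPath $taskFile) { $findings.Add("Legacy task file present: $taskFile") }

# 3. Persistence directory: hash every file and match against the article's SHA-256 values.
if (Test-Path -LiteralPath $persistDir) {
    $findings.Add("Persistence directory present: $persistDir")
    Get-ChildItem -LiteralPath $persistDir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($knownHashes.ContainsKey($h)) { $findings.Add("Known ValleyRAT file $($_.FullName) [$($knownHashes[$h])]") }
        else                              { $findings.Add("Unrecognized file in persistence dir $($_.FullName) sha256=$h") }
    }
}

# 4. Registry configuration keys and the log file.
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $findings.Add("Registry key present: $k") } }
if (Test-Path -LiteralPath $logFile) { $findings.Add("Log file present: $logFile") }

# 5. Live TCP connections to the C2 address, with the owning process for triage.
Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("Connection to C2 $c2Ip`:$($_.RemotePort) from PID $($_.OwningProcess) ($($proc.ProcessName))")
}

# 6. Optional containment: block outbound traffic to the C2 IP on every profile.
if ($Block) {
    New-NetFirewallRule -DisplayName "Block ValleyRAT C2 $c2Ip" -Direction Outbound `
                        -RemoteAddress $c2Ip -Action Block -Profile Any | Out-Null
    $findings.Add("Outbound firewall block created for $c2Ip")
}

if ($findings.Count -eq 0) { 'No ValleyRAT indicators found on this host.' } else { $findings }
```

Run it as `.\Hunt-ValleyRATIndicators.ps1` to report, or `.\Hunt-ValleyRATIndicators.ps1 -Block` to also add the firewall rule. The HKCU checks only see the profile of the user running the script; to sweep every profile on a shared machine, repeat the registry checks under each loaded hive in HKU. Hash matching is deliberately secondary to the path and task checks, since the article notes the malware rewrites its own files, so a changed hash does not clear a host that still has the directory, task, or registry key.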

Indicators of Compromise (IOCs)

Type                          Indicator
Fake Domain                   huoronga[.]com
Fake Domain                   huorongcn[.]com
Fake Domain                   huorongh[.]com
Fake Domain                   huorongpc[.]com
Fake Domain                   huorongs[.]com
Redirect Domain               hndqiuebgibuiwqdhr[.]cyou
Payload Host                  pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev
C2 IP                         161.248.87[.]250 (TCP 443)
Encoded C2 Domain             yandibaiji0203[.]com
SHA-256 (NSIS Installer)      72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4
SHA-256 (WavesSvc64.exe)      db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e
SHA-256 (DuiLib_u.dll)        d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2
SHA-256 (WinosStager DLL #1)  07aaaa2d3f2e52849906ec0073b61e451e0025ef2523dafbd6ae85ddfa587b4d
SHA-256 (WinosStager DLL #2)  66e324ea04c4abbad6db4f638b07e2e560613e481ff588e0148e33e23a5052a9
SHA-256 (WinosStager DLL #3)  47df12b0b01ddca9eb116127bf84f63eb31e80cec33e4e6042dff1447de8f45f
Scheduled Task                C:\Windows\Tasks\Batteries.job
Persistence Directory         %APPDATA%\trvePath\
Registry Key                  HKCU\SOFTWARE\IpDates_info
Registry Key                  HKCU\Console\0\451b464b7a6c2ced348c1866b59c362e
Log File                      C:\ProgramData\DisplaySessionContainers.log