Threat actors are distributing the ValleyRAT backdoor disguised as a genuine installer for the popular messaging app LINE in a sophisticated malware campaign. The targeted attack uses a malicious executable to infiltrate systems and steal login credentials, with a primary focus on Chinese-speaking users.
To evade detection and gain a firm foothold on the victim's computer for long-term surveillance, the malware uses a complex loading chain that combines shellcode execution with legitimate system binaries. When executed, the fake installer starts a multi-stage infection process that bypasses endpoint security controls.
It immediately attempts to disable Windows Defender by using PowerShell commands to exclude entire system drives from antivirus scanning. At the same time, it drops a malicious library named intel.dll that performs extensive environment checks.

Figure: Attack flow (Source: Cybereason)
These checks use file locking and mutex creation to determine whether the code is running in a sandbox. If the environment is judged safe, the malware unpacks its main payload and turns the device into a fully compromised node. Analysts at Cybereason, who discovered this campaign, observed that the malware uses the sophisticated PoolParty Variant 7 injection technique.
This technique lets attackers hide malicious activity inside trusted system processes, making detection much harder. By abusing Windows I/O completion ports to insert code into legitimate processes, the malware can operate covertly while harvesting user credentials and maintaining continuous communication with its command-and-control servers.

Advanced Mechanisms of Injection and Persistence

The evasion and persistence tactics of this ValleyRAT variant best demonstrate its technical sophistication.
After injecting code into Explorer.exe and UserAccountBroker.exe, the malware uses UserAccountBroker.exe as a watchdog to make sure the malicious components stay active. The injection manipulates system handles through specific Windows APIs, such as ZwSetIoCompletion, which lets the threat actors run code inside the memory space of trusted processes.

Figure: Output of the Sysinternals tool sigcheck.exe (Source: Cybereason)
Figure: The fake installer's GUI (Source: Cybereason)

To blind local defenses, the malware also actively searches for security products from vendors such as Qihoo 360 and cuts off their network connections. For persistence, it uses Remote Procedure Call (RPC) to register scheduled tasks, ensuring that they run automatically whenever the user logs in. It also carries a digital certificate issued to "Chengdu MODIFENGNIAO Network Technology Co., Ltd."; although the signature is cryptographically invalid, it makes the binary appear authentic at a glance.

Figure: Output of certutil.exe (Source: Cybereason)

To avoid infection, users should download installers only from official sources.
Security teams should create detection rules that flag invalid certificates and watch for suspicious child processes spawned by Explorer.exe, such as UserAccountBroker.exe, which may indicate process hollowing activity.
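The defensive checks the article recommends (flagging Defender exclusions that cover a whole drive, binaries whose code signature does not verify, and UserAccountBroker.exe spawned by Explorer.exe), as an added Python example that is not part of the original article or of Cybereason's report. The event records, their field names (including the "signature" field) and the file paths are constructed for this example and do not follow any real SIEM or EDR schema.

```python
import re

# Constructed sample telemetry (not real data). "process" records mimic
# process-creation events with a hypothetical "signature" field holding the
# result a code-signing verifier would report (Valid / Invalid / Unsigned);
# "script" records mimic logged PowerShell command text.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "signature": "Valid"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Local\Temp\UserAccountBroker.exe",
     "parent": r"C:\Windows\explorer.exe", "signature": "Invalid"},
    {"type": "process", "image": r"C:\Users\alice\Downloads\line_setup_CONSTRUCTED.exe",
     "parent": r"C:\Windows\explorer.exe", "signature": "Invalid"},
    {"type": "process", "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "parent": r"C:\Windows\explorer.exe", "signature": "Valid"},
    {"type": "script", "text": "Add-MpPreference -ExclusionPath 'C:\\'"},
    {"type": "script", "text": 'Add-MpPreference -ExclusionPath "C:\\Tools\\build"'},
    {"type": "script", "text": "Add-MpPreference -ExclusionPath D:\\,E:\\"},
    {"type": "script", "text": "Get-Process | Sort-Object CPU"},
]

# The -ExclusionPath argument of Add-/Set-MpPreference, quoted or bare.
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b[^\r\n]*?-ExclusionPath\s+"
    r"(?P<value>'[^']*'|\"[^\"]*\"|\S+)")
# A whole drive: letter, colon, optional separator, optional wildcard.
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:[\\/]?\*?$")

# Child-process names the article singles out under an explorer.exe parent.
WATCHED_EXPLORER_CHILDREN = {"useraccountbroker.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def drive_root_exclusions(script_text):
    """Return the drive roots a PowerShell command adds to Defender's
    exclusion list, e.g. ['C:\\']. Excluding a whole drive is the behaviour
    the article attributes to the fake installer; a folder exclusion is not
    reported."""
    roots = []
    for m in EXCLUSION_RE.finditer(script_text):
        for path in m.group("value").strip("'\"").split(","):
            path = path.strip().strip("'\"")
            if DRIVE_ROOT_RE.match(path):
                roots.append(path)
    return roots


def watched_explorer_children(events):
    """Process records whose parent is explorer.exe and whose image name is
    on the watch-list (UserAccountBroker.exe in the article)."""
    return [ev for ev in events
            if ev["type"] == "process"
            and basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) in WATCHED_EXPLORER_CHILDREN]


def invalid_signatures(events):
    """Process records whose image did not pass signature verification;
    a certificate that looks legitimate but does not verify is the
    indicator the article recommends alerting on."""
    return [ev for ev in events
            if ev["type"] == "process" and ev["signature"] != "Valid"]


def run_detections(events):
    """Run all three checks and return the findings keyed by rule name."""
    exclusions = []
    for ev in events:
        if ev["type"] == "script":
            exclusions.extend(drive_root_exclusions(ev["text"]))
    return {
        "defender_drive_root_exclusion": exclusions,
        "explorer_spawns_watched_child":
            [ev["image"] for ev in watched_explorer_children(events)],
        "invalid_code_signature":
            [ev["image"] for ev in invalid_signatures(events)],
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The script runs stand-alone on the embedded sample. In practice the same functions would be fed from PowerShell script-block logs and process-creation telemetry, and the explorer.exe parent check is best read together with the image path and signature result of the child rather than raised as an alert on its own.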