Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations

A series of attacks targeting Chinese-speaking regions has been identified. The attacks use a multi-stage loader named PNGPlug to deliver the ValleyRAT payload. The chain begins with a phishing webpage that encourages victims to download a malicious MSI package disguised as legitimate software. The installer deploys a benign application and extracts an encrypted archive containing the malware components. The PNGPlug loader then prepares the environment for malware execution, including patching ntdll.dll and injecting payloads extracted from PNG files. ValleyRAT, attributed to the Silver Fox APT, employs techniques such as shellcode execution, obfuscation, and persistence mechanisms. The campaign stands out for its focus on Chinese-speaking victims across China, Hong Kong, and Taiwan, treating these regions as a single target despite their political differences.

Author: AlienVault

Related Tags:
gh0st RAT – S0032
China
Gh0st RAT
Taiwan
espionage
Hong Kong
T1573
T1112
T1204

Associated Indicators: