A series of attacks targeting Chinese-speaking regions has been identified, utilizing a multi-stage loader named PNGPlug to deliver the ValleyRAT payload. The attack begins with a phishing webpage encouraging victims to download a malicious MSI package disguised as legitimate software. The installer deploys a benign application and extracts an encrypted archive containing the malware components. The PNGPlug loader sets up the environment for malware execution, including patching ntdll.dll and injecting payloads carried inside PNG files. ValleyRAT, attributed to the Silver Fox APT, employs advanced techniques such as shellcode execution, obfuscation, and persistence mechanisms. The campaign stands out for its focus on Chinese-speaking victims across China, Hong Kong, and Taiwan, treating these regions as a unified target despite their political differences.
Author: AlienVault
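The loader described above stages its payloads inside PNG files. As an added triage example (not from the original report, and not a description of PNGPlug's own embedding format, which the summary does not give), the Python below walks a PNG's chunk structure and flags non-standard chunk types, CRC mismatches, and bytes appended after IEND; both sample images are constructed inline.

```python
import struct
import zlib

# Chunk types defined by the PNG specification; anything else deserves a look.
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
}
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def triage_png(data: bytes) -> dict:
    """Walk the chunk list and report structural oddities that suggest a carrier file."""
    report = {"chunks": [], "unknown_chunks": [], "bad_crc": [], "trailing_bytes": 0}
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8].decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_field = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_field) < 4:
            report["bad_crc"].append(ctype)  # truncated chunk: length field lies
            return report
        report["chunks"].append(ctype)
        if ctype not in KNOWN_CHUNKS:
            report["unknown_chunks"].append(ctype)
        if zlib.crc32(ctype.encode("latin-1") + body) & 0xFFFFFFFF != struct.unpack(">I", crc_field)[0]:
            report["bad_crc"].append(ctype)
        pos += 12 + length
        if ctype == "IEND":
            break
    report["trailing_bytes"] = len(data) - pos  # bytes a viewer ignores after IEND
    return report

# Constructed sample: a minimal 1x1 grayscale PNG.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
CLEAN_PNG = PNG_SIG + make_chunk(b"IHDR", _IHDR) + make_chunk(b"IDAT", _IDAT) + make_chunk(b"IEND", b"")
# Constructed sample: same image with a made-up chunk type and data appended after IEND.
CARRIER_PNG = (PNG_SIG + make_chunk(b"IHDR", _IHDR) + make_chunk(b"IDAT", _IDAT)
               + make_chunk(b"xPLD", b"\xde\xad\xbe\xef" * 4) + make_chunk(b"IEND", b"")
               + b"MZ" + b"\x90" * 30)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("carrier", CARRIER_PNG)):
        print(name, triage_png(blob))
```

Image viewers render both samples identically, which is exactly why structural checks, not visual inspection, are needed to spot a carrier file.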
Related Tags:
gh0st RAT – S0032
China
Gh0st RAT
Taiwan
espionage
Hong Kong
T1573
T1112
T1204
Associated Indicators: