ValleyRAT is a sophisticated Remote Access Trojan (RAT) that surfaced in early 2023, primarily targeting Chinese-speaking users through coordinated phishing campaigns. It grants attackers complete control over infected systems, facilitating unauthorized access, surveillance, and deployment of additional malicious plugins, which further compromise the target system’s security posture.
Designed as a multi-stage, multi-component malware, ValleyRAT skillfully evades detection by gradually loading its components. This staged execution enables ValleyRAT to remain persistent on infected devices, executing malicious operations without raising immediate suspicion. Our analysis delves into several ValleyRAT variants, revealing its tactics, techniques, and procedures (TTPs) and aligning them with MITRE ATT&CK framework indicators.
Analysis of ValleyRAT TTPs
🔴 ValleyRAT Loader
ValleyRAT begins by initiating its payload via methods that ensure longevity and resistance to detection. It achieves this through:
- Startup Folder (T1547.001): ValleyRAT establishes persistence by adding entries to the Startup folder, allowing it to reinitiate every time the system boots up.
- Process Injection (T1055): Leveraging process injection tactics, ValleyRAT integrates its code into legitimate processes, masking its presence and bypassing some detection tools.
🔴 ValleyRAT Core Malware
The main component of ValleyRAT focuses on gathering intelligence from the infected system, employing:
- Query Registry (T1012): The malware frequently queries the Windows Registry, obtaining valuable information regarding system configurations and other critical details, which informs its subsequent steps in the attack chain.
🔴 Command and Control (C2)
ValleyRAT maintains an encrypted and often hidden communication channel with the attacker’s command and control (C2) server to receive instructions and exfiltrate stolen data. This is achieved through:
- Application Layer Protocol (T1071): Using standard network protocols, ValleyRAT camouflages its C2 traffic within legitimate traffic, thus evading network-based detection systems.
🔴 Privilege Escalation
ValleyRAT employs techniques to elevate its privileges within the system:
- Bypass User Account Control (T1548.002): By circumventing User Account Control (UAC), the malware ensures that it can carry out its activities with higher privileges, allowing access to sensitive system areas.
🔴 Defense Evasion
A crucial component of ValleyRAT’s design is its robust defense evasion tactics:
- Impair Defenses: Disable or Modify Tools (T1562.001): ValleyRAT disables or modifies certain security tools, reducing the likelihood of detection.
- Virtualization/Sandbox Evasion (T1497): ValleyRAT incorporates checks to detect whether it is running in a virtual environment or sandbox, ensuring it can terminate or limit activity in monitored conditions, hindering detailed analysis.
🔴 Execution
ValleyRAT also schedules tasks to ensure consistent and repeated execution, using:
- Scheduled Task/Job (T1053): By scheduling tasks, the malware can execute its payload at predefined intervals or during system events, ensuring persistent activity without user interaction.
🔴 Persistence
ValleyRAT’s persistence is strengthened through registry-based methods:
- Registry Run Keys (T1547.001): Adding entries to the Registry Run Keys, ValleyRAT secures its foothold on the system, initiating upon each reboot.
🔴 Discovery
To aid in reconnaissance, ValleyRAT probes network connectivity, determining available connections and endpoints:
- Internet Connection Discovery (T1016.001): The malware actively verifies internet connectivity, ensuring it can maintain communication with its C2 infrastructure.
ValleyRAT exemplifies the sophistication of modern RATs, utilizing an arsenal of techniques across multiple stages to evade detection, persist on infected systems, and communicate discreetly with its C2 server. Organizations should prioritize proactive defenses and implement a layered security approach. Critical steps include endpoint protection solutions with behavioral analysis, network monitoring to detect irregular C2 traffic, and robust user training against phishing campaigns.
For a complete technical breakdown and additional ValleyRAT variants, access the full report here: ValleyRAT Report
