ValleyRAT Malware Bypasses Windows 11 Security with Stealthy Driver, Raises Global Threat

ValleyRAT Malware Exploits Stealthy Driver Installation to Evade Windows 11 Security

ValleyRAT, also referred to as Winos or Winos4.0, has surfaced as a highly sophisticated backdoor targeting organizations globally. This modular malware family poses a significant threat to Windows systems, including fully patched Windows 11 installations.

The cybersecurity landscape has undergone a notable shift following the public leak of the ValleyRAT builder and its development framework. This leak has democratized access to the malware, extending its reach beyond the Chinese-speaking groups traditionally linked to its deployment.

ValleyRAT is particularly alarming because it operates at several levels of the system at once, from user-mode plugins up to a kernel-mode driver. As a comprehensive remote access trojan (RAT), it deploys a range of plugins to take control of victim systems.

The initial infection phase typically involves first-stage plugins like the Online Module or Login Module, which serve as beacons to the command-and-control (C2) server. These modules facilitate the retrieval and loading of additional specialized plugins, enabling attackers to progressively deepen their foothold within compromised networks.

Attackers selectively deploy advanced components based on the perceived value of the target, so many infected systems receive only basic functionality. This staged, target-dependent deployment also means that any single infected host reveals only part of the toolset.

Security analysts at Check Point have identified that the developers behind ValleyRAT possess deep knowledge of both kernel-mode and user-mode mechanisms. This indicates a tightly coordinated development team with advanced reverse-engineering capabilities, rather than a loosely assembled group of contributors.

The Kernel Rootkit Mechanism

One of the most concerning aspects of ValleyRAT is its embedded kernel-mode rootkit driver, delivered through the Driver Plugin. The driver carries a valid code signature, so fully updated Windows 11 systems load it without any Driver Signature Enforcement complaint, and protections that key off signature validity alone are bypassed outright. The gap this exposes is that a valid signature only establishes who signed the binary, not that it is safe: once loaded, the driver runs with kernel privileges regardless of what it does.

Check Point researchers have observed that approximately 85% of detected ValleyRAT samples appeared in the last six months, coinciding with the public release of the builder.

The rootkit combines stealthy driver installation with user-mode shellcode injection via asynchronous procedure calls (APCs). Once resident, the malware deletes antivirus and endpoint detection and response (EDR) drivers from the system, specifically targeting products from Qihoo 360, Huorong Security, Tencent, and Kingsoft Corporation. Removing these drivers leaves the host unprotected, and the attackers can then operate without hindrance.
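The two behaviours described above, a signed kernel driver being installed and security-vendor drivers disappearing, are both observable from the host. The following PowerShell triage script is an added example written for this article; it is not code from Check Point or from the ValleyRAT authors. It pulls recent kernel-driver service installs from the System event log (Event ID 7045), checks the Authenticode signature and signer of every running kernel driver, and reports whether drivers matching the named security vendors are still present. The vendor match strings are an assumption (substring matches on driver display names and paths), not a vetted list of those vendors' driver names, and the signature check is there to make the article's point concrete: a validly signed rootkit passes it, so the install timeline and an unfamiliar signer are the signals, not signature status alone.

```powershell
# Added host triage example (not Check Point's or the ValleyRAT authors' code). Run elevated.
# ASSUMPTION: the vendor patterns below are illustrative substrings, not known driver names.
$VendorPatterns = @('360', 'Huorong', 'Tencent', 'Kingsoft')

# 1. Kernel-driver service installs recorded by the Service Control Manager (Event ID 7045).
function Get-RecentKernelDriverInstalls {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $data['ImagePath']
                ServiceType = $data['ServiceType']
                StartType   = $data['StartType']
            }
        } |
        Where-Object { $_.ServiceType -like '*kernel mode driver*' }
}

# Win32_SystemDriver.PathName comes in several forms (\??\C:\..., \SystemRoot\..., system32\drivers\x.sys);
# normalise to a path Get-AuthenticodeSignature can open.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''              # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 2. Signature status and signer for every running kernel driver.
#    A 'Valid' status is necessary, not sufficient: the article's rootkit is validly signed.
function Get-KernelDriverSignatures {
    Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# 3. Presence of drivers matching the security vendors the article names.
#    On a host that is known to have had one of these products, zero hits is the signal.
function Test-SecurityVendorDrivers {
    $drivers = Get-CimInstance Win32_SystemDriver
    foreach ($pat in $VendorPatterns) {
        $hits = @($drivers | Where-Object { $_.DisplayName -like "*$pat*" -or $_.PathName -like "*$pat*" })
        [pscustomobject]@{
            Vendor       = $pat
            DriversFound = $hits.Count
            NotRunning   = @($hits | Where-Object { $_.State -ne 'Running' }).Count
        }
    }
}

'--- Kernel drivers installed in the last 30 days (Event 7045) ---'
Get-RecentKernelDriverInstalls | Sort-Object Time -Descending | Format-Table -AutoSize

'--- Running kernel drivers: review signer, not just status ---'
Get-KernelDriverSignatures | Sort-Object Signer | Format-Table -AutoSize

'--- Security vendor driver presence ---'
Test-SecurityVendorDrivers | Format-Table -AutoSize
```

Read the three tables together: a kernel driver installed recently, signed under a publisher you do not recognise, on a host where the expected security-vendor drivers are now absent, is exactly the sequence the article describes. The 7045 event is written by the Service Control Manager at install time, so it survives even if the malware later removes its own service entry, which makes it the more durable of the three checks.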

The public availability of the ValleyRAT builder and development structure has fundamentally altered the threat landscape. Attribution has become increasingly complex, as any actor can now compile, modify, and deploy ValleyRAT independently. This shift from a threat linked to specific actors to an openly available malware framework suggests that future activity will likely escalate, with more threat groups experimenting with the leaked tools.

Organizations should treat unexpected kernel driver installations and the disappearance of security-product drivers as high-priority signals, keep Windows' driver blocklist and memory-integrity protections enabled, and keep detection content current as this threat continues to evolve.