Cybercriminals Use Fake Huorong Antivirus Site to Spread ValleyRAT Malware

Cybercriminals Deploy ValleyRAT via Fake Huorong Antivirus Website

In a sophisticated cyberattack, threat actors have created a counterfeit version of the Huorong Security antivirus website to distribute ValleyRAT, a Remote Access Trojan (RAT) built on the Winos4.0 framework. This campaign is attributed to the Silver Fox Advanced Persistent Threat (APT) group, known for disseminating trojanized versions of popular Chinese software.

Huorong Security and the Deceptive Domain

Huorong Security, or 火绒 in Chinese, is a widely used free antivirus product in mainland China. The attackers registered the domain huoronga[.]com, a near-identical replica of the legitimate huorong.cn, differing only by an additional letter ‘a’. This typosquatting technique exploits users who mistype the URL or follow phishing links, leading them to a convincingly fraudulent site.
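The lookalike domains in this campaign all reuse the brand label "huorong" with an added letter or a different TLD. The following PowerShell script is an added example, not part of the article or of Malwarebytes' analysis: it scans resolver log lines for queries whose registrable domain imitates huorong.cn, combining a substring match with a Levenshtein edit-distance check so that single-character typos are caught too. The log format (timestamp, client IP, query name) and the log lines are constructed for illustration.

```powershell
# Added example (not from the article): flag DNS queries for domains that
# imitate the legitimate huorong.cn. Only the registrable part (the last two
# labels) is compared, so www.huorong.cn is treated as the real site.
$LegitLabel  = 'huorong'
$LegitDomain = 'huorong.cn'

# Constructed sample resolver log: "<timestamp> <client> <qname>" per line
$SampleDnsLog = @(
    '2024-01-01T10:00:01Z 10.0.0.5 www.huorong.cn',
    '2024-01-01T10:00:07Z 10.0.0.5 huoronga.com',
    '2024-01-01T10:00:09Z 10.0.0.8 update.microsoft.com',
    '2024-01-01T10:01:13Z 10.0.0.9 huorongpc.com',
    '2024-01-01T10:01:40Z 10.0.0.9 huoring.com',
    '2024-01-01T10:02:00Z 10.0.0.9 hndqiuebgibuiwqdhr.cyou'
)

function Get-LevenshteinDistance {
    # Classic dynamic-programming edit distance between two strings
    param([string]$a, [string]$b)
    $m = $a.Length; $n = $b.Length
    $d = New-Object 'int[,]' -ArgumentList ($m + 1), ($n + 1)
    for ($i = 0; $i -le $m; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $n; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $m; $i++) {
        for ($j = 1; $j -le $n; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$m, $n]
}

function Test-LookalikeDomain {
    # Returns $true when the second-level label imitates the brand label:
    # exact brand with another TLD, brand plus extra characters, or a
    # second-level label within two edits of the brand.
    param([string]$Domain)
    $labels = $Domain.ToLower().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return $false }
    $registrable = ($labels[-2..-1] -join '.')
    if ($registrable -eq $LegitDomain) { return $false }
    $sld = $labels[-2]
    return ($sld -like "*$LegitLabel*") -or ((Get-LevenshteinDistance $sld $LegitLabel) -le 2)
}

foreach ($line in $SampleDnsLog) {
    $fields = $line -split '\s+'
    $qname  = $fields[2]
    if (Test-LookalikeDomain $qname) {
        Write-Output ('LOOKALIKE  {0}  client={1}  qname={2}' -f $fields[0], $fields[1], $qname)
    }
}
```

On the constructed input this flags huoronga.com, huorongpc.com and the typo variant huoring.com, while www.huorong.cn and update.microsoft.com pass; the redirect domain is not a lookalike and must be matched from a blocklist instead. Tune the edit-distance threshold to the length of the brand label, since short labels produce false positives at distance 2.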

Infection Chain and Payload Delivery

Analysts from Malwarebytes uncovered the full infection chain. When users click the download button on the fake site, their request is covertly redirected through an intermediary domain before delivering the payload from Cloudflare R2 storage. The downloaded file, named BR火绒445[.]zip, incorporates Huorong’s Chinese name to maintain the ruse until execution.

Attack Methodology

This attack does not exploit zero-day vulnerabilities but relies on a convincing website, a realistic installer, and the likelihood that users will click the first search result. By masquerading as a security product, the deception becomes more effective, targeting individuals actively seeking to protect their systems.

Capabilities of ValleyRAT

Once installed, ValleyRAT enables attackers to monitor victims, steal sensitive data, and remotely control compromised systems. The malware captures keystrokes, accesses browser cookie files, gathers system information, and injects code into other processes for stealthy execution. Its modular design allows for the download of additional capabilities on demand, complicating the assessment of an infection’s full scope.

Persistence and Evasion Techniques

After installation, ValleyRAT uses PowerShell commands to instruct Windows Defender to ignore its persistence directory (`AppData\Roaming\trvePath`) and its main process (`WavesSvc64.exe`). It establishes a scheduled task named “Batteries” at `C:\Windows\Tasks\Batteries.job`, ensuring the malware runs on every system boot and reconnects to its command-and-control (C2) server at 161.248.87[.]250 over TCP port 443.

To evade detection, the malware deletes and rewrites its core files, checks for debuggers and virtual machine environments before full deployment, and stores encoded C2 domain information in the registry under `HKCU\SOFTWARE\IpDates_info`.

Indicators of Compromise (IOCs)

– Fake Domains:
  – huoronga[.]com
  – huorongcn[.]com
  – huorongh[.]com
  – huorongpc[.]com
  – huorongs[.]com

– Redirect Domain:
  – hndqiuebgibuiwqdhr[.]cyou

– Payload Host:
  – pub-b7ce0512b9744e2db68f993e355a03f9.r2[.]dev

– C2 IP:
  – 161.248.87[.]250 (TCP 443)

– Encoded C2 Domain:
  – yandibaiji0203[.]com

– SHA-256 Hashes:
  – NSIS Installer: 72889737c11c36e3ecd77bf6023ec6f2e31aecbc441d0bdf312c5762d073b1f4
  – WavesSvc64.exe: db8cbf938da72be4d1a774836b2b5eb107c6b54defe0ae631ddc43de0bda8a7e
  – DuiLib_u.dll: d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe

Recommendations for Mitigation

Organizations should implement the following measures to mitigate the risk of this malware campaign:

1. Block Outbound Connections: Prevent connections to the C2 IP address 161.248.87[.]250.

2. Audit Defender Exclusions: Review Windows Defender exclusions for unauthorized changes, particularly for directories like `AppData\Roaming\trvePath` and processes such as `WavesSvc64.exe`.

3. Monitor Scheduled Tasks: Search for the “Batteries” scheduled task in `C:\Windows\Tasks\Batteries.job` as an indicator of compromise.

4. Inspect File Directories: Examine endpoints for the presence of the `%APPDATA%\trvePath\` directory, which may indicate infection.

5. User Education: Educate users on the risks of typosquatting and the importance of verifying website URLs before downloading software.
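The persistence artefacts described above (the Defender exclusions, the "Batteries" task, the trvePath directory, the IpDates_info registry key and the C2 address) and recommendations 1 through 4 can be checked together on a single host. The script below is an added example written for this page, not code from the article or from Malwarebytes; it assumes an elevated PowerShell session on Windows with the Defender, ScheduledTasks and NetTCPIP modules available, and it only reads state. The firewall rule for recommendation 1 is included as a commented-out line so that the triage run itself changes nothing.

```powershell
# Added example (not from the article): read-only host triage for the
# ValleyRAT indicators quoted in the write-up. Run elevated on Windows.
$Findings = New-Object System.Collections.Generic.List[string]

# Indicators taken from the article
$SuspectDir     = Join-Path $env:APPDATA 'trvePath'
$SuspectProcess = 'WavesSvc64.exe'
$SuspectTask    = 'Batteries'
$SuspectJob     = 'C:\Windows\Tasks\Batteries.job'
$SuspectRegKey  = 'HKCU:\SOFTWARE\IpDates_info'
$C2Address      = '161.248.87.250'
$C2Port         = 443

# Recommendation 2: Defender exclusions covering the persistence directory or main process
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -like '*trvePath*') { $Findings.Add("Defender path exclusion: $p") }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p -and $p -like "*$SuspectProcess*") { $Findings.Add("Defender process exclusion: $p") }
    }
}

# Recommendation 3: the "Batteries" task, either registered or as a legacy .job file
$task = Get-ScheduledTask -TaskName $SuspectTask -ErrorAction SilentlyContinue
if ($task) { $Findings.Add("Scheduled task present: $($task.TaskPath)$($task.TaskName)") }
if (Test-Path $SuspectJob) { $Findings.Add("Legacy job file present: $SuspectJob") }

# Recommendation 4: persistence directory, plus the main process if it is running
if (Test-Path $SuspectDir) { $Findings.Add("Persistence directory present: $SuspectDir") }
$procName = [IO.Path]::GetFileNameWithoutExtension($SuspectProcess)
$proc = Get-Process -Name $procName -ErrorAction SilentlyContinue
if ($proc) { $Findings.Add("Process running: $SuspectProcess (PID $($proc.Id -join ','))") }

# Registry key that holds the encoded C2 domain
if (Test-Path $SuspectRegKey) { $Findings.Add("Registry key present: $SuspectRegKey") }

# Recommendation 1 (detection side): any live TCP connection to the C2 address
$conn = Get-NetTCPConnection -RemoteAddress $C2Address -RemotePort $C2Port -ErrorAction SilentlyContinue
if ($conn) {
    $Findings.Add("Active connection to $C2Address`:$C2Port from PID $($conn.OwningProcess -join ','))")
}

# Recommendation 1 (containment): uncomment to block outbound traffic to the C2 address
# New-NetFirewallRule -DisplayName 'Block ValleyRAT C2' -Direction Outbound `
#     -RemoteAddress $C2Address -Action Block

if ($Findings.Count -eq 0) {
    Write-Output 'No ValleyRAT indicators from the article were found on this host.'
} else {
    Write-Output 'ValleyRAT indicators found:'
    $Findings | ForEach-Object { Write-Output "  - $_" }
}
```

A hit on any single check is worth escalating, since the exclusions, task and directory names are specific to this campaign; a clean result does not rule out infection, because the modular payload can change names between builds, so pair the host check with the SHA-256 hashes and network indicators listed above.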

By implementing these measures, organizations can enhance their defenses against this and similar malware campaigns.