Operation Silk Lure: Exploiting Windows Scheduled Tasks to Deploy ValleyRAT Malware

In recent months, a sophisticated cyber campaign known as Operation Silk Lure has been identified, targeting Chinese financial technology and trading firms. This operation leverages Windows Task Scheduler to deploy a new variant of the ValleyRAT malware, demonstrating advanced persistence and evasion techniques.

Initial Attack Vector: Spear-Phishing Emails

The campaign initiates with spear-phishing emails that contain malicious LNK (shortcut) files disguised as job applicant resumes. When recipients open these attachments, an obfuscated PowerShell command is executed, which silently downloads a decoy document along with two executables: a loader named `keytool.exe` and a side-loaded DLL named `jli.dll`. This method effectively deceives users and initiates the malware deployment process.

Establishing Persistence: VBScript and Scheduled Tasks

To maintain a foothold on the compromised system, the malware employs a VBScript named `CreateHiddenTask.vbs`. This script is written to the user’s AppData folder and executed to create a scheduled task named Security. Notably, the task is registered with Microsoft Corporation as the author, adding a layer of legitimacy. The script then deletes itself to minimize detection. The scheduled task is configured to run daily at 8:00 AM, ensuring the loader (`keytool.exe`) is executed consistently, even after system reboots.

Execution and Payload Deployment

Upon execution, `keytool.exe` utilizes DLL side-loading to run `jli.dll`. This DLL searches for an 8-byte marker within its own file, extracts the subsequent encrypted payload, and decrypts it using the RC4 algorithm with a hard-coded key. The decrypted shellcode is then injected directly into memory, establishing communication with a command-and-control (C2) server located at 206.119.175.16. This connection initiates reconnaissance activities and data exfiltration.
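For analysts who need to recover the embedded payload from a sample like the `jli.dll` described above (for example to carve out the C2 configuration for hunting), the following is an added example, not code from the write-up or from the malware itself. It implements the marker-then-RC4 layout the paragraph describes. The 8-byte marker, the key and the "shellcode" are constructed placeholders; the write-up does not give the real values, so on a real sample you would substitute the marker and key recovered during reversing.

```python
"""
Added example (not from the original write-up or the malware): locate an
8-byte marker inside a file image and RC4-decrypt the bytes that follow it,
mirroring how the write-up says jli.dll finds its embedded payload.
MARKER, KEY and the sample payload are constructed placeholders.
"""
from typing import Optional

MARKER = b"\xDE\xAD\xBE\xEF\x00\x11\x22\x33"   # constructed placeholder, not the real marker
KEY = b"placeholder-rc4-key"                   # constructed placeholder, not the real key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + PRGA). Symmetric: one call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_payload(image: bytes, marker: bytes = MARKER, key: bytes = KEY) -> Optional[bytes]:
    """Return the decrypted payload that follows the marker, or None if no marker is present."""
    idx = image.find(marker)
    if idx < 0:
        return None
    return rc4(key, image[idx + len(marker):])


def build_sample(payload: bytes) -> bytes:
    """Construct a stand-in 'DLL' image: filler bytes, the marker, then the RC4-encrypted payload."""
    filler = b"MZ" + b"\x00" * 62 + b"constructed filler, not a real PE image " * 3
    return filler + MARKER + rc4(KEY, payload)


if __name__ == "__main__":
    sample = build_sample(b"CONSTRUCTED-PAYLOAD-STAND-IN")
    print(extract_payload(sample))
```

On a real sample, the recovered bytes would be handed to a disassembler or string extractor rather than executed; the point of the script is to make the decrypted configuration available for indicator extraction without running anything.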

Malware Capabilities and Evasion Techniques

Once operational, ValleyRAT conducts extensive data harvesting and employs various defense evasion strategies. It collects detailed information about the host system, including CPU specifications, screen resolution, and network interface card (NIC) details. Additionally, it checks for the presence of virtualization environments and known antivirus products using Windows Management Instrumentation (WMI) queries. If security services such as 360Safe and Kingsoft are detected, the malware forcibly terminates their network connections. All gathered data is logged and transmitted covertly over HTTPS, increasing the risk of credential theft and corporate espionage.

Technical Breakdown: Infection Chain and Persistence Mechanism

A deeper analysis of the infection chain reveals the sophistication of the persistence mechanism employed by Operation Silk Lure. The VBScript responsible for registering the scheduled task leverages Component Object Model (COM) interfaces to interact with the Task Scheduler. Below is a core snippet from `CreateHiddenTask.vbs`:

```vbscript
' Core of CreateHiddenTask.vbs as shown in the write-up. The string quotes and
' comment markers were lost in extraction and are restored here.
Set service = CreateObject("Schedule.Service")
service.Connect
Set rootFolder = service.GetFolder("\")
Set taskDef = service.NewTask(0)
With taskDef.RegistrationInfo
    .Author = "Microsoft Corporation"        ' spoofed author metadata
End With
With taskDef.Triggers.Create(2)              ' 2 = TASK_TRIGGER_DAILY (type 1 is a one-shot TASK_TRIGGER_TIME and has no DaysInterval)
    .StartBoundary = "2025-08-01T08:00:01"
    .DaysInterval = 1
End With
With taskDef.Actions.Create(0)               ' 0 = TASK_ACTION_EXEC
    ' ExpandEnvironmentStrings is a WScript.Shell method
    .Path = CreateObject("WScript.Shell").ExpandEnvironmentStrings("%APPDATA%\keytool.exe")
End With
' 6 = TASK_CREATE_OR_UPDATE, 3 = TASK_LOGON_INTERACTIVE_TOKEN (runs as the logged-on user)
rootFolder.RegisterTaskDefinition "Security", taskDef, 6, , , 3
```

This script programmatically registers a daily scheduled task named Security, set to execute `keytool.exe` every morning at 8:00 AM. By embedding author metadata and deleting the script post-execution, the threat actors effectively blend their activities into normal system operations, complicating forensic investigations.
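The combination described above (a task whose author metadata claims Microsoft while its action launches a binary from the user's AppData folder) is easy to audit offline, which also serves recommendation 4 below. The following is an added example, not code from the write-up: it parses Task Scheduler definitions in the XML form Windows keeps under `%SystemRoot%\System32\Tasks` (the same form `schtasks /query /xml` exports), so it can run against a live host or a mounted disk image. The two task definitions, the task paths and the user name are constructed for the example.

```python
"""
Added example, not part of the original write-up: audit Task Scheduler XML
definitions for a task that claims a Microsoft author but executes from a
user-writable location. SUSPICIOUS_TASK and BENIGN_TASK are constructed
samples; the task paths used below are hypothetical.
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple, Union

# Namespace used by every Task Scheduler 2.0 task definition
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a task genuinely authored by Microsoft would not normally launch a binary from
USER_WRITABLE = re.compile(
    r"%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%|%PUBLIC%"
    r"|\\AppData\\|\\Users\\[^\\]+\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)

Finding = Tuple[str, str]  # (severity, message)


def audit_task(task_path: str, xml_doc: Union[str, bytes]) -> List[Finding]:
    """Inspect one task definition; task_path is the scheduler path such as '\\Security'."""
    root = ET.fromstring(xml_doc)
    author = (root.findtext("t:RegistrationInfo/t:Author", default="", namespaces=NS) or "").strip()
    commands = [(c.text or "").strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS)]
    claims_microsoft = "microsoft" in author.lower()
    findings: List[Finding] = []
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            sev = "HIGH" if claims_microsoft else "MEDIUM"
            findings.append((sev, f"{task_path}: author '{author or '<none>'}' runs {cmd} from a user-writable path"))
    # Microsoft's own tasks live almost entirely under \Microsoft\...; a Microsoft-authored
    # task registered elsewhere (e.g. at the root) is a low-confidence signal worth a look
    if claims_microsoft and not task_path.lower().startswith("\\microsoft\\"):
        findings.append(("INFO", f"{task_path}: author '{author}' but task is outside the \\Microsoft folder"))
    return findings


def scan_tasks_dir(tasks_root: str) -> List[Finding]:
    """Walk a Tasks directory (live system or mounted image) and audit every definition in it."""
    results: List[Finding] = []
    for dirpath, _, files in os.walk(tasks_root):
        for name in files:
            full = os.path.join(dirpath, name)
            task_path = "\\" + os.path.relpath(full, tasks_root).replace(os.sep, "\\")
            try:
                # Task files on disk are UTF-16 with a BOM; passing bytes lets expat detect that
                with open(full, "rb") as fh:
                    results.extend(audit_task(task_path, fh.read()))
            except (OSError, ET.ParseError):
                continue
    return results


# Constructed sample mirroring the task the write-up describes
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-08-01T08:00:01</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\keytool.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample of an unremarkable Microsoft task under the \Microsoft folder
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Microsoft Corporation</Author></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\example.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for sev, msg in audit_task("\\Security", SUSPICIOUS_TASK) + audit_task("\\Microsoft\\Windows\\Example\\Benign", BENIGN_TASK):
        print(sev, msg)
```

Point `scan_tasks_dir` at `C:\Windows\System32\Tasks` on a host (or the corresponding directory of an image) to audit every registered task; the HIGH findings are the ones to triage first, while the INFO signal has known benign hits and is only a prompt to look closer.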

Implications and Recommendations

The combination of LNK-based initial compromise, VBScript-driven persistence, and DLL side-loading employed in Operation Silk Lure underscores the evolving sophistication of cyber threats. Organizations, particularly those in the fintech and trading sectors, should implement the following measures to mitigate such risks:

1. User Education and Awareness: Train employees to recognize and report phishing attempts, especially those involving unexpected attachments or links.

2. Email Filtering and Attachment Scanning: Deploy advanced email filtering solutions to detect and block malicious attachments and links before they reach end-users.

3. Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor and respond to suspicious activities, such as unauthorized scheduled tasks or unusual PowerShell executions.

4. Regular System Audits: Conduct periodic audits of scheduled tasks and system logs to identify and remediate unauthorized changes or anomalies.

5. Patch Management: Ensure that all systems are up-to-date with the latest security patches to mitigate vulnerabilities that could be exploited by malware.

By adopting a comprehensive cybersecurity strategy that includes these measures, organizations can enhance their resilience against sophisticated campaigns like Operation Silk Lure.