SilverFox Deploys Multi-Stage ValleyRAT with Advanced Evasion Techniques

A sophisticated malware campaign orchestrated by the SilverFox hacking group has been identified, deploying a multi-stage remote access trojan (RAT) known as ValleyRAT. This campaign employs advanced evasion techniques, including DLL sideloading, steganography, and kernel-level rootkits, to infiltrate and persist within targeted systems.

Complex Infection Chain

The attack initiates with DLL sideloading, where a malicious DLL is loaded alongside a legitimate, signed application. This method allows the malware to execute without raising immediate suspicion. Once active, the malware disables logging tools and antivirus scanning to evade detection.

Subsequently, the malware utilizes steganography, embedding additional payloads within the pixel data of seemingly innocuous PNG images. This technique is employed multiple times throughout the infection chain, effectively concealing the malicious code from traditional security measures.

After escalating privileges, the malware extracts another payload from a second image and employs a loader called Donut to execute shellcode in memory, minimizing on-disk artifacts and further complicating detection efforts.

Deployment of Go-Based RAT and Kernel Rootkit

ValleyRAT then deploys a RAT written in the Go programming language, which communicates with command and control (C2) servers over WebSocket and QUIC protocols. These protocols are chosen for their ability to blend into normal web traffic, reducing the likelihood of detection.

The RAT injects a tool designed to disable antivirus software into ‘svchost’, a core Windows process, thereby neutralizing security defenses. Finally, a kernel-level rootkit is installed, supporting over 65 command codes and receiving instructions from the RAT through named pipes, a method typically used for inter-process communication.

Data Theft and Persistence Mechanisms

Beyond establishing control, ValleyRAT is engineered for data theft. It monitors the clipboard for cryptocurrency wallet addresses, replacing them with addresses controlled by the attackers, a tactic that has previously resulted in significant financial losses for victims.

The malware also targets data stored by the Telegram messaging application on infected machines, granting attackers access to private conversations and sensitive information.

To maintain persistence, the malware employs multiple techniques, including modifying system configurations and creating scheduled tasks, ensuring continued access to compromised systems even after reboots or security updates.

SilverFox’s deployment of ValleyRAT underscores the increasing sophistication of cyber threats, particularly those involving multi-stage infection chains and advanced evasion techniques. Organizations must adopt comprehensive security strategies, including behavioral analysis and anomaly detection, to effectively counter such complex attacks.