Cybercriminals keep finding new ways to reach unsuspecting users. Fake Google Chrome download sites are the latest lure for spreading ValleyRAT malware. This remote access trojan first appeared in 2023 and is attributed to a group called Silver Fox, which mainly targets Chinese-speaking regions such as Hong Kong, Taiwan, and Mainland China.
The attackers go after high-value positions such as finance, accounting, and sales. Their goal is to steal sensitive business data; the technique that gets the malware running on the victim's machine is DLL hijacking, where a trusted, signed program is tricked into loading the attacker's DLL. This article explains how the chain works and how you can protect yourself.
What is ValleyRAT Malware?
ValleyRAT is a remote access trojan (RAT) written in C++. It can monitor screens, log keystrokes, and maintain persistence across reboots. It receives tasking from a command-and-control server and carries it out on the infected machine, giving attackers control of the system and a channel for stealing sensitive information.
Attackers often distribute ValleyRAT with other dangerous malware like Purple Fox and Gh0st RAT. Chinese hacking groups commonly use these malware families for data theft.
How Fake Chrome Sites Spread ValleyRAT
Attackers use fake Google Chrome websites to lure users into downloading malware. The sites look legitimate but serve a malicious installer. A user who searches for Chrome may land on one of them and download a ZIP file instead of the real browser.
The ZIP file contains an executable named "Setup.exe." Once run, it downloads four additional payloads, including a legitimate, signed application named Douyin.exe (the Chinese version of TikTok). The attackers do not need to modify Douyin.exe: they place a rogue DLL called tier0.dll next to it, and when the program starts it loads that DLL by name, which launches ValleyRAT.
Another DLL, sscronet.dll, terminates specific processes so that the malware stays hidden. Because the code runs inside a process started from a legitimately signed binary, signature-based antivirus checks on the process itself see nothing wrong, and detection becomes difficult.
DLL Hijacking: How Attackers Bypass Security
DLL hijacking exploits how Windows resolves a DLL that a program requests by name rather than by full path: the loader walks a fixed search order, and the directory containing the executable is searched before the system directories. If an attacker can drop a DLL with the expected name into that directory, the program loads the attacker's file instead of the legitimate one. In the ValleyRAT attack, the group ships signed executables that are vulnerable to exactly this DLL search-order hijacking and places the malicious DLL beside them.
The malicious DLL then executes inside the legitimate, signed process. Every action it takes is attributed to that trusted program, which lets the malware operate without raising alarms.
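The side-loading pattern described above and in the Douyin.exe/tier0.dll chain leaves a characteristic trace in endpoint telemetry: an unsigned DLL loaded from the same directory as its host executable, typically a user-writable folder. The checker below is an added example for this article, not tooling from Morphisec or from the campaign. It runs over constructed records shaped like Sysmon Event ID 7 (ImageLoad) entries; the file names come from the article, but every directory, the list of writable-location hints, and the choice of which process loads sscronet.dll are assumptions for illustration.

```python
"""Flag DLL side-loading candidates in Sysmon ImageLoad (Event ID 7) records.

Added example for the article, not code from Morphisec or the campaign.
The records below are constructed to mirror Sysmon's Event ID 7 fields
(Image, ImageLoaded, Signed, SignatureStatus); the directories are
assumptions for illustration, not paths reported for the attack.
"""
import ntpath

# Directories that hold Windows' own DLLs. A load from here is not a
# drop-and-side-load, so this checker ignores it (it does not model the
# rarer case of a DLL missing from System32 and found later in the search order).
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Fragments of user-writable locations where dropped payloads usually land
# (assumed list; extend it for your environment).
WRITABLE_HINTS = (
    "\\appdata\\",
    "\\temp\\",
    "\\downloads\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Constructed sample events. Douyin.exe, tier0.dll and sscronet.dll are the
# names given in the article; the directories, and which process loads
# sscronet.dll, are assumed here.
SAMPLE_EVENTS = [
    {   # Benign: Chrome loading one of its own signed DLLs.
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # Benign: the dropper loading a Windows DLL from System32.
        "Image": r"C:\Users\victim\AppData\Local\Temp\Setup.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # Side-load pattern: a dropped, signed third-party EXE loads an
        # unsigned DLL from its own directory, which the loader searches first.
        "Image": r"C:\Users\victim\AppData\Local\Temp\Douyin.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\tier0.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # Second unsigned DLL from the same staging folder (assumed host).
        "Image": r"C:\Users\victim\AppData\Local\Temp\Douyin.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\sscronet.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # Unsigned DLL in a writable folder loaded by a binary that lives
        # elsewhere: flagged on location alone.
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\ProgramData\Updater\helper.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # Signed DLL in a vendor directory: not flagged.
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
]


def is_signed(event):
    """True only when Sysmon recorded a valid Authenticode signature on the DLL."""
    return (event.get("Signed", "").lower() == "true"
            and event.get("SignatureStatus", "") == "Valid")


def classify(event):
    """Return a finding dict for a suspicious load, or None for a benign one."""
    exe = event["Image"]
    dll = event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll).lower()
    exe_dir = ntpath.dirname(exe).lower()

    if dll_dir in TRUSTED_DIRS or is_signed(event):
        return None

    reasons = []
    if dll_dir == exe_dir:
        reasons.append("unsigned DLL loaded from the host executable's own directory")
    if any(hint in dll_dir + "\\" for hint in WRITABLE_HINTS):
        reasons.append("DLL lives in a user-writable location")
    if not reasons:
        return None
    return {"host": ntpath.basename(exe), "dll": ntpath.basename(dll),
            "path": dll, "reasons": reasons}


def find_sideload_candidates(events):
    """Run classify() over a sequence of Event ID 7 records and keep the hits."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{finding['host']} -> {finding['dll']}: {'; '.join(finding['reasons'])}")
```

Event ID 7 records the signature of the DLL being loaded, not of the host executable, so the check deliberately keys on the DLL alone; whether the host is a genuinely signed program such as Douyin.exe is something to confirm separately (for example with Get-AuthenticodeSignature in PowerShell). The two "reasons" are kept separate because a DLL beside its host in C:\Program Files is routine, while an unsigned DLL beside its host in a Temp folder is the pattern this article describes.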
Targeting High-Value Positions
Silver Fox focuses on key roles within organizations. Its primary targets are finance, accounting, and sales departments, because people in these positions handle payment flows, customer records, and other critical business data.
Morphisec researchers observed that the attacks are deliberately planned rather than opportunistic: the lures, the targeting, and the use of a signed host binary all serve the goal of getting inside an organization and exfiltrating data without being detected.
Drive-By Download Scheme
Links to the fake Chrome sites are mostly spread through drive-by download schemes. Users searching for Chrome are directed to these malicious sites and download the fake installer, trusting it as legitimate software.
The tactic works because the victim intends to install Chrome and sees a site that looks like Google's. That one misplaced trust is enough to get the installer onto the device.
How ValleyRAT Works After Infection
Once ValleyRAT infects a system, it performs several malicious tasks:
- Monitoring screen content – The malware captures what’s displayed on the user’s screen.
- Keystroke logging – It records every keystroke, including sensitive information like passwords.
- Process enumeration – ValleyRAT scans the running processes and terminates specific ones, including security tools, to avoid detection.
- Payload loading – The malware downloads and runs additional malicious DLLs and binaries.
- Persistence – It makes sure it is relaunched after a reboot or logoff so the attackers keep their access.
This malware communicates with a remote server to receive further instructions. This gives attackers full control over the compromised system.
Connection to Gh0st RAT and PNGPlug
The ValleyRAT campaign is similar to previous attacks using Gh0st RAT. These earlier attacks also used fake Chrome installers to distribute malware.
The recent attacks also involve a DLL loader called PNGPlug, which helps deploy ValleyRAT and other malware. Overlaps in these loaders and lures are the evidence researchers cite for connecting the campaigns to the same group.
Real-World Example
Morphisec CTO Michael Gorelik confirmed that fake Chrome installer sites were used to distribute Gh0st RAT in earlier attacks. He also shared that the recent attacks specifically targeted Chinese-speaking users.
These attackers used Chinese-language web lures to trick victims into downloading the malware. The setup binary checks whether it is running with administrator privileges before carrying out its tasks, a common precaution in droppers so that later stages do not fail on a permissions error.
How to Stay Safe
You can protect yourself by following these steps:
- Download software only from official websites. Visit the vendor's own site, such as google.com for Chrome, and check the address bar before downloading. Avoid third-party download sites.
- Check the installer before running it. A genuine Chrome installer is digitally signed by Google; on Windows, the file's Properties dialog or the PowerShell cmdlet Get-AuthenticodeSignature will show the signer. An unsigned installer, or one packed inside a ZIP, is a warning sign.
- Use antivirus software. Reliable antivirus software can detect and block malicious installers. Keep it updated.
- Be cautious of drive-by downloads. Do not click on unknown links, and do not download files from unfamiliar sources.
- Regularly update your system. Security updates fix vulnerabilities that malware can exploit.
- Monitor unusual behavior on your system. If your system behaves strangely, or a trusted program is seen loading DLLs from a temporary folder, scan it for malware immediately.
Conclusion
ValleyRAT malware is a growing threat. Cybercriminals use fake Google Chrome sites and DLL hijacking to infect users’ systems. These attacks are sophisticated and carefully targeted.
Protect yourself by downloading software only from trusted sources. Stay alert and follow cybersecurity best practices. With the right precautions, you can avoid falling victim to these harmful attacks.