Chinese-speaking Users Targeted with ValleyRAT and Sainbox RAT | Cyware Hacker News

Researchers have come across a new email phishing campaign that distributes a new ValleyRAT malware alongside Sainbox RAT and Purple Fox malware onto the victim’s systems. 

Active since the beginning of 2023, the campaign has been targeting Chinese-speaking users. So far, the researchers have observed over 30 attack campaigns leveraging these malware families and 20 campaigns since April 2023.

Campaign details

The campaign uses a variety of infrastructure, sender domains, and invoice-themed email lures to deliver the malware families. 

  • In one instance, the emails pretended to be from Chinese offices and invoicing companies to trick users into downloading Sainbox RAT onto their systems.
  • These attacks—launched between December 2022 and May 2023—against dozens of companies including those in the manufacturing and technology sectors.
  • Similarly, the ValleyRAT was observed being used as part of the campaign since March, with six attacks launched so far.
While a majority of lures are in Chinese, the attackers were also found using messages in Japanese to target victims. For instance, Proofpoint found at least three attacks using Japanese language invoice themes to target organizations in Japan with Purple Fox malware.

Know about ValleyRAT

  • Written in C++ and compiled in Chinese language, ValleyRAT includes the functionalities of a typical remote access trojan.
  • It uses raw sockets with a custom protocol to communicate with the C2 server. 
  • Upon execution, it uses the MD5 algorithm to encrypt and send system information such as OS information, kernel version, CPU name, architecture, and hardware profile.

The bottom line

Researchers anticipate more sophisticated attacks in the future with the appearance of ValleyRAT alongside the older malware families. Hence, organizations are advised to fortify their defense accordingly and stay prepared to tackle such threats at the early stage. To learn what’s brewing in the cybersecurity world and what are some quick actions to take to mitigate threats, situational and strategical awareness is a must.