Researchers have uncovered a new email phishing campaign that delivers the newly identified ValleyRAT malware, alongside Sainbox RAT and Purple Fox, to victims' systems.
The campaign uses a variety of infrastructure, sender domains, and invoice-themed email lures to deliver the malware families.
- In one instance, the emails purported to come from Chinese businesses and invoicing companies to trick users into downloading Sainbox RAT onto their systems.
- These attacks, launched between December 2022 and May 2023, targeted dozens of companies, including those in the manufacturing and technology sectors.
- Similarly, ValleyRAT has been used in the campaign since March, with six attacks observed so far.
Know about ValleyRAT
- Written in C++ and built with Chinese-language strings, ValleyRAT provides the functionality of a typical remote access trojan.
- It uses raw sockets with a custom protocol to communicate with the C2 server.
- Upon execution, it collects system information such as OS details, kernel version, CPU name, architecture, and hardware profile, applies MD5 to the collected values, and sends the result to the C2 server. Note that MD5 is a one-way hash, not an encryption algorithm: the digests cannot be decrypted, but because fields like OS name and architecture come from a small set of possible strings, an analyst can still recover them by hashing candidate values and comparing.
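The following is an added example, not code from the original report or from ValleyRAT itself, showing why MD5-hashing low-entropy host fingerprint fields is not meaningful protection. The field names, the candidate value lists, and the sample host profile are constructed assumptions for illustration; ValleyRAT's real field layout and wire format are not described here.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed sample host profile: the kind of fields the report says the RAT
# collects. These values are made up for the example, not captured data.
SAMPLE_HOST = {
    "os": "Windows",
    "kernel": "10.0.19045",
    "arch": "AMD64",
    "cpu": "Intel64 Family 6 Model 158 Stepping 10, GenuineIntel",
}

# Assumed candidate dictionaries an analyst might keep for each field.
# Fields with a small value space (OS, architecture) are trivially reversible;
# high-entropy fields (a full CPU string) need a larger dictionary.
CANDIDATES: Dict[str, List[str]] = {
    "os": ["Windows", "Linux", "Darwin"],
    "arch": ["AMD64", "x86_64", "x86", "ARM64", "aarch64"],
    "kernel": ["10.0.19041", "10.0.19044", "10.0.19045", "10.0.22621"],
    "cpu": ["Intel64 Family 6 Model 158 Stepping 10, GenuineIntel"],
}


def md5_hex(value: str) -> str:
    """MD5 of a UTF-8 string as lowercase hex. MD5 is a hash, not a cipher."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def hash_profile(profile: Dict[str, str]) -> Dict[str, str]:
    """Model the malware side: hash every fingerprint field before sending."""
    return {name: md5_hex(value) for name, value in profile.items()}


def reverse_field(name: str, digest: str,
                  candidates: Dict[str, List[str]] = CANDIDATES) -> Optional[str]:
    """Analyst side: recover a field by hashing candidates and comparing.

    Returns the matching plaintext, or None if no candidate hashes to digest.
    """
    for candidate in candidates.get(name, []):
        if md5_hex(candidate) == digest:
            return candidate
    return None


def reverse_profile(hashed: Dict[str, str],
                    candidates: Dict[str, List[str]] = CANDIDATES) -> Dict[str, Optional[str]]:
    """Recover every field for which a candidate matches; None marks unknowns."""
    return {name: reverse_field(name, digest, candidates)
            for name, digest in hashed.items()}


if __name__ == "__main__":
    sent = hash_profile(SAMPLE_HOST)
    for name, digest in sent.items():
        print(f"{name}: {digest} -> {reverse_field(name, digest)}")
```

The point for defenders is that an MD5 digest of "Windows" or "AMD64" is a stable fingerprint, so the same hashed values will recur across victims with the same configuration and can be matched directly in network telemetry without any key.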