
Bogus websites claiming to offer Google Chrome have been identified as vehicles for distributing the ValleyRAT malware, a remote access trojan. First detected in 2023, this malware is linked to a group known as Silver Fox, which has previously focused on Chinese-speaking areas such as Hong Kong, Taiwan, and Mainland China.
According to Shmuel Uzan from Morphisec, this threat actor has strategically targeted critical positions within organizations—especially in finance, accounting, and sales—aiming for individuals with access to sensitive information.
The malware’s distribution methods have varied, with early attacks including the delivery of ValleyRAT alongside other malware types such as Purple Fox and Gh0st RAT, a malware widely utilized by various Chinese hacking groups. Recently, fraudulent software installers have also been used to spread the trojan via a DLL loader named PNGPlug.
The current approach involves creating fake Chrome websites that deceive users into downloading a ZIP archive containing an executable named "Setup.exe." In a statement, Morphisec’s CTO Michael Gorelik pointed out that the malicious Google Chrome installation site has previously been exploited to distribute the Gh0stRAT payload.
The operation primarily targets Chinese-speaking users, as indicated by the utilization of Chinese languages in their deceptive tactics and applications designed for stealing data while avoiding detection. Links directing users to these fraudulent Chrome sites are frequently disseminated through drive-by download schemes. When unsuspecting users look for Chrome on search engines, they are led to these malicious sites, where they can unintentionally download the fake installer.
Once executed, the installer checks for administrative rights before downloading four additional payloads, including a legitimate executable tied to Douyin, the Chinese counterpart of TikTok. This executable is then used to load a rogue DLL, triggering the ValleyRAT malware.
ValleyRAT, crafted in Chinese and developed in C++, functions as a trojan designed to log keystrokes, monitor screen activity, and ensure its persistence on the infected device. The malware can communicate with a remote server to receive further instructions, enabling it to enumerate processes and execute arbitrary DLLs and executables.
The attackers have been noted for exploiting legitimate signed executables that are vulnerable to DLL search order hijacking for payload injection, emphasizing the evolving techniques employed by cybercriminals.
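The side-loading pattern described above (a legitimate signed executable loading a rogue DLL from its own directory) can be surfaced from image-load telemetry. The following Python is an added example, not code from Morphisec or this article; it assumes Sysmon-style key=value lines carrying Image, ImageLoaded and Signed fields, and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed records in the style of Sysmon "Image loaded" (Event ID 7);
# these are made-up sample lines, not telemetry from the reported campaign.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\alice\\Downloads\\Setup\\legit_signed.exe "
    "ImageLoaded=C:\\Users\\alice\\Downloads\\Setup\\helper.dll "
    "Signed=false SignatureStatus=Unavailable",
    "Image=C:\\Users\\alice\\Downloads\\Setup\\legit_signed.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll "
    "Signed=true SignatureStatus=Valid",
    "Image=C:\\Program Files\\Vendor\\app.exe "
    "ImageLoaded=C:\\Program Files\\Vendor\\plugin.dll "
    "Signed=false SignatureStatus=Unavailable",
]

# Roots where an unsigned DLL beside its host EXE is ordinary (installed software).
TRUSTED_ROOTS = ("c:\\windows", "c:\\program files", "c:\\program files (x86)")

# key=value pairs; values may contain spaces, so stop only before the next " key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Split one key=value event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def is_sideload_candidate(ev):
    """Flag an unsigned DLL loaded from the same user-writable directory as its host EXE.

    This is a triage signal, not a verdict: some legitimate installers also
    ship unsigned DLLs next to their executable.
    """
    if ev.get("Signed", "").lower() == "true":
        return False
    exe_dir = PureWindowsPath(ev["Image"]).parent
    dll_dir = PureWindowsPath(ev["ImageLoaded"]).parent
    if exe_dir != dll_dir:  # PureWindowsPath compares case-insensitively
        return False
    return not str(exe_dir).lower().startswith(TRUSTED_ROOTS)

def find_sideload_candidates(lines):
    """Return (exe, dll) pairs worth triaging from a batch of event lines."""
    return [(ev["Image"], ev["ImageLoaded"])
            for ev in map(parse_event, lines) if is_sideload_candidate(ev)]

if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {dll} loaded by {exe}")
```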
This information follows recent reports from Sophos regarding phishing efforts that use SVG attachments to bypass detection and deliver various types of malware, including keystroke loggers, or to redirect users to phishing sites for credential theft.