# Full Report
Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT. The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China. "This actor has increasingly targeted key roles
# Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
Attributed to the threat actor tracked as **Silver Fox**. The actor has prior attack campaigns primarily targeting Chinese-speaking regions.
## Activity Summary
The group is actively distributing **ValleyRAT** (a remote access trojan) by leveraging deceptive websites posing as official Google Chrome download sites. This recent campaign involves leading victims to download a ZIP archive containing a malicious installer ("Setup.exe"). The malware has been active since at least 2023.
## Tactics, Techniques & Procedures
- **Distribution:** Use of fake software websites (e.g., fake Google Chrome sites) to lure victims into drive-by downloads.
- **Initial Execution:** Victims download a malicious ZIP containing "Setup.exe".
- **Privilege Escalation/Persistence:** The executable checks for administrator privileges.
- **Payload Delivery:** Downloads four additional payloads.
- **DLL Hijacking/Sideloading:** Uses a legitimate Douyin (TikTok Chinese version) executable ("Douyin.exe") to sideload a rogue DLL ("tier0.dll"), which subsequently launches the final ValleyRAT malware.
- **Co-infection:** Earlier chains were observed delivering ValleyRAT alongside other malware like Purple Fox and Gh0st RAT.
## Targeting
- Departments: Finance, Accounting, and Sales teams within organizations.
- Geography: Chinese-speaking regions, specifically Hong Kong, Taiwan, and Mainland China.
- Victims: Key roles within organizations holding access to sensitive data and systems.
## Tools & Infrastructure
- Malware families used: **ValleyRAT**, Purple Fox, Gh0st RAT.
- Infrastructure: The delivery chain downloads additional payloads, including a DLL named "sscronet.dll" (content truncated). A loader named **PNGPlug** was also previously associated with delivering ValleyRAT via counterfeit installers.
## Implications
Silver Fox exhibits a focused strategy targeting high-value positions (finance, accounting, sales) within organizations, suggesting an objective focused on financial fraud, data exfiltration, or corporate espionage linked to Chinese interests or markets. The sophisticated use of DLL sideloading via a legitimate, signed application increases the likelihood of evading basic security checks.
## Mitigations
- Exercise heightened caution when downloading software from third-party or non-official websites, especially for common applications like web browsers.
- Monitor for unexpected DLL loading behavior, particularly concerning legitimate executables used as loaders (e.g., "Douyin.exe").
- Implement strong application control or execution policies to restrict unauthorized DLL loading paths.
- Review security telemetry for the presence of ValleyRAT or its associated indicators, particularly in organizations operating in Chinese-speaking regions.
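As an added example, not code from the report or from any research on Silver Fox, the following Python script shows what the DLL-loading monitoring recommended above can look like in practice for the Douyin.exe / tier0.dll sideload pattern described under Tactics, Techniques & Procedures. It reads Sysmon Event ID 7 (Image loaded) records in JSON-lines form and flags loads that match the campaign's DLL or host names, loads where a host executable pulls a DLL from its own user-writable directory, and (only alongside another signal) unsigned DLLs. The DLL and host names come from this page; the file paths, the user-writable-directory heuristic, and the sample log lines are constructed assumptions.

```python
"""Flag likely DLL sideloading in Sysmon Event ID 7 (Image loaded) records.

Sysmon's real field names are used: Image (the loading process),
ImageLoaded (the DLL), Signed ("true"/"false"). Everything else below is a
constructed example for this page, not an artefact from the report.
"""
import json
from pathlib import PureWindowsPath

# Names taken from the campaign description on this page.
WATCHLIST_DLLS = {"tier0.dll", "sscronet.dll"}
WATCHLIST_HOSTS = {"douyin.exe"}
# Directory fragments a standard user can write to (assumed heuristic).
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\", "\\users\\public\\")


def _in_user_writable_dir(path: PureWindowsPath) -> bool:
    """True if any component of `path` looks like a user-writable location."""
    haystack = str(path).lower() + "\\"
    return any(marker in haystack for marker in USER_WRITABLE_MARKERS)


def analyze_image_load(event: dict) -> list[str]:
    """Return the reasons one Event ID 7 record looks like sideloading.

    An empty list means nothing matched. PureWindowsPath compares
    case-insensitively, so mixed-case paths still match.
    """
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    reasons = []
    if dll.name.lower() in WATCHLIST_DLLS:
        reasons.append(f"watchlisted DLL name: {dll.name}")
    if host.name.lower() in WATCHLIST_HOSTS:
        reasons.append(f"known sideload host: {host.name}")
    # The sideload shape: host and DLL sit in the same directory, and that
    # directory is somewhere a user (or a dropped installer) could write.
    if host.parent == dll.parent and _in_user_writable_dir(dll.parent):
        reasons.append("DLL loaded from host's own user-writable directory")
    if str(event.get("Signed", "true")).lower() == "false" and reasons:
        # Unsigned alone is noisy on real fleets; record it only with another signal.
        reasons.append("DLL is unsigned")
    return reasons


def scan_sysmon_jsonl(lines) -> list[tuple[str, list[str]]]:
    """Parse a JSON-lines Sysmon export and return (ImageLoaded, reasons) alerts."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        if str(event.get("EventID")) != "7":
            continue  # only Image loaded events are relevant here
        reasons = analyze_image_load(event)
        if reasons:
            alerts.append((event["ImageLoaded"], reasons))
    return alerts


# Constructed sample records; the paths are illustrative only.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\ChromeSetup\\Douyin.exe", "ImageLoaded": "C:\\Users\\alice\\Downloads\\ChromeSetup\\tier0.dll", "Signed": "false"}
{"EventID": 7, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "true"}
{"EventID": 7, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\updater.exe", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\upd\\version.dll", "Signed": "false"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
""".strip().splitlines()


def main():
    for dll, reasons in scan_sysmon_jsonl(SAMPLE_LOG):
        print(f"ALERT {dll}")
        for reason in reasons:
            print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

Run as-is, the script alerts on the first record (all four signals) and the fourth (generic same-directory load from Temp plus unsigned), while the Chrome and Program Files loads pass. The third record shows why the same-directory check is paired with the user-writable test: a vendor application loading its own helper DLL from Program Files is normal and should not page anyone. In production the JSON lines would come from a SIEM or Sysmon forwarder export rather than the inline sample.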