Full Report
Cybereason Security Services issues Threat Analysis reports on threats with real-world impact. Each report investigates a threat and provides practical recommendations for protecting against it. In this Threat Analysis report, Cybereason Security Services investigates a fake installer attack we recently observed multiple times. We identified findings that have not been documented in previous reports and obtained new threat intelligence insights from the malware.
Analysis Summary
# Tool/Technique: ValleyRAT (Winos 4.0) / Fake Installer Campaign
## Overview
This report details an ongoing campaign in which malware disguised as a legitimate software installer (observed impersonating the LINE installer) ultimately deploys the **ValleyRAT** malware (also known as Winos 4.0). The campaign appears to target Chinese-speaking users and relies on obfuscated payloads (shellcode and configuration stored in `.ini` files) for execution and persistence.
## Technical Details
- **Type:** Malware family (ValleyRAT / Winos 4.0) delivered by a fake installer built with NSIS
- **Platform:** Windows
- **Capabilities:** Initial deployment via a fake installer, payload execution through a DLL loaded by `rundll32.exe` and a dropped executable, shellcode loaded from `.ini` files, C2 communication and payload download, code injection using PoolParty Variant 7 (not previously documented in ValleyRAT), and persistence via a scheduled task.
- **First Seen:** ValleyRAT was first identified in 2023; increased activity has been observed since early 2025.
## MITRE ATT&CK Mapping
Based on the behaviors described in this report (installer execution, file dropping, Windows Defender exclusion, shellcode loading, process injection, scheduled-task persistence):
- **TA0001 - Initial Access**
- The report does not document how the fake installer reaches victims, so no Initial Access technique is mapped. This is not a supply chain compromise (T1195): no legitimate vendor channel is compromised, the installer merely impersonates LINE (see T1036 under Defense Evasion).
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File (the victim runs the fake installer)
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
- T1053.005 - Scheduled Task/Job: Scheduled Task (task defined in an XML file)
- **TA0004 - Privilege Escalation**
- No UAC bypass is described. The only UAC-related observation is that the invalidly signed installer triggers the standard "unknown publisher" consent prompt (see Mitigation Strategies), so T1548.002 is not mapped.
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses: Disable or Modify Tools (PowerShell adds Windows Defender exclusions for entire drives)
- T1027 - Obfuscated Files or Information (shellcode and configuration stored in `.ini` files)
- T1218.011 - System Binary Proxy Execution: Rundll32 (`rundll32.exe` loads `intel.dll`)
- T1055 - Process Injection (PoolParty Variant 7)
- T1036 - Masquerading (installer impersonates LINE)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (C2 observed on TCP 443 and 18852)
- T1105 - Ingress Tool Transfer (a binary is downloaded from the C2 server)
## Functionality
### Core Capabilities
- **Initial Infection:** Delivered via a convincing fake installer (observed impersonating the LINE installer) built with NSIS.
- **Payload Staging:** Drops multiple files: a DLL (`intel.dll`), an executable (`chrmstp.exe`), configuration files carrying shellcode and settings (`config.ini`, `config2.ini`, `Sangee.ini`), a PowerShell script (`updated.ps1`), and an XML file (`PolicyManagement.xml`, consistent with the Task Scheduler XML used for persistence).
- **Execution Chain:** Running the fake installer spawns PowerShell (which adds Windows Defender exclusions for entire drives), `rundll32.exe` loading `intel.dll`, and `chrmstp.exe`.
- **Shellcode Loading:** `intel.dll` and `chrmstp.exe` read shellcode from the `.ini` configuration files and execute it in memory.
- **Watchdog Mechanism:** A watchdog routine monitors `config.ini` to keep the malware's persistence and functionality intact.
- **Persistence:** Uses Task Scheduler XML configuration files and PowerShell scripts similar to those seen in other malware targeting Chinese-speaking users.
### Advanced Features
- **Code Injection:** Uses **PoolParty Variant 7**, a Windows thread-pool-based process injection technique. Its use by ValleyRAT had not been documented before this analysis.
- **Payload Download:** Attempts to download and execute an additional binary from the C2 server.
## Indicators of Compromise
- **File Hashes (SHA-1):**
- `b02a99344f2fa81636ad913f805b52051debe529` (Fake Installer: LineInstaller.exe)
- `b4feadbada51e68852a8a732f0e79ae725a755a4` (intel.dll)
- `51330636e299128c026c77cbc77dc24f3db49336` (Config2.ini)
- `9120e22231ea9f597d8bb62d46e4775bd3fe5ccb` (Config2.ini)
- `fab0802c3978f096223ff3b29188c3617e3cfa62` (chrmstp.exe)
- `da64ac77059050fdf30143da3671d41fff872689` (Sangee.ini)
- `8e7e3a910f06310ca9fe1d07fd1a4208eeb53a25` (PolicyManagement.xml)
- `2fd374f17e059cb16e530c3b73b883d5c57ce0f0` (updated.ps1)
- **File Names:** LineInstaller.exe, intel.dll, chrmstp.exe, updated.ps1, PolicyManagement.xml.
- **Registry Keys:** None reported; persistence is implemented through a Task Scheduler XML configuration file.
- **Network Indicators:**
- C2 Server 1: `143.92.38[.]217:18852`
- C2 Server 2: `206.238.221[.]165:443`
- **Behavioral Indicators:**
- Files dropped into `%AppData%\TrustAsia` and into folders under `%LOCALAPPDATA%`.
- `rundll32.exe` loading `intel.dll`, and execution of the dropped `chrmstp.exe`.
- PowerShell adding Windows Defender exclusions for entire drives.
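The following host sweep is an added example, not code from the Cybereason report. It checks an endpoint for the indicators listed above: it hashes files whose names match the dropped file names under the drop directories, looks for scheduled tasks whose action launches a dropped file, and looks for established connections to the two C2 endpoints. The hashes, file names, paths and C2 addresses come from the IOC list; the cmdlets are standard Windows PowerShell. Run it from an elevated session so that every user profile, task and connection is visible.

```powershell
# Added example (not from the report): sweep a host for the IOCs listed above.
# Run elevated for full visibility of profiles, tasks and connections.

$IocSha1 = @{
    'b02a99344f2fa81636ad913f805b52051debe529' = 'LineInstaller.exe'
    'b4feadbada51e68852a8a732f0e79ae725a755a4' = 'intel.dll'
    '51330636e299128c026c77cbc77dc24f3db49336' = 'Config2.ini'
    '9120e22231ea9f597d8bb62d46e4775bd3fe5ccb' = 'Config2.ini'
    'fab0802c3978f096223ff3b29188c3617e3cfa62' = 'chrmstp.exe'
    'da64ac77059050fdf30143da3671d41fff872689' = 'Sangee.ini'
    '8e7e3a910f06310ca9fe1d07fd1a4208eeb53a25' = 'PolicyManagement.xml'
    '2fd374f17e059cb16e530c3b73b883d5c57ce0f0' = 'updated.ps1'
}
$IocNames = @('LineInstaller.exe', 'intel.dll', 'chrmstp.exe', 'updated.ps1',
              'PolicyManagement.xml', 'config.ini', 'config2.ini', 'Sangee.ini')
# C2 endpoints as "address:port" keys for a cheap -contains lookup.
$IocC2 = @('143.92.38.217:18852', '206.238.221.165:443')

function Find-IocFiles {
    # Hash every file under $Roots whose name is on the IOC list. A hash hit is
    # 'Confirmed'; a name-only hit is 'NameMatch' (the two Config2.ini hashes
    # show that the configuration file varies between samples).
    param([Parameter(Mandatory)] [string[]] $Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $IocNames -contains $_.Name } |
            ForEach-Object {
                $sha1  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower()
                $match = if ($IocSha1.ContainsKey($sha1)) { 'Confirmed' } else { 'NameMatch' }
                [pscustomobject]@{ Path = $_.FullName; Sha1 = $sha1; Match = $match }
            }
    }
}

function Find-IocScheduledTasks {
    # Tasks whose action references a dropped file or the drop directory.
    $pattern = 'intel\.dll|updated\.ps1|chrmstp\.exe|TrustAsia'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $action = "$($a.Execute) $($a.Arguments)"
            if ($action -match $pattern) {
                [pscustomobject]@{ TaskName = $task.TaskName; TaskPath = $task.TaskPath; Action = $action }
            }
        }
    }
}

function Find-IocConnections {
    # TCP connections to either C2 endpoint, with the owning process name.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $IocC2 -contains "$($_.RemoteAddress):$($_.RemotePort)" } |
        Select-Object RemoteAddress, RemotePort, State, OwningProcess,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

# Drop locations from the report, for the current user and (when elevated) every profile.
$dropRoots = @("$env:APPDATA\TrustAsia", $env:LOCALAPPDATA)
$dropRoots += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData' }

if (Test-Path -LiteralPath "$env:APPDATA\TrustAsia") {
    Write-Warning "Drop directory present: $env:APPDATA\TrustAsia"
}
Find-IocFiles -Roots ($dropRoots | Select-Object -Unique) | Format-Table -AutoSize
Find-IocScheduledTasks | Format-Table -AutoSize -Wrap
Find-IocConnections    | Format-Table -AutoSize
```

A `NameMatch` result on `Config2.ini` or `Sangee.ini` still deserves a look: the two listed `Config2.ini` hashes show the configuration file changes between samples, so a hash miss on a file with that name in `%AppData%\TrustAsia` is not a clean bill of health.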
## Associated Threat Actors
- **Silver Fox APT** (ValleyRAT is attributed to this group).
## Detection Methods
- **Signature-based detection:** Hash matching against the listed IOCs. Note that the two `Config2.ini` hashes show the configuration file varies between samples, so hashes alone are brittle for this family.
- **Behavioral detection:** Monitor for NSIS installer processes dropping DLLs or scripts into `%AppData%` or `%LOCALAPPDATA%`, `rundll32.exe` loading DLLs from user-writable directories, and PowerShell adding Windows Defender exclusions (e.g. `Add-MpPreference -ExclusionPath` on a drive root).
- **YARA rules:** Not provided in the summary text.
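The behavioral rules above, and the execution chain described under Functionality, as an added example that is not code from the Cybereason report. It runs over process-creation events (Sysmon Event ID 1) and flags the three behaviors the report describes: PowerShell adding a Windows Defender exclusion, `rundll32.exe` loading a DLL from a user profile path, and `chrmstp.exe` executing from a user profile path, with an extra note when the parent is the observed installer name. The field names `Image`, `CommandLine` and `ParentImage` are Sysmon's; the sample events at the end are constructed for the demonstration (including the `,Main` export name, which is a placeholder) and are not real telemetry.

```powershell
# Added example (not from the report): behavioral hunt for the fake installer
# execution chain over Sysmon process-creation events.

function ConvertFrom-SysmonEvent {
    # Flatten a Sysmon EventRecord's EventData (Name/#text pairs) into an object.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-FakeInstallerFindings {
    # Returns one object per suspicious process with every rule it matched.
    # -match is case-insensitive in PowerShell, so paths need no (?i).
    param([Parameter(Mandatory)] [object[]] $Events)

    $userProfile = '\\Users\\[^\\]+\\AppData\\'
    foreach ($e in $Events) {
        $img     = [string]$e.Image
        $cmd     = [string]$e.CommandLine
        $parent  = [string]$e.ParentImage
        $reasons = @()

        # Rule 1: PowerShell adding a Defender exclusion; the dropper excludes whole drives.
        if ($img -match '\\powershell(_ise)?\.exe$' -and
            $cmd -match 'Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b') {
            $reasons += 'PowerShell adds a Windows Defender exclusion'
            if ($cmd -match '-ExclusionPath\s+["'']?[A-Z]:\\?["'']?(\s|,|$)') {
                $reasons += 'exclusion covers an entire drive'
            }
        }
        # Rule 2: rundll32 loading a DLL that lives under a user profile (intel.dll in AppData).
        if ($img -match '\\rundll32\.exe$' -and $cmd -match ($userProfile + '[^"\s]*\.dll')) {
            $reasons += 'rundll32 loads a DLL from a user-writable path'
        }
        # Rule 3: the dropped executable running out of a user profile directory.
        if ($img -match ($userProfile + '.*\\chrmstp\.exe$')) {
            $reasons += 'chrmstp.exe executes from a user profile path'
        }
        # Context: spawned directly by the installer name seen in this campaign.
        if ($reasons.Count -gt 0 -and $parent -match '\\LineInstaller\.exe$') {
            $reasons += 'parent process is LineInstaller.exe'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Image = $img; Parent = $parent; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample events (not real telemetry). The ",Main" export is a placeholder.
$sample = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\, D:\"'
        ParentImage = 'C:\Users\victim\Downloads\LineInstaller.exe'
    },
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\rundll32.exe'
        CommandLine = 'rundll32.exe "C:\Users\victim\AppData\Roaming\TrustAsia\intel.dll",Main'
        ParentImage = 'C:\Users\victim\Downloads\LineInstaller.exe'
    },
    [pscustomobject]@{
        Image       = 'C:\Users\victim\AppData\Local\Temp\chrmstp.exe'
        CommandLine = '"C:\Users\victim\AppData\Local\Temp\chrmstp.exe"'
        ParentImage = 'C:\Users\victim\Downloads\LineInstaller.exe'
    },
    [pscustomobject]@{   # benign control event: must not be flagged
        Image       = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p'
        ParentImage = 'C:\Windows\System32\services.exe'
    }
)
Get-FakeInstallerFindings -Events $sample | Format-Table -AutoSize -Wrap

# Live hunt over today's Sysmon process-creation events (uncomment on a host with Sysmon):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).Date } |
#     ForEach-Object { ConvertFrom-SysmonEvent -Record $_ }
# Get-FakeInstallerFindings -Events $live | Format-Table -AutoSize -Wrap
```

Rule 1 is the highest-signal item: `Add-MpPreference -ExclusionPath` on a drive root is rare in legitimate administration and is what the dropper does first. Rule 2 will also catch other DLL-sideloading and `rundll32` abuse from `%AppData%`, which is usually what you want from a hunt, so triage hits by parent process rather than suppressing the rule.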
## Mitigation Strategies
1. **Verify Software Sources:** Only download software from official, known-good vendor websites.
2. **Certificate Validation:** Do not run executables that lack a valid, verifiable Authenticode signature. An unsigned or invalidly signed installer produces a UAC prompt showing "Unknown publisher"; if this appears, cancel execution.
3. **Certificate Enforcement (Organizational):** Configure endpoints with application control (for example AppLocker or Windows Defender Application Control publisher rules) so that only executables signed by trusted publishers can run. This enforces the check at the system level instead of relying on the user noticing the prompt.
4. **Publisher Verification:** Always confirm that the certificate's publisher name matches the actual software vendor before execution; a valid signature alone only proves that someone holding a CA-issued certificate signed the file.
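The pre-execution checks in items 2 and 4, as an added example that is not code from the Cybereason report. `Get-AuthenticodeSignature` and the `Zone.Identifier` alternate data stream (Mark of the Web) are standard Windows features. The publisher string passed at the bottom, `LINE Corporation`, is an assumption for the demonstration, not a verified value for LINE's signing certificate; take the expected name from a known-good copy of the software before relying on it.

```powershell
# Added example (not from the report): verify an installer's signature status,
# publisher name and download origin before running it.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher   # exact subject CN you expect
    )
    $result = [pscustomobject]@{
        Path = $Path; Status = $null; Publisher = $null; Issuer = $null
        FromInternet = $false; Ok = $false; Reason = $null
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $result.Reason = 'file not found'
        return $result
    }

    # Mark of the Web: ZoneId=3 means the file was downloaded from the Internet.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $result.FromInternet = [bool]($zone -match '^ZoneId=3')

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.Status = $sig.Status
    # Any status other than Valid (NotSigned, HashMismatch, NotTrusted, ...) is the
    # case where the UAC prompt shows "Unknown publisher". Stop here.
    if ($sig.Status -ne 'Valid') {
        $result.Reason = "signature status is $($sig.Status)"
        return $result
    }

    # GetNameInfo(SimpleName) returns the CN without hand-parsing the DN string.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cert = $sig.SignerCertificate
    $result.Publisher = $cert.GetNameInfo($nameType, $false)
    $result.Issuer    = $cert.GetNameInfo($nameType, $true)

    # A valid signature only proves that some CA-issued certificate signed the
    # file; the publisher must be the vendor you meant to install from.
    if ($result.Publisher -ne $ExpectedPublisher) {
        $result.Reason = "signed by '$($result.Publisher)', expected '$ExpectedPublisher'"
        return $result
    }
    $result.Ok = $true
    $result.Reason = 'valid signature from the expected publisher'
    return $result
}

# Demo run. 'LINE Corporation' is an ASSUMED publisher name, not a verified value.
$r = Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\LineInstaller.exe" -ExpectedPublisher 'LINE Corporation'
$r | Format-List
if (-not $r.Ok) { Write-Warning "Do not run $($r.Path): $($r.Reason)" }
```

An installer without a valid signature, like the fake installer described in this report, fails at the `Status` check before the publisher is even compared. The `FromInternet` flag is informational: a downloaded file is exactly the case where the remaining checks matter most. For the organizational control in item 3, the same publisher comparison is what an AppLocker or WDAC publisher rule enforces for every launch, without depending on the user.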
## Related Tools/Techniques
- Other fake installers reported impersonating LetsVPN.
- Prior ValleyRAT techniques leveraging HTTP File Server exploitation and DLL sideloading.
- Recent ValleyRAT attacks using Microsoft-signed drivers.