Full Report
The threat actor known as Silver Fox has turned its focus to India, using income tax-themed lures in phishing campaigns to distribute a modular remote access trojan called ValleyRAT (aka Winos 4.0). "This sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence," CloudSEK researchers Prajwal Awasthi and Koushik Pal said in an
Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
**Actor Identification:** Aggressive cybercrime group from China.
**Known Aliases:** SwimSnake, The Great Thief of Valley (Valley Thief), UTG-Q-1000, Void Arachne.
**Known Associations:** None explicitly detailed in this context other than its origin.
## Activity Summary
Silver Fox has recently focused phishing campaigns on users in India, utilizing lures themed around income tax documents. This activity aims to distribute the modular remote access trojan (RAT) ValleyRAT (aka Winos 4.0). The group typically employs a multi-pronged approach in their operations, ranging from espionage and intelligence gathering to financial gain. They have also been observed using SEO poisoning and phishing to deliver variants of Gh0st RAT.
## Tactics, Techniques & Procedures
- **Social Engineering:** Delivered malicious payloads via phishing emails using income tax-themed lures (decoy PDFs purporting to be from India's Income Tax Department).
- **Initial Execution:** Opening the decoy PDF led to the download of a ZIP file ("tax affairs.zip").
- **Installation:** Deployed from a Nullsoft Scriptable Install System (NSIS) installer ("tax affairs.exe").
- **DLL Hijacking/Sideloading:** Leveraged a legitimate Windows download manager executable ("thunder.exe") to sideload a rogue DLL ("libexpat.dll").
- **Persistence/Defense Evasion:** The rogue DLL disables the Windows Update service and performs anti-analysis/anti-sandbox checks.
- **Lateral Movement/Payload Delivery:** The DLL acts as a conduit for a Donut loader, which eventually injects the final ValleyRAT payload into a hollowed "explorer.exe" process.
- **RAT Functionality:** ValleyRAT keeps its plugins resident in the registry and delays its beaconing, which lets it persist while keeping noise low. It supports on-demand module delivery for tailored credential harvesting and surveillance.
- **Infrastructure Tracking:** A link management panel ("ssl3[.]space") was exposed; it is used to track click activity related to trojanized installers (e.g., Microsoft Teams, OpenVPN, Telegram).
## Targeting
- **Sectors:** Public, financial, medical, and technology sectors.
- **Geography:** Primarily Chinese-speaking individuals/organizations, with recent focus expanding to **India**.
- **Victims:** Organizations operating in the previously listed sectors.
## Tools & Infrastructure
- **Malware Families used:** ValleyRAT (aka Winos 4.0), Gh0stCringe, HoldingHands RAT (aka Gh0stBins).
- **Infrastructure (defanged):**
  - Initial download domain: `ggwk[.]cc`
  - Link tracking panel (C2 infrastructure): `ssl3[.]space`
- **Impersonated Software:** CloudChat, FlyVPN, Microsoft Teams, OpenVPN, QieQie, Santiao, Signal, Sigua, Snipaste, Sogou, Telegram, ToDesk, WPS Office, and Youdao.
## Implications
Silver Fox remains a sophisticated, highly adaptive threat actor originating from China, exhibiting motivations spanning espionage, intelligence collection, and financial gain. The combination of complex infection chains (DLL hijacking) and modular RAT deployment (ValleyRAT) allows them to establish deep, persistent, and low-noise access for tailored surveillance and data exfiltration against high-value targets in expanding geographies like India.
## Mitigations
- Apply heightened scrutiny to emails using tax-themed lures, particularly those requesting actions related to income tax documents.
- Implement application allow-listing or strict control over the execution of NSIS installers.
- Deploy controls to monitor and block DLL sideloading abuses, especially when associated with legitimate but uncommonly used executables (like Xunlei's thunder.exe).
- Monitor for endpoint modifications such as the disabling of the Windows Update service.
- Scan for indicators related to ValleyRAT, including the use of registry-resident plugins for persistence.
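The following is an added detection example, not code from the page or from CloudSEK, that turns two of the behaviours described in the kill chain and mitigations above into rules: thunder.exe loading a libexpat.dll that is unsigned or sits outside a trusted install root, and any process setting the Windows Update service (wuauserv) start type to 4 (Disabled). It runs over constructed Sysmon-style records (Event ID 7 image load, Event ID 13 registry value set); the Thunder install path used for the benign baseline record is assumed, not taken from the report.

```python
"""Detection rules for the Silver Fox / ValleyRAT chain described above.
Added example; runs over constructed Sysmon-style records, not real telemetry."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Host executables the report says were abused for sideloading, and the DLL
# name they were observed loading. Extend both sets from your own telemetry.
SIDELOAD_HOSTS = {"thunder.exe"}
SIDELOAD_DLLS = {"libexpat.dll"}

# Directory roots where a legitimately installed DLL is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

WUAUSERV_START = "services\\wuauserv\\start"
SERVICE_DISABLED = 4  # Start=4 is the "Disabled" start type

# Constructed Sysmon-style records (EventID 7 = image loaded, 13 = registry value set).
SAMPLE_EVENTS = [
    # Rogue DLL sideloaded from the extracted "tax affairs" folder (should alert)
    {"EventID": 7,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\tax affairs\\thunder.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\tax affairs\\libexpat.dll",
     "Signed": "false"},
    # Same DLL name, signed, loaded from an install directory (assumed path; benign baseline)
    {"EventID": 7,
     "Image": "C:\\Program Files (x86)\\Thunder\\thunder.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\Thunder\\libexpat.dll",
     "Signed": "true"},
    # Windows Update service start type set to 4 (Disabled) by the sideload host (should alert)
    {"EventID": 13,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\tax affairs\\thunder.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuauserv\\Start",
     "Details": "DWORD (0x00000004)"},
    # Same key set to 2 (Automatic) by the service control manager (benign)
    {"EventID": 13,
     "Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\wuauserv\\Start",
     "Details": "DWORD (0x00000002)"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    evidence: str


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _dword(details: str) -> Optional[int]:
    """Parse the numeric value out of a Sysmon 'DWORD (0x........)' Details field."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def check_sideload(ev: dict) -> Optional[Alert]:
    """Flag a watched host EXE loading a watched DLL that is unsigned or outside a trusted root."""
    if ev.get("EventID") != 7:
        return None
    host = PureWindowsPath(ev["Image"]).name.lower()
    dll = PureWindowsPath(ev["ImageLoaded"]).name.lower()
    if host not in SIDELOAD_HOSTS or dll not in SIDELOAD_DLLS:
        return None
    if _in_trusted_root(ev["ImageLoaded"]) and ev.get("Signed", "").lower() == "true":
        return None
    return Alert("dll_sideload", ev["Image"],
                 f"{dll} loaded from {ev['ImageLoaded']} (signed={ev.get('Signed')})")


def check_wuauserv_disabled(ev: dict) -> Optional[Alert]:
    """Flag any process writing Start=4 (Disabled) to the Windows Update service key."""
    if ev.get("EventID") != 13:
        return None
    if not ev.get("TargetObject", "").lower().endswith(WUAUSERV_START):
        return None
    if _dword(ev.get("Details", "")) != SERVICE_DISABLED:
        return None
    return Alert("wuauserv_disabled", ev["Image"], ev["TargetObject"])


RULES = (check_sideload, check_wuauserv_disabled)


def detect(events) -> list:
    """Run every rule over every event and collect the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.image}: {a.evidence}")
```

On the sample records only the two entries from the extracted "tax affairs" folder produce alerts; the signed DLL under the install root and the Start=2 write by services.exe stay quiet. The sideload rule deliberately keys on the DLL's location and signature rather than on the DLL name alone, because the same libexpat.dll name is what a legitimate install would load.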