CyberSecurity news


@securityonline.info //
A sophisticated cyber-espionage campaign is targeting organizations in Chinese-speaking regions, including China, Hong Kong, and Taiwan. The attacks, attributed to the Silver Fox APT group, employ a multi-stage loader called PNGPlug to deliver the ValleyRAT malware. The attack chain begins with phishing websites that trick victims into downloading malicious Microsoft Installer (MSI) packages disguised as legitimate software. Once executed, the installers deploy benign applications to maintain the illusion of legitimacy while extracting an encrypted archive containing the malware payload. The MSI package uses Windows Installer's CustomAction feature to execute malicious code, including a DLL that decrypts the archive with a hardcoded password and extracts the core components.

The PNGPlug loader is a key component of the attack, using files disguised as PNG images to conceal malicious payloads. These encoded PNG files carry components that are loaded directly into memory, allowing the attack to bypass security mechanisms. The loader decrypts the payloads, injects malicious code into processes, and patches ntdll.dll to enable memory injection. The ValleyRAT malware, a remote access trojan, is designed for stealth and persistence, using memory-based shellcode execution and privilege escalation. It establishes persistence through scheduled tasks and registry modifications, and fetches additional components from its command-and-control server. This campaign highlights the adaptability and sophistication of the Silver Fox APT group.
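A defender-side check that follows from the loader's use of image-named files: validate that anything carrying a .png name is structurally a PNG (signature, IHDR first, chunk CRCs, IEND last, no appended bytes). This is an added example, not code from the page or from any of the cited vendors; PNGPlug's actual encoding is not described here, so the script assumes only that a payload dressed as a PNG will fail ordinary structural checks, and all sample blobs are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_anomalies(data: bytes) -> list[str]:
    """Return structural anomalies for bytes that claim to be a PNG.
    Empty list = signature ok, IHDR first, all CRCs valid, IEND last."""
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings, pos, first = [], len(PNG_SIG), True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            return findings + [f"truncated chunk {ctype!r} at offset {pos}"]
        if first and ctype != b"IHDR":
            findings.append(f"first chunk is {ctype!r}, not IHDR")
        first = False
        # CRC-32 covers chunk type + body; a tampered chunk fails here.
        if zlib.crc32(ctype + body) != struct.unpack(">I", crc_bytes)[0]:
            findings.append(f"bad CRC on chunk {ctype!r} at offset {pos}")
        pos += 12 + length
        if ctype == b"IEND":
            if pos != len(data):  # payload hidden after the image ends
                findings.append(f"{len(data) - pos} trailing bytes after IEND")
            return findings
    return findings + ["no IEND chunk"]


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = struct.pack(">I", zlib.crc32(ctype + body))
    return struct.pack(">I", len(body)) + ctype + body + crc


# Constructed sample: a genuine 1x1 8-bit grayscale PNG.
GOOD_PNG = (PNG_SIG
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
            + _chunk(b"IEND", b""))
# Constructed sample: an encoded blob given a .png name, no image structure.
FAKE_NO_SIG = b"\x4d\x5a" + bytes(62)
# Constructed sample: a real PNG with opaque data appended after IEND.
FAKE_APPENDED = GOOD_PNG + bytes(range(256))

if __name__ == "__main__":
    for name, blob in [("good", GOOD_PNG), ("no_sig", FAKE_NO_SIG), ("appended", FAKE_APPENDED)]:
        print(name, png_anomalies(blob) or "clean")
```

Run it over a directory of downloaded "image" files and triage anything that returns a non-empty list; a legitimate PNG from a real installer should come back clean.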


References:
  • cyberpress.org: Hackers Weaponize MSI packages & PNG Files to Deliver Multi-stage Malware
  • gbhackers.com: Hackers Weaponize MSI Packages & PNG Files to Deliver Multi-stage Malware
  • securityonline.info: Silver Fox APT Targets Organizations with PNGPlug and ValleyRAT Malware
  • intezer.com: Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations
  • The Hacker News: PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
  • Cyber Security News: Hackers Weaponize MSI packages & PNG Files to Deliver Multi-stage Malware
Classification:
  • HashTags: #APT #Malware #CyberEspionage
  • Company: Intezer Labs
  • Target: Chinese-speaking Organizations
  • Attacker: Silver Fox APT
  • Product: PNGPlug
  • Feature: Multi-stage Loader
  • Malware: PNGPlug, ValleyRAT
  • Type: Malware
  • Severity: Major