Morphisec researchers have uncovered a new variant of the ValleyRAT malware that employs advanced evasion tactics, multi-stage infection chains, and novel delivery methods. The malware, linked to the Silver Fox APT group, primarily targets high-value individuals in finance, accounting, and sales to steal sensitive data. Unlike previous versions, which used PowerShell scripts and DLL hijacking, this variant leverages fake websites like "Karlos" and "anizomcom/" to distribute malicious .NET executables and DLL files. The malware injects itself into legitimate processes such as svchost.exe and uses techniques like DLL side-loading with Douyin and Valve game files to execute payloads undetected. It also employs Donut shellcode for in-memory execution while disabling security measures like AMSI and ETW.