    PNGPlug Loader Deploys ValleyRAT Malware via Fake Software Installers

    Cybersecurity researchers have uncovered a string of sophisticated cyberattacks targeting Chinese-speaking regions, including Hong Kong, Taiwan, and Mainland China. The attacks deliver the ValleyRAT malware through a multi-stage loader tracked as PNGPlug, according to a detailed report published by Intezer last week.

    The infection chain begins with a phishing website, meticulously crafted to lure victims into downloading a tampered Microsoft Installer (MSI) package disguised as authentic software.

    Upon execution, the installer launches a benign-looking application as a decoy to avoid arousing suspicion, while covertly extracting an encrypted archive that contains the malicious payload.

    “The MSI package leverages the Windows Installer’s CustomAction feature, enabling the execution of embedded malicious code. This includes invoking a malicious DLL to decrypt the archive (all.zip) using a hardcoded password, ‘hello202411,’ and extracting the core malware components,” explained security researcher Nicole Fishbein.

    The extracted components are a malicious DLL (libcef.dll), a legitimate decoy application (down.exe), and two payload files disguised as PNG images (aut.png and view.png).

    The PNGPlug loader’s primary function is to establish an environment for executing the core malware. It achieves this by injecting the two PNG files into memory, altering Windows Registry settings for persistence, and triggering the execution of ValleyRAT.
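Files that carry a .png name but are not images are a cheap thing to check for on a host or in a sandbox drop folder. The following is an added triage example written for this article; it is not code from Intezer's report or from the PNGPlug loader. It flags any *.png whose leading bytes are not the PNG signature, distinguishing a renamed Windows executable from an opaque, high-entropy blob (what an encrypted payload would look like). The sample files it writes are constructed for the demonstration; the article does not describe the real byte layout of aut.png or view.png, so those names are reused only as labels.

```python
"""Flag files that claim to be PNG images but do not start with the PNG signature.

Added defensive triage example, not code from the article or from Intezer's report.
The sample file contents are constructed here; the article does not describe the
real byte layout of aut.png or view.png.
"""
import math
import os
import random
import tempfile

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # 8-byte magic that every valid PNG starts with
PE_SIGNATURE = b"MZ"                    # DOS header magic of a Windows executable


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts if c)


def classify_png_claim(head: bytes) -> str:
    """Classify the leading bytes of a file whose name ends in .png.

    Returns 'png' for a genuine PNG header, 'pe' for a Windows executable,
    'high-entropy' for an opaque blob (likely encrypted payload), else 'unknown'.
    """
    if head.startswith(PNG_SIGNATURE):
        return "png"
    if head.startswith(PE_SIGNATURE):
        return "pe"
    if len(head) >= 256 and shannon_entropy(head) > 7.0:
        return "high-entropy"
    return "unknown"


def scan_directory(path: str, head_size: int = 4096) -> dict:
    """Return {filename: verdict} for every *.png in path that is not a real PNG."""
    findings = {}
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".png"):
            continue
        with open(os.path.join(path, name), "rb") as fh:
            head = fh.read(head_size)
        verdict = classify_png_claim(head)
        if verdict != "png":
            findings[name] = verdict
    return findings


def build_sample_dir() -> str:
    """Write three constructed files into a temp directory and return its path."""
    path = tempfile.mkdtemp(prefix="pngplug-triage-")
    # A minimal genuine PNG: signature followed by the start of an IHDR chunk.
    real_png = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
    # A PE file renamed to .png (constructed: MZ header plus filler).
    fake_pe = PE_SIGNATURE + b"\x90" * 62 + b"\x00" * 512
    # An opaque blob standing in for an encrypted payload (deterministic pseudo-random bytes).
    rng = random.Random(2024)
    fake_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    for name, data in (("logo.png", real_png), ("view.png", fake_pe), ("aut.png", fake_blob)):
        with open(os.path.join(path, name), "wb") as fh:
            fh.write(data)
    return path


if __name__ == "__main__":
    sample_dir = build_sample_dir()
    for name, verdict in scan_directory(sample_dir).items():
        print(f"{name}: {verdict}")
```

A signature check is necessary but not sufficient: a loader can also hide a payload behind a genuine PNG header by appending it after the IEND chunk. If that pattern is a concern, extend `classify_png_claim` to walk the chunk list to IEND and flag any trailing bytes.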

    Active in the wild since 2023, ValleyRAT is a remote access trojan (RAT) that grants attackers unauthorized control over compromised systems. Its recent versions boast additional features, including screenshot capture and the ability to purge Windows event logs.

    Cybersecurity analysts attribute the malware to a threat actor group tracked as Silver Fox, whose operations overlap with those of the Void Arachne cluster; both rely on the Winos 4.0 command-and-control (C&C) framework.

    What distinguishes this campaign is its strategic focus on Chinese-speaking users, leveraging software-themed decoys to initiate its attack chain.

    “Noteworthy is the attackers’ adept manipulation of legitimate software as a conduit for their malware, seamlessly merging malicious operations with genuine applications,” Fishbein observed.

    “The PNGPlug loader’s modular architecture magnifies its threat potential, as it can be adapted for a diverse range of cyber campaigns, underscoring the need for heightened vigilance.”
