ValleyRAT has been identified as a sophisticated remote access trojan that emerged in early 2023. It targets Windows systems with a particular focus on Chinese-language users and organizations. The malware utilizes a multi-stage infection process consisting of a downloader, loader, injector, and final payload, making it difficult for security teams to detect and remove. One notable feature is its geographic kill switch, which queries the Windows Registry for the presence of specific applications before execution. If neither WeChat nor DingTalk registry entries are found, the malware terminates immediately.
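The registry presence check described above is the part of the chain an analyst runs into first: a sample with this kill switch exits on any host that does not look like a WeChat or DingTalk user. The PowerShell below is an added example, not code from the article or from Picus Security. It reproduces the shape of such a check against the standard Uninstall keys and shows how to seed a placeholder entry so the sample keeps running in a detonation sandbox. The article does not state which registry values ValleyRAT actually reads, so the Uninstall hive, the DisplayName match and the marker key name are all assumptions.

```powershell
# Added example, not from the article or Picus Security.
# Assumption: the malware's check resembles looking for an installed-application
# footprint; the Uninstall keys below stand in for whatever keys it really reads.

$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-ChatAppFootprint {
    # Emits one object per uninstall entry whose DisplayName mentions WeChat or
    # DingTalk; emits nothing when neither application is registered.
    foreach ($root in $UninstallPaths) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props.DisplayName -match 'WeChat|DingTalk') {
                [pscustomobject]@{ Key = $_.PSPath; DisplayName = $props.DisplayName }
            }
        }
    }
}

function Test-KillSwitchWouldFire {
    # $true when the host shows no footprint, i.e. a sample gated this way
    # would terminate here instead of running its later stages.
    return -not (Get-ChatAppFootprint)
}

function Add-SandboxChatAppMarker {
    # Seeds a placeholder uninstall entry under HKCU (no admin rights needed) so a
    # detonation VM presents a WeChat footprint. Hypothetical key name; delete the
    # key after analysis so the VM snapshot stays clean.
    param([ValidateSet('WeChat', 'DingTalk')][string]$Name = 'WeChat')
    $key = Join-Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' "SandboxMarker_$Name"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DisplayName -Value $Name -PropertyType String -Force | Out-Null
    return $key
}

if (Test-KillSwitchWouldFire) {
    Write-Host 'No WeChat/DingTalk footprint: a sample gated on this check would exit on this host.'
    Write-Host 'Run Add-SandboxChatAppMarker before detonating it in a sandbox.'
} else {
    Get-ChatAppFootprint | Format-Table -AutoSize
}
```

The point of seeding rather than patching the binary is that the check is only the first gate; later stages may repeat it, and a registry marker survives across the downloader, loader and injector without any per-stage patching.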
Security analysts from Picus Security have highlighted several advanced evasion techniques employed by ValleyRAT, including multiple User Account Control (UAC) bypass methods and access-token manipulation to obtain elevated privileges. The trojan executes its payload through the legitimate MSBuild.exe, so that its activity blends in with normal build and system operations. In addition, extensive anti-analysis checks let it recognise and evade virtual machines and sandboxes, making it a significant threat to the organizations it targets.
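Because MSBuild.exe is a signed Microsoft binary, the execution path described above leaves no suspicious image name to alert on; what stands out is the context around the process. The PowerShell below is an added hunting example, not code from the article or from Picus Security. It scores MSBuild.exe process-creation events by parent process and by where the project file lives, runs that logic over constructed sample records so it works offline, and includes a helper that pulls real Sysmon Event ID 1 records. The assumption that Sysmon is deployed, the parent-process allowlist and the user-writable path list are all mine, not details from the article.

```powershell
# Added example, not from the article or Picus Security.
# Assumptions: Sysmon process-creation logging (Event ID 1) is available, and a
# build toolchain normally launches MSBuild.exe from one of the parents below.

$BuildToolParents = @('devenv.exe', 'dotnet.exe', 'msbuild.exe', 'nuget.exe')

function Test-SuspiciousMsBuild {
    # Returns $null for non-MSBuild events, otherwise an object with the reasons
    # (empty reasons == benign-looking build activity).
    param([Parameter(Mandatory)][pscustomobject]$Event)
    if ((Split-Path -Path $Event.Image -Leaf) -ine 'MSBuild.exe') { return $null }

    $reasons = @()
    $parent = (Split-Path -Path $Event.ParentImage -Leaf).ToLower()
    if ($BuildToolParents -notcontains $parent) {
        $reasons += "parent '$parent' is not a build tool"
    }
    if ($Event.CommandLine -match '(?i)\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\') {
        $reasons += 'project file under a user-writable path'
    }
    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        Parent      = $parent
        CommandLine = $Event.CommandLine
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

function Get-MsBuildProcessEvents {
    # Live query: flattens Sysmon Event ID 1 XML into the fields the scorer uses.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Image       = $data['Image']
            ParentImage = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    } | Where-Object { $_.Image -like '*\MSBuild.exe' }
}

# Constructed sample records (not real telemetry): one ordinary build, one
# MSBuild launch from Explorer with a project file sitting in the user's Temp folder.
$SampleEvents = @(
    [pscustomobject]@{
        TimeCreated = '2024-01-10 09:12:01'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
        ParentImage = 'C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe'
        CommandLine = 'MSBuild.exe C:\src\app\app.csproj /t:Build'
    },
    [pscustomobject]@{
        TimeCreated = '2024-01-10 09:14:37'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'MSBuild.exe C:\Users\alice\AppData\Local\Temp\update.xml'
    }
)

$SampleEvents | ForEach-Object { Test-SuspiciousMsBuild -Event $_ } |
    Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

To hunt on a real host, replace `$SampleEvents` with `Get-MsBuildProcessEvents -Hours 72`. Developer workstations will produce the parent-process reason for legitimate scripted builds, so tune the allowlist there; the user-writable-path reason is the stronger signal and rarely fires on genuine build servers.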
👉 Read the original: Cyber Security News