Hackers Weaponize MSI Packages & PNG Files To Deliver Multi-Stage Malware

A sophisticated cyberattack campaign targeting Chinese-speaking organizations in Hong Kong, Taiwan, and mainland China was recently uncovered by Intezer Labs.

The attackers are employing a multi-stage loader, dubbed PNGPlug, to deliver the notorious ValleyRAT malware.

The attack begins with a phishing webpage that lures victims into downloading a malicious Microsoft Installer (MSI) package disguised as legitimate software.

Security analysts also identified that, upon execution, the MSI package performs two critical tasks:

  • Deploying a benign application to maintain the illusion of legitimacy.
  • Extracting an encrypted archive containing the malware payload.

Technical Analysis

The MSI package leverages the Windows Installer’s CustomAction feature to execute malicious code, including a DLL that decrypts the archive using a hardcoded password.

This process extracts core malware components, including a loader (libcef.dll) and two PNG files containing encoded malicious payloads.
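The article does not say how the payloads are stored inside the PNG files, only that the images carry encoded malicious content. The following is an added example, not code from Intezer or from the article, of the structural triage a defender can run on image files recovered from a suspicious installer: it walks the PNG chunk sequence, flags non-standard chunk types and CRC mismatches, and reports any bytes appended after the IEND chunk together with their Shannon entropy (compressed or encrypted data sits near 8 bits per byte). The sample PNGs, the private chunk name `plDa` and the appended bytes are all constructed for illustration and are not artifacts from this campaign.

```python
"""Triage PNG files for hidden payloads: data appended after IEND, non-standard
chunks, CRC mismatches and high-entropy trailing bytes.
Added example; the sample PNGs below are constructed, not real campaign files."""
import math
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification (critical and ancillary).
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}


def make_chunk(ctype, body):
    """Build one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_chunks(data):
    """Walk the chunk sequence.

    Returns (chunks, trailing, complete): chunks is a list of (type, length, crc_ok),
    trailing is whatever follows IEND, complete is True only if IEND was reached.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            return chunks, b"", False  # chunk claims more bytes than the file has
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype, length, zlib.crc32(ctype + body) & 0xFFFFFFFF == crc))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:], True
    return chunks, b"", False


def shannon_entropy(blob):
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_png(data):
    """Return human-readable findings; an empty list means nothing unusual was seen."""
    findings = []
    chunks, trailing, complete = parse_chunks(data)
    for ctype, length, crc_ok in chunks:
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {ctype!r} ({length} bytes)")
        if not crc_ok:
            findings.append(f"CRC mismatch in chunk {ctype!r}")
    if not complete:
        findings.append("no IEND chunk (truncated or malformed)")
    elif trailing:
        findings.append(f"{len(trailing)} bytes after IEND "
                        f"(entropy {shannon_entropy(trailing):.2f})")
    return findings


# --- Constructed sample files (illustration only) ---
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # 1x1 pixel, 8-bit grayscale
_IDAT = zlib.compress(b"\x00\x00")                      # filter byte + one pixel
CLEAN_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", _IHDR)
             + make_chunk(b"IDAT", _IDAT) + make_chunk(b"IEND", b""))
# Bytes appended after IEND: image viewers still render the picture normally.
TRAILING_PNG = CLEAN_PNG + bytes(range(256)) * 4
# Data stashed in a private ancillary chunk (lowercase 1st and 2nd letters) before IEND.
STASHED_PNG = (PNG_SIGNATURE + make_chunk(b"IHDR", _IHDR) + make_chunk(b"IDAT", _IDAT)
               + make_chunk(b"plDa", b"\xAA" * 64) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("trailing", TRAILING_PNG), ("stashed", STASHED_PNG)):
        print(name, triage_png(blob) or ["ok"])
```

A clean image produces no findings; the appended-payload sample reports 1024 trailing bytes at maximum entropy, and the stashed-chunk sample reports the unknown chunk type. Neither finding proves malice on its own (some legitimate tools write private chunks), so treat them as a reason to pull the file for closer analysis rather than as a verdict.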

The PNGPlug loader, a key component of the attack, sets up the environment for malware execution through several sophisticated techniques.

It patches ntdll.dll to enable memory injection and checks for installed anti-virus software, specifically looking for the presence of 360 Total Security.

If the security software is absent, the loader injects the contents of a PNG file into a newly created process, executing the ValleyRAT malware.

ValleyRAT, attributed to the Silver Fox APT group, is a multi-stage malware that employs advanced techniques such as shellcode execution, obfuscation, privilege escalation, and persistence mechanisms.

It can monitor user activities, deliver plugins, and potentially install additional payloads.

What makes this campaign particularly noteworthy is its unique focus on Chinese-speaking victims across different regions, treating them as a unified target despite their distinct political landscapes.

The attackers’ use of legitimate software as a delivery mechanism for malware and the adaptability of the PNGPlug loader further highlight the sophistication of this threat.

The campaign also exposes potential operational gaps within targeted organizations, particularly the lack of investment in employee tools among some larger companies.

This oversight often forces employees to rely on free software, inadvertently increasing their vulnerability to such malicious campaigns.

Organizations are advised to implement robust cybersecurity measures, including employee education on phishing tactics, regular software updates, and the use of advanced threat detection tools to mitigate the risks posed by such sophisticated cyber threats.

Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.