Researchers Detailed ValleyRAT Password Stealing Techniques

Hackers use RATs to get unauthorized access and full control of the victim’s computer and all its functionalities and enable other malicious abilities.

They allow the threat actors to control the system and obtain useful information for their goals.


Zscaler researchers recently detailed ValleyRAT password-stealing techniques.

ValleyRAT Password Stealing Techniques

ValleyRAT is a remote access tool first observed in early 2023. Its primary aim is to compromise systems and deliver unauthorized access. A new campaign that delivers the latest version of ValleyRAT through several stages has recently been discovered.

The initial downloader fetches and decrypts XOR and RC4 encrypted files, including DLL payload.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The DLL checks for and kills certain security software processes, downloads more files, and then runs one file with admin privileges, consequently leading to the second stage.

The campaign employs an HFS server to download components and C2 communications. In addition, it further expands its capabilities with new commands, such as screenshotting and clearing logs, as part of its anti-AV evasion tactics in the latest version of ValleyRAT.

Attack chain (Source – Zscaler)

Here, WINWORD2013.EXE sideloads the malicious wwlib.dll loader that depacks and loads xig.ppt DLL using XOR and RC4 ciphering algorithms.

When it runs on a suspended svchost.exe process, Xig.ppt injects shellcode to be able to embed itself into the system, consequently adding WINWORD2013.EXE in autorun for persistence purposes.

The injected shellcode resolves APIs dynamically using BKDR hashing, retrieves a configuration containing C2 details, sends data to receive an encrypted 32-bit shellcode payload, decrypts it with XOR 0x36, and executes this next stage payload.

Persistence is achieved by adding the loader to autorun while hiding component files. This malware engages in process injection and API resolving tricks with multi-stage payload delivery for stealth.

An embedded DLL, which is loaded reflectively by the decrypted shellcode from C2, parses a configuration string with C2 details. The host checks whether its last payload has already been created by examining a specific property in the registry.

If not found, it generates an encrypted string and sends it to the C2, which will be used to download the payload’s data. That data is then stored at that same registry value for later use.

Finally, it executes the embedded DLL as ValleyRAT’s final payload and reads the Zscaler report.

In this iteration of ValleyRAT, new device fingerprinting fields were introduced, the bot ID generation algorithm was altered to include more system data and new commands was added.

This malware’s multi-stage payload delivery techniques, such as process injection, configuration parsing, and registry storage, ensure its stealth and persistence in an infected computer.

ValleyRAT is a highly advanced malware that uses complicated infection methods, DLL sideloading, and constant code updates that make it difficult for detectors’ including EDRs and anti-virus solutions.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.