Good day everyone!

Today’s #readoftheday is brought to you by AnyRun and describes a campaign that has targeted Chinese-speaking users and distributing the malware known as #ValleyRAT. A RAT, which stands for remote access trojan, is a type of malware that is designed to allow the attacker to access and control a victim’s machine. This one targets the Windows operating system and employs a range of techniques to evade detection and is delivered when the first-stage loader is disguised as a legitimate application like Microsoft Office. When the unsuspecting victim executes the malware a decoy document is deployed and the executable loads the shellcode that advances the attack to the next stage.

Attackers have long since used files that are masqueraded as legitimate process, executables, and so on as well as using the technique of dropping a decoy document when the user executes malware. The idea here is a layered effect: one, the adversary abuses the trust a user has for legitimate file names and THEN provides something that the victim may have been expecting, basically giving the victim something as to not raise an alarm. This may be the delay that the attacker needs to get a stronger foothold in the environment and gain persistence.

Stay tuned for your threat hunting tip of the day, but until then, Happy Hunting!

New ValleyRAT Campaign Spotted with Advanced Techniques
https://any.run/cybersecurity-blog/new-valleyrat-campaign/?utm_source=linkedin&utm_medium=post&utm_campaign=threat-intelligence-explained&utm_content=blog&utm_term=220824/

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting

  • Just Another Blue Teamer@ioc.exchangeOP
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    For your threat hunting tip of the day:

    Once the malware was downloaded it started reaching out to some non-standard ports. Not only did the ports stick out as odd but the executables or programs doing it seemed strange as well. One example is the MSBuild.exe (an executable masquerading as a legitimate process) connected to an IP over port 6000.

    Using speedguide.net as a reference to see what legitimate programs use port 6000, I see Medal of Honor Rising Sun, Madden NFL 2005, Army of Two for the PlayStation 3, and other games. BUT, if we look at the first part of the table we see that it has been used by different trojans. So the question you should ask yourself is this: Is someone playing PlayStation in my corporate environment, and an old one at that, or is this strange port something I should look into?

    So, look for non-standard ports that aren’t tied to business or legitimate processes and do some research to see what they possibly could be! I hope this helps! Enjoy and Happy Hunting!

    @cyborg@ioc.exchange Security @Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting