The ValleyRAT malware represents a significant evolution in cyber threats, combining several techniques to keep control of compromised systems while evading detection. This analysis covers its behavior, technical composition, and its use of a stolen code-signing certificate to make its components appear trustworthy.
Affected: Windows systems, cybersecurity sector
Key points:
- The ValleyRAT malware utilizes sophisticated methods to evade detection and maintain persistence.
- A stolen code-signing certificate is used to sign its components, avoiding security mechanisms.
- Integration of the open-source rootkit Nidhogg allows for deeper control and evasion techniques.
- The malware disables Windows Defender by adding exclusions and can interrupt antivirus processes.
- It creates scheduled tasks to ensure its payloads run with elevated privileges.
MITRE Techniques:
- Application Layer Protocol: Use of a custom protocol over UDP and TCP for communication.
- Credential Dumping: Using tools like runtime.exe to terminate antivirus programs.
- Process Injection: Hiding malicious processes using the Nidhogg rootkit.
- Bypass User Account Control: Modifying registry settings to disable UAC prompts.
- Scheduled Task: Creating and deleting scheduled tasks for payload execution.
Indicators of Compromise:
- [SHA-256] 5a3c5aa184e4fdb2de4530c18adb9b12ffc1a101c86cde8de13ce49d7a7a2b44
- [Original Filename] klO2bH6zRBJ6nSx.exe
- [IP Address] 165.22.243.191
- [IP Address] 156.224.26.111
- [Domain] ti.twilight.zip
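A host triage script for the behaviours in the key points and the indicators listed above, added here as an example; it is not code from the original post or from the report it summarises. It assumes an elevated PowerShell session on a Windows host with Microsoft Defender, and that the standard UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin) are what the summary means by "registry settings", which the page does not confirm.

```powershell
# Added triage script (not from the original post). Run from an elevated
# PowerShell on Windows with Microsoft Defender present.
# ASSUMPTION: the UAC values checked below are the standard prompt-control
# values; the summary does not name which ones the malware changes.
$findings = New-Object System.Collections.Generic.List[string]

# Hash, IPs and domain exactly as listed in the summary above.
$iocHash   = '5a3c5aa184e4fdb2de4530c18adb9b12ffc1a101c86cde8de13ce49d7a7a2b44'
$iocIps    = @('165.22.243.191', '156.224.26.111')
$iocDomain = 'ti.twilight.zip'

# 1. Defender exclusions (the summary says ValleyRAT adds them).
$pref = Get-MpPreference
foreach ($x in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($x) { $findings.Add("Defender exclusion configured: $x") }
}

# 2. UAC prompt settings in the policy key.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -eq 0) { $findings.Add('UAC disabled (EnableLUA = 0)') }
if ($uac.ConsentPromptBehaviorAdmin -eq 0) { $findings.Add('Admins elevate without a prompt (ConsentPromptBehaviorAdmin = 0)') }

# 3. Scheduled tasks that run with highest privileges from user-writable paths.
foreach ($t in (Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq 'Highest' })) {
    foreach ($a in $t.Actions) {
        if ($a.Execute -match '\\(Users|Temp|ProgramData)\\') {
            $findings.Add("Elevated task '$($t.TaskName)' runs: $($a.Execute) $($a.Arguments)")
        }
    }
}

# 4. Running process images matching the reported SHA-256. The Nidhogg rootkit can
#    hide processes from user-mode enumeration, so a clean result is not conclusive.
foreach ($p in (Get-Process | Where-Object Path)) {
    try { $h = (Get-FileHash -Algorithm SHA256 -Path $p.Path).Hash.ToLower() } catch { continue }
    if ($h -eq $iocHash) { $findings.Add("Process $($p.Name) (PID $($p.Id)) matches the reported SHA-256") }
}

# 5. Live TCP connections to the reported IPs and cached lookups of the reported domain.
foreach ($c in (Get-NetTCPConnection | Where-Object { $iocIps -contains $_.RemoteAddress })) {
    $findings.Add("TCP connection to IoC $($c.RemoteAddress):$($c.RemotePort) from PID $($c.OwningProcess)")
}
if (Get-DnsClientCache | Where-Object { $_.Entry -like "*$iocDomain*" }) {
    $findings.Add("DNS cache contains $iocDomain")
}

if ($findings.Count -eq 0) { 'No ValleyRAT-related indicators found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the summary notes that Nidhogg hides malicious processes, a clean result from sections 4 and 5 should be confirmed from a memory capture or an offline disk image rather than trusted on its own.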
Full Story: https://medium.com/@shaurya1337/valleyrat-cleversoar-nidhogg-7600a548f587?source=rss——malware-5