APT Silver Fox Utilizing Stock Investment Decoy and Undocumented Windows API to Evade Detection
The article provides a detailed analysis of ValleyRAT, a remote access Trojan used by the Silver Fox threat organization. The malware employs various techniques, including deploying both a Trojan and a decoy PDF, to deceive victims while establishing a connection to a command and control server. The analysis highlights the malware’s methods of evading detection and executing its payload. Affected: ValleyRAT, Silver Fox threat organization, user systems

Key points:

  • ValleyRAT is a remote access Trojan used by the Silver Fox threat organization.
  • Analyzed sample shows it releases a Trojan named “moomoo x64.exe” and a decoy PDF file “UUU.pdf.”
  • The decoy PDF aims to distract victims while the Trojan operates in the background.
  • Communication between the Trojan and the server involves connecting to a specific IP address and port.
  • The malware employs shellcode for operations that include modifying memory permissions.
  • Multiple undocumented Windows API functions are utilized for evading detection.
  • The code implements anti-debug techniques to deter analysis by researchers.
  • A pseudo-random value derived from system information is used by the malware as an additional protective measure.
  • Unused URL addresses were cleared at the end of the malware’s operation process.
  • The report concludes that ValleyRAT remains a hidden threat that requires continued observation.

MITRE Techniques:

  • T1071: Application Layer Protocol – The malware uses HTTP for communication with its command and control server.
  • T1059: Command and Scripting Interpreter – Executes shellcode to manipulate memory and launch processes.
  • T1203: Exploitation for Client Execution – Deployment of a decoy PDF to lure victims and facilitate exploitation.
  • T1070: Indicator Removal on Host – The malware clears unused URLs from memory to avoid detection.
  • T1411: Scheduled Task/Job – Contains loops in its code to simulate delays, possibly for anti-debugging.

Indicators of Compromise:

  • [MD5] ValleyRAT md5: 6923AB76F93C6D48B025D27A37E20D14
  • [MD5] moomoo x64.exe md5: 11B499CC40D08A10C107A6FB55A31B65
  • [MD5] UUD.pdf md5: C4FD1E5F9DF850878E7B770F50031FD2
  • [IP Address] 104[.]219[.]214[.]206
  • [URL] hxxps[:]//www[.]baidu[.]com/
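The indicators above are published in defanged form (hxxps, [.], [:]), so they cannot be grepped for directly. The following Python script, added here as an example and not part of the original report, refangs the report's indicators and scans a few constructed endpoint and proxy log lines for them. The log format, hostnames and timestamps are invented for the example; the hashes, IP address and URL are the ones listed above. The baidu.com URL is a legitimate site that the report notes only as a cleared, unused address, so it is tagged low confidence rather than treated as a C2 indicator.

```python
import re
from typing import Dict, List, Tuple

# Indicators copied from the report above, kept in their defanged form.
# Severity is an editorial assumption: hashes and the C2 address are high
# confidence; the baidu.com URL is a legitimate site and only low confidence.
IOCS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "md5": {
        "6923AB76F93C6D48B025D27A37E20D14": ("ValleyRAT sample", "high"),
        "11B499CC40D08A10C107A6FB55A31B65": ("moomoo x64.exe", "high"),
        "C4FD1E5F9DF850878E7B770F50031FD2": ("UUD.pdf decoy", "high"),
    },
    "ip": {"104[.]219[.]214[.]206": ("ValleyRAT C2 address", "high")},
    "url": {"hxxps[:]//www[.]baidu[.]com/": ("unused URL cleared by the malware", "low")},
}


def refang(value: str) -> str:
    """Convert a defanged indicator back to its live form for matching."""
    live = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)


def build_matchers() -> List[Tuple[re.Pattern, str, str, str]]:
    """Compile one regex per indicator, anchored so IPs cannot match prefixes."""
    matchers = []
    for h, (label, sev) in IOCS["md5"].items():
        matchers.append((re.compile(re.escape(h), re.IGNORECASE), "md5", label, sev))
    for ip, (label, sev) in IOCS["ip"].items():
        # Negative lookarounds stop 104.219.214.206 matching inside 104.219.214.2061
        pat = r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"
        matchers.append((re.compile(pat), "ip", label, sev))
    for url, (label, sev) in IOCS["url"].items():
        matchers.append((re.compile(re.escape(refang(url)), re.IGNORECASE), "url", label, sev))
    return matchers


MATCHERS = build_matchers()


def scan_logs(lines: List[str]) -> List[dict]:
    """Return one hit record per (line, indicator) match."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for pattern, kind, label, sev in MATCHERS:
            if pattern.search(line):
                hits.append({"line": number, "type": kind, "label": label, "severity": sev})
    return hits


# Constructed sample log lines (not from the report): an EDR process event,
# two proxy events, a near-miss IP, and an unrelated file write.
SAMPLE_LOGS = [
    '2025-02-10T09:12:44Z edr host=WS-17 event=process_create image="C:\\Users\\a\\Temp\\moomoo x64.exe" md5=11b499cc40d08a10c107a6fb55a31b65',
    "2025-02-10T09:12:45Z proxy host=WS-17 dst_ip=104.219.214.206 action=allow bytes=5120",
    "2025-02-10T09:12:46Z proxy host=WS-17 url=https://www.baidu.com/ action=allow",
    "2025-02-10T09:13:01Z proxy host=WS-22 dst_ip=104.219.214.2061 action=allow",
    '2025-02-10T09:13:05Z edr host=WS-22 event=file_write path="C:\\Users\\b\\report.pdf" md5=0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f',
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} hit [{hit['severity']}] {hit['label']}")
```

Running the script reports three hits (the dropped executable's hash, the C2 address, and the low-confidence baidu.com URL) and ignores the near-miss address on line 4. In a real deployment the URL match should only raise an alert when it coincides with a high-confidence hit on the same host.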


Full Story: https://malwareanalysisspace.blogspot.com/2025/02/the-valleyrat-trojan-of-silver-fox-and.html