Fake Chrome Installers Deliver ValleyRAT Malware
Threat Actor “Silver Fox” Targets Sensitive Roles in Organizations
Cybercriminals are using fake websites that pose as Google Chrome download pages to spread a remote access trojan called ValleyRAT. The malware, first identified in 2023, is linked to a threat group known as Silver Fox, which has a history of targeting Chinese-speaking regions, including Mainland China, Taiwan, and Hong Kong.
According to a recent report by Morphisec researcher Shmuel Uzan, Silver Fox has been focusing on high-value roles within organizations, such as finance, accounting, and sales teams. These positions often have access to critical systems and sensitive data, making them prime targets for cyberattacks.
How ValleyRAT Malware is Delivered
ValleyRAT is often distributed alongside other malware families like Purple Fox and Gh0st RAT. Gh0st RAT, in particular, has been widely used by Chinese hacking groups in the past.
In recent attacks, the malware has been spread through fake installers for legitimate software. These installers use a DLL loader called PNGPlug to deliver the malicious payload. Last month, a similar tactic was used to distribute Gh0st RAT by tricking users into downloading fake Chrome browser installers.
The latest ValleyRAT campaign follows a similar pattern. Attackers set up a fake Google Chrome website to trick users into downloading a ZIP file containing an executable named “Setup.exe.”
How the Attack Works
When “Setup.exe” is run, it first checks whether it is running with administrator privileges. If it is, it downloads four additional files. One of them is a legitimate, signed executable for Douyin, the Chinese version of TikTok, named “Douyin.exe.” Because the Windows loader resolves DLLs from the executable's own directory before the system directories, this file picks up a malicious DLL named “tier0.dll” dropped alongside it, which in turn loads ValleyRAT.
Another downloaded file, “sscronet.dll,” terminates any running process that matches a predefined exclusion list.
What ValleyRAT Does
ValleyRAT is a C++-based trojan that is compiled in Chinese. It can monitor screen activity, record keystrokes, and maintain a persistent presence on the infected system. The malware can also communicate with a remote server to receive commands, allowing it to:
- List running processes
- Download and execute additional malicious files
- Perform other harmful actions
Uzan explained that the attackers abuse legitimate, signed executables that are vulnerable to DLL search order hijacking (side-loading) to load the malicious payload, so the first stage runs inside a process whose image carries a valid vendor signature.
A Growing Trend in Cyberattacks
This discovery follows a recent report by Sophos about phishing campaigns using Scalable Vector Graphics (SVG) attachments to evade detection. These attacks deliver AutoIt-based keystroke logging malware like Nymeria or redirect users to fake login pages designed to steal credentials.
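SVG files are XML, so an attachment scanner can look inside them before a mail gateway passes them as "just an image". The function below is an added example, not part of the Sophos report or this article: it flags the features an SVG phishing lure needs to do anything at all, namely embedded <script> elements, on* event-handler attributes, href/xlink:href targets pointing at http(s), javascript: or data: URLs, and <foreignObject> (which can wrap arbitrary HTML). The assumption that such lures carry a script or an outbound link is the author's, not a detail stated on this page; both sample SVGs and the example.invalid domain are constructed.

```python
"""Flag SVG attachments that carry script or outbound links.

Added example, not Sophos' or the article's code. Parses the SVG as XML
with the standard library and reports the features a phishing lure relies
on. Sample documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Targets that make an <a>, <image> or <use> href dangerous in an attachment.
URL_RE = re.compile(r"^\s*(https?:|javascript:|data:)", re.IGNORECASE)


def _local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_indicators(svg_text: str) -> list:
    """Return human-readable reasons an SVG looks like a phishing carrier ([] if none).

    Input that is not well-formed XML is itself reported, because a renderer
    may still display it while an XML-only scanner would silently skip it.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); inspect manually"]
    reasons = []
    for el in root.iter():            # root.iter() walks every element, root included
        name = _local(el.tag)
        if name == "script":
            reasons.append("embedded <script> element")
        if name == "foreignobject":
            reasons.append("<foreignObject> element (can embed HTML)")
        for attr, value in el.attrib.items():
            a = _local(attr)           # handles both href and xlink:href
            if a.startswith("on"):
                reasons.append(f"event handler attribute {a} on <{name}>")
            if a == "href" and URL_RE.match(value):
                reasons.append(f"<{name}> href points to {value.strip()[:60]}")
    return reasons


# Constructed lure: a blank "document" whose whole surface is a link to a
# credential-harvesting page, plus two redundant redirect mechanisms.
PHISH_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200"
     onload="this.ownerDocument.location='https://login.example.invalid/verify'">
  <text x="10" y="40">Open the attached invoice</text>
  <a xlink:href="https://login.example.invalid/verify">
    <rect width="400" height="200" fill="white"/>
  </a>
  <script type="text/javascript">
    window.location = "https://login.example.invalid/verify";
  </script>
</svg>"""

# Constructed benign graphic: static shapes only.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", PHISH_SVG)):
        print(label, svg_indicators(doc) or "clean")
```

The lure produces three indicators (the onload handler, the full-canvas link, and the script); the benign circle produces none. This is a triage filter, not a verdict: an SVG with only a static https link may be legitimate, so route hits to a sandbox or a reviewer rather than blocking on the first match, and remember that ET.fromstring does not expand external entities, so a file using them will simply fail to parse and land in the "inspect manually" bucket.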
Stay vigilant, and download software only from the vendor's official site or store; a search result or advertisement that leads to a ZIP containing "Setup.exe" is exactly the pattern this campaign relies on.