Current Cyber Threats

ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading

Summary:
Trend Micro researchers have found that the ValleyRAT campaign is a growing threat that is escalating in both aggressiveness and sophistication, demonstrated by a notable spike in detections observed in their telemetry at the end of October. The campaign strategically integrates tried-and-tested techniques, primarily using social-engineering lures targeting job seekers through malicious email attachments. Recent observations show that the actors, who initially focused on Chinese-speaking users, are now expanding their scope to target job seekers in general, evidenced by the use of English-language filenames. The researchers detail that the attack is executed through a layered approach, which involves obfuscation via deeply nested directory paths and execution via DLL side-loading, where a renamed, weaponized version of the Foxit PDF Reader executable is used to load a malicious DLL. This deceptive method allows the ValleyRAT payload to run silently in the background, granting the attackers full control of the system to monitor activity and steal sensitive data, including user data from internet browsers.

Security Officer Comments:
The ValleyRAT campaign is a high-confidence, targeted intrusion threat that is actively expanding its operational scope. Our observations indicate a deliberate shift away from its historical regional targeting toward the global job-seeking community and the HR functions that handle applications. This pivot is enabled by social-engineering lures, specifically email attachments disguised as employment documents, that exploit the high-urgency, low-caution environment surrounding job applications. Technically, the campaign employs a multi-stage infection chain that prioritizes stealth and evasion. The primary execution vector is DLL side-loading: the threat actor ships a renamed, legitimate executable such as the Foxit PDF Reader alongside a malicious DLL, and the executable loads that DLL while a benign decoy document is displayed to the user. Because the process that runs is a legitimately signed application, the malicious code inherits its trust, which subverts signature- and reputation-based controls.

Suggested Corrections:
  • Mandate Advanced Security Awareness: Deploy immediate training on Vishing/Phishing techniques for all users, emphasizing verification of full file extensions and discouraging the execution of unexpected archives, regardless of application icon or source.
  • Harden Endpoint Controls: Ensure EDR solutions are configured to block DLL side-loading behaviors, monitor for the execution of suspicious processes within unusual directory paths, and enforce strict application allow-listing to prevent unauthorized executables from running.
  • Validate Patch Status: Verify that all applications commonly targeted for side-loading or exploitation are current. Pay particular attention to browsers, PDF readers, and communication platforms.
  • Isolate and Analyze: Any system flagged with ValleyRAT indicators, including attempted C2 communication with the associated IP addresses, must be immediately isolated from the network for forensic analysis and potential re-imaging.
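The endpoint-hardening bullet above (monitor for suspicious processes in unusual directory paths, block side-loading behaviour) can be turned into concrete rules. The following Python is an added example written for this digest, not code from Trend Micro or the ValleyRAT report. It scores constructed process-creation and image-load records with three heuristics that together describe the technique in the summary: a binary whose on-disk name differs from its PE OriginalFilename (the renamed reader), a launch from a deeply nested user-writable directory, and an unsigned DLL loaded from the executable's own folder. All paths, file names, signer names and the MAX_EXPECTED_DEPTH threshold are assumptions.

```python
"""
Heuristics for the side-loading pattern described in the digest: a renamed
but legitimately signed executable launched from a deeply nested,
user-writable directory, loading an unsigned DLL that sits beside it.

Added example; not code from Trend Micro or the digest. Field names follow
Sysmon process-creation / image-load events loosely, but every record in
SAMPLE_EVENTS is constructed, and all paths, names, signers and the
MAX_EXPECTED_DEPTH threshold are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Locations an ordinary user can write to; a side-loaded pair usually lands here.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Assumed threshold: how many directory levels deep a legitimate launch normally is.
MAX_EXPECTED_DEPTH = 6


@dataclass
class ProcessEvent:
    pid: int
    image: str                # full path of the executable that started
    original_file_name: str   # OriginalFilename from the PE version resource
    signer: str               # Authenticode signer subject, "" when unsigned
    loaded_dlls: list[tuple[str, str]] = field(default_factory=list)  # (path, signer)


def path_depth(path: str) -> int:
    """Number of directory components between the drive and the file name."""
    parts = [p for p in path.replace("/", "\\").split("\\") if p]
    return len(parts) - 1


def sideload_indicators(ev: ProcessEvent) -> list[str]:
    """Return human-readable reasons this process looks like a side-loading host."""
    reasons: list[str] = []
    img_dir = ntpath.dirname(ev.image).lower()
    on_disk_name = ntpath.basename(ev.image).lower()

    # 1. The binary was renamed: the name it was built with differs from the
    #    name it is running under (the "renamed PDF reader" trick).
    if ev.original_file_name and ev.original_file_name.lower() != on_disk_name:
        reasons.append(
            f"renamed binary: running as {on_disk_name!r}, "
            f"OriginalFilename is {ev.original_file_name!r}"
        )

    # 2. Launched from a deeply nested path under a user-writable root.
    depth = path_depth(ev.image)
    if img_dir.startswith(USER_WRITABLE_PREFIXES) and depth > MAX_EXPECTED_DEPTH:
        reasons.append(f"deeply nested user-writable path (depth {depth})")

    # 3. An unsigned DLL was loaded from the executable's own directory,
    #    which is where a side-loaded payload has to sit.
    for dll_path, dll_signer in ev.loaded_dlls:
        if ntpath.dirname(dll_path).lower() == img_dir and not dll_signer:
            reasons.append(
                f"unsigned DLL loaded from image directory: {ntpath.basename(dll_path)}"
            )

    return reasons


def is_suspicious(ev: ProcessEvent) -> bool:
    """Flag a renamed *signed* binary outright, or any two indicators together,
    so that a lone unsigned developer tool with its own DLLs is not flagged."""
    reasons = sideload_indicators(ev)
    renamed = any(r.startswith("renamed binary") for r in reasons)
    return (renamed and bool(ev.signer)) or len(reasons) >= 2


def find_suspicious(events: list[ProcessEvent]) -> list[ProcessEvent]:
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (hypothetical paths, names and signers).
SAMPLE_EVENTS = [
    # A reader installed normally, running under its own name from Program Files.
    ProcessEvent(
        pid=1204,
        image=r"C:\Program Files\ExampleVendor\PDFReader\PDFReader.exe",
        original_file_name="PDFReader.exe",
        signer="Example Vendor Inc.",
        loaded_dlls=[(r"C:\Program Files\ExampleVendor\PDFReader\core.dll", "Example Vendor Inc.")],
    ),
    # The same signed reader, renamed to look like a resume, buried in a nested
    # temp directory, loading an unsigned DLL placed next to it.
    ProcessEvent(
        pid=4412,
        image=r"C:\Users\alice\AppData\Local\Temp\Job\Offer\Docs\2025\Final\Resume_2025.exe",
        original_file_name="PDFReader.exe",
        signer="Example Vendor Inc.",
        loaded_dlls=[(r"C:\Users\alice\AppData\Local\Temp\Job\Offer\Docs\2025\Final\sideload.dll", "")],
    ),
    # An unsigned in-house build tool with its own unsigned DLL: one indicator only.
    ProcessEvent(
        pid=5120,
        image=r"C:\Users\bob\tools\build.exe",
        original_file_name="build.exe",
        signer="",
        loaded_dlls=[(r"C:\Users\bob\tools\zlib1.dll", "")],
    ),
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {ev.image}")
        for reason in sideload_indicators(ev):
            print(f"  - {reason}")
```

Run as-is, only pid 4412 is reported, with all three reasons; the shallow, unsigned build tool is left alone because it trips a single indicator. In production the same fields come from Sysmon Event ID 1 (OriginalFileName) and Event ID 7 (ImageLoaded, Signed) or the equivalent EDR telemetry, and MAX_EXPECTED_DEPTH should be tuned against a baseline of where signed applications normally launch from in your environment.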
Link(s):
https://www.trendmicro.com/en_us/research/25/l/valleyrat-campaign.html