A sophisticated cyber attack campaign targeting Chinese-speaking regions has been uncovered by security researchers. The attacks use a specialized loader called PNGPlug to deploy ValleyRAT malware through deceptive software installers.
The attack begins when users are tricked into downloading what appears to be legitimate software through a phishing page. The malicious package installs both a legitimate application as cover and secretly extracts encrypted malware components.
The installer package abuses Windows Installer's CustomAction table, which lets an MSI run arbitrary code during setup. Here the custom action decrypts an embedded archive with a hardcoded password and drops several components, including a rogue DLL and two payload files that carry a .png extension but are not real images.
The PNGPlug loader then stages ValleyRAT: it loads the payloads hidden in the fake PNG files into memory and adds Windows Registry entries so the malware survives reboots. ValleyRAT itself is a remote access trojan that gives the operators unauthorized control of the infected machine.
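Because the payload files described above only borrow the .png extension, a cheap triage check is to test whether a supposed image actually parses as one. The script below is an added example, not code from the original report or from the PNGPlug loader: it validates the PNG signature, walks the chunk table to IEND, verifies chunk CRCs, and flags any bytes appended after IEND. The sample blobs it inspects are constructed inline for illustration; the `scan_dir` helper and the verdict labels are this example's own names.

```python
"""Triage helper: flag files that claim to be PNGs but do not behave like one.

Added example (not from the original article). Verdicts:
  not_png    - file lacks the 8-byte PNG signature (e.g. an encrypted blob or PE)
  truncated  - signature present but the chunk list never reaches IEND
  suspicious - parses, but has CRC errors or extra bytes after IEND
  ok         - structurally well-formed PNG
"""
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes) -> dict:
    """Return a verdict dict for a blob that claims to be a PNG image."""
    result = {"valid_signature": False, "chunks": [], "trailing_bytes": 0,
              "crc_errors": 0, "verdict": "not_png"}
    if not data.startswith(PNG_SIGNATURE):
        return result
    result["valid_signature"] = True

    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        # Each chunk: 4-byte big-endian length, 4-byte type, data, 4-byte CRC.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            result["verdict"] = "truncated"
            return result
        chunk_data = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        # CRC covers the chunk type and data, not the length field.
        if zlib.crc32(ctype + chunk_data) != stored_crc:
            result["crc_errors"] += 1
        result["chunks"].append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            break
    else:
        # Ran out of bytes without ever seeing an IEND chunk.
        result["verdict"] = "truncated"
        return result

    # Anything after IEND is not part of the image; a common place to hide data.
    result["trailing_bytes"] = len(data) - pos
    if result["trailing_bytes"] > 0 or result["crc_errors"]:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "ok"
    return result


def make_minimal_png() -> bytes:
    """Build a valid 1x1 RGB PNG so the checker has a known-good sample."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload)
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + one pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def scan_dir(root: str) -> list:
    """Return (path, verdict) for every *.png under root that is not 'ok'."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".png"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    verdict = inspect_png(fh.read())["verdict"]
                if verdict != "ok":
                    findings.append((path, verdict))
    return findings


if __name__ == "__main__":
    # Constructed samples, not files from the campaign.
    real = make_minimal_png()
    disguised = b"MZ\x90\x00" + bytes(64)          # a PE-like blob named .png
    appended = real + b"ENCRYPTED-PAYLOAD"         # valid image with data after IEND
    for label, blob in (("real", real), ("disguised", disguised), ("appended", appended)):
        print(label, inspect_png(blob)["verdict"])
```

Run it against an extracted installer directory with `scan_dir(path)`; a .png that comes back `not_png` or `suspicious` is worth opening in a hex editor before trusting it as an image.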
Security experts attribute this campaign to a threat group known as Silver Fox, which shows connections to another group called Void Arachne through their shared use of the Winos 4.0 command-and-control framework.
The malware campaign stands out for specifically targeting Chinese speakers in Hong Kong, Taiwan, and Mainland China. It demonstrates advanced techniques by blending malicious code with legitimate software installations.
ValleyRAT, first detected in 2023, continues to evolve with new capabilities including screenshot capture and event log clearing. The modular design of the PNGPlug loader allows the attackers to adapt their approach across multiple campaigns.
Users are advised to download installers only from the vendor's own site, to check the publisher's digital signature before running them, and to treat any setup package that silently drops extra files as suspect. The campaign shows how far modern malware delivery has advanced in hiding behind legitimate software.