ValleyRAT is a multi-stage Windows remote-access trojan (RAT) first observed in early 2023 and now linked to focused campaigns targeting Chinese-language users and organizations.
Operators deliver staged components (downloader → loader → injector → RAT) via phishing or trojanized installers, and rely on in-memory decryption and living-off-the-land execution (notably MSBuild.exe) to remain stealthy. Its execution logic is targeted: a registry “kill switch” keyed on regionally common apps such as WeChat and DingTalk, multiple UAC bypasses, token manipulation, and routines that disable or terminate locally prevalent AV/HIPS products. That combination of targeted execution logic, aggressive privilege escalation, and AV disruption means responders treat ValleyRAT as a high-confidence indicator of a targeted intrusion rather than commodity malware.
In this blog we will analyze the ValleyRAT loader and the RAT itself, highlighting the features that set ValleyRAT apart from other families.
SHA-256 (downloader): ae857addc8eb51dbfa7d0a76b19dae7a6f275f7bf1042d1c982aca4f80ce635e
ValleyRAT first surfaced in early 2023 and has primarily targeted Chinese-language users via phishing lures. It’s implemented as a multi-stage, multi-component .NET family:
the loader is a .NET executable that contains 3DES-encrypted resources (embedded .NET PE files),
it decrypts and loads components in memory (loader → injector → payload),
the injector component uses MSBuild.exe as the execution host (process masquerading / LOLBin usage) and performs process injection to run the final RAT payload in memory.
This layered approach improves stealth (encrypted resources on disk, decryption in memory, and leveraging signed system binaries).
The decompiled snippets include three important artifacts:
Below are the essential pieces extracted from the sample (cleaned for readability):
// loader calls into decrypted assembly to perform further decryption/execution
And the symmetric decryption helper:
public static byte[] TFGFGF...(byte[] B, string ikey)
ValleyRAT is not your typical Remote Access Trojan. Analysis of its latest variants reveals a sophisticated malware characterized by highly targeted execution logic, multi-faceted evasion techniques, and an aggressive focus on Privilege Escalation (PE) and Anti-Analysis capabilities.
This deep dive examines the code-level mechanisms that ValleyRAT uses to establish persistence, bypass system defenses, and prepare for its primary Command and Control (C2) operations.
ValleyRAT begins with an unusual environmental check that serves as a geographic kill switch. It queries the Windows Registry for the presence of two popular Chinese communication applications: WeChat and DingTalk.
If both registry entries (HKCU\Software\DingTalk and HKCU\Software\Tencent\WeChat) are not found, the malware assumes it is running outside its intended target environment, displays a misleading "Error" message box, and terminates. Analysts detonating the sample in a sandbox therefore need the corresponding registry keys present, or execution stops before any of the later stages described below run.
Additionally, the malware prevents duplicate instances by attempting to create a named mutex, L"TEST".
// Code snippet showing the initial registry check and termination logic
If the initial checks pass, ValleyRAT immediately focuses on gaining administrative access, employing multiple techniques to bypass Windows User Account Control (UAC).
The malware employs a combination of file and registry manipulation targeting known Windows executables:
CompMgmtLauncher.exe/Event Viewer: ValleyRAT drops shortcut (.lnk) files, CompMgmtLauncher.lnk and eventvwr.lnk, in a user-writeable location (e.g., Startup folder). It then manipulates registry keys (HKCU\Software\Classes\mscfile and .pwn) that reference shellcode (likely a downloaded component) or its own path. When Windows attempts to run the legitimate tool, the registry keys redirect execution, launching the malware with elevated privileges.
Fodhelper.exe Bypass: It associates the ms-settings ProgID with the custom .pwn extension in HKCU\Software\Classes\ms-settings\CurVer and sets the file path of its own sample in HKCU\Software\Classes\.pwn\Shell\Open\Command. This key chain allows the malware to execute automatically when the legitimate Fodhelper.exe is triggered.
To ensure full control, ValleyRAT adjusts its security token to enable the SeDebugPrivilege. This privilege allows the malware to interact with, inspect, and even terminate processes belonging to other users or higher integrity levels. It also uses the internal NTdll.dll function NtSetInformationProcess with class 29, a known anti-debugging maneuver.
// Adjusting token privileges to enable SeDebugPrivilege
ValleyRAT's extensive evasion repertoire is notable, targeting everything from virtualization to specific anti-virus products.
The malware contains an exhaustive hardcoded list of executable names belonging to popular anti-virus products and Host-based Intrusion Prevention Systems (HIPS), predominantly from Chinese vendors like Qihoo 360 and Tencent QQ PC Manager. Its logic is to terminate these processes (leveraging its new SeDebugPrivilege) before proceeding. It also modifies security software's registry settings to disable their autostart capability upon reboot.
| Vendor (Examples) | Targeted Executables (Examples) |
| --- | --- |
| Qihoo 360 | 360d.exe, 360Safe.exe, 360Tray.exe |
| Tencent QQ | QQPCRTP.exe, QQMPersonalCenter.exe |
| Kingsoft | kxscan.exe, kwsprt.exe, kxascore.exe |
To neutralize Microsoft Defender, the malware programmatically launches a shell and injects a PowerShell command to exclude itself from real-time monitoring.
// PowerShell command injected to bypass Windows Defender
The Add-MpPreference -ExclusionPath cmdlet excludes the entire drive path where the malware resides from future Defender scans. Because changing Defender preferences requires administrative rights, this step only succeeds once the UAC bypasses above have delivered an elevated process.
ValleyRAT is highly suspicious of its environment, performing checks that fall into two main categories:
| Technique | Description |
| --- | --- |
| Process/Window Hunting | It enumerates running windows and checks their title strings for known analysis tools such as Wireshark, Fiddler, Malwarebytes, ApateDNS, and TaskExplorer. |
| Anti-Virtualization | It uses the CPUID instruction to check for the "GenuineIntel" or "AuthenticAMD" vendor strings, which are often spoofed or missing in virtual environments like VMware or VirtualBox. It also checks for the existence of VMware directories and limited memory conditions. |
After clearing the defenses, ValleyRAT secures its foothold and prepares for communication.
For persistence it uses a standard but effective mechanism: it writes its own execution path to the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key under the deceptive value name GFIRestart32.exe, which guarantees execution on every user login.
Before attempting to contact its actual C2 server (whose IP/Port are stored in obfuscated registry entries like HKCU\Software\Console\IpDate), the malware performs an initial Internet Connection Discovery check.
// Checking Internet connectivity via a Chinese domain
By querying hxxp://www[.]baidu.com, it confirms the network is reachable. It then generates a randomized integer (v3 in the decompiled code) to construct a dynamic beacon string (e.g., GetOnlineSize_12345), which it sends to the C2 server, likely to request the next-stage payload.
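As a defender-side illustration of the host and network indicators walked through above (the Fodhelper and .pwn registry handlers, the GFIRestart32.exe Run value, the HKCU\Software\Console\IpDate C2 setting, the Add-MpPreference exclusion, and the GetOnlineSize_<n> beacon), the following Python rule set is an added example, not code from this post or from the malware; the event field names follow Sysmon conventions and every sample event is constructed.

```python
import re
# Detection rules built from the ValleyRAT indicators this post describes.
# Each rule: (name, required EventID or None for any, field, regex).
RULES = [
    ("uac_bypass.fodhelper_curver", 13, "TargetObject", r"\\Software\\Classes\\ms-settings\\CurVer"),
    ("uac_bypass.pwn_open_command", 13, "TargetObject", r"\\Software\\Classes\\\.pwn\\Shell\\Open\\Command"),
    ("uac_bypass.mscfile_handler", 13, "TargetObject", r"\\Software\\Classes\\mscfile\\"),
    ("persistence.run_key_gfirestart32", 13, "TargetObject", r"\\CurrentVersion\\Run\\GFIRestart32\.exe$"),
    ("c2_config.console_ipdate", 13, "TargetObject", r"\\Software\\Console\\IpDate$"),
    ("defense_evasion.defender_exclusion", 1, "CommandLine", r"Add-MpPreference\s+-ExclusionPath\b"),
    ("c2.getonlinesize_beacon", None, "Payload", r"\bGetOnlineSize_\d+\b"),
]
COMPILED = [(n, e, f, re.compile(p, re.IGNORECASE)) for n, e, f, p in RULES]

def match_event(event):
    """Return the names of every rule an event dict ('EventID' plus fields) triggers."""
    hits = []
    for name, event_id, field, rx in COMPILED:
        if event_id is not None and event.get("EventID") != event_id:
            continue
        value = event.get(field)
        if value is not None and rx.search(value):
            hits.append(name)
    return hits

def triage(events, min_families=2):
    """Run all rules over an event stream; the verdict needs hits from at least
    min_families distinct families (prefix before the dot), so one write alone never alerts."""
    hits = [(e.get("EventID"), name) for e in events for name in match_event(e)]
    families = {name.split(".")[0] for _, name in hits}
    return hits, len(families) >= min_families

# Constructed Sysmon-style sample events (EventID 13 = registry value set,
# EventID 1 = process create); the 9001 record stands in for a proxy log line.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1001\Software\Classes\ms-settings\CurVer\(Default)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1001\Software\Classes\.pwn\Shell\Open\Command\(Default)"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Run\GFIRestart32.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1001\Software\Console\IpDate"},
    {"EventID": 1, "CommandLine": 'powershell.exe -Command "Add-MpPreference -ExclusionPath C:\\"'},
    {"EventID": 9001, "Payload": "GET /?GetOnlineSize_48213 HTTP/1.1"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1001\Software\Microsoft\Office\16.0\Common\General"},  # benign
    {"EventID": 1, "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},  # benign
]
if __name__ == "__main__":
    found, suspicious = triage(SAMPLE_EVENTS)
    for event_id, name in found:
        print(f"EventID {event_id}: {name}")
    print("ValleyRAT-like activity:", suspicious)  # prints True for the sample set
```

The family threshold in triage is what keeps a lone Run-key write from paging anyone; the individual rule hits are still worth logging as context for the analyst.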
ValleyRAT distinguishes itself from many other malware families through its highly targeted nature and aggressive, multi-layered approach to evasion and privilege escalation. It begins with a unique geographical kill switch, checking for specific Chinese application registry keys (WeChat, DingTalk) before proceeding, ensuring it only executes in its intended operational environment.
Once active, it aggressively pursues system mastery by using multiple UAC bypasses (exploiting Fodhelper.exe, Event Viewer, etc.) and seizing the SeDebugPrivilege on its process. For stealth, it favors loading its payload into the legitimate system binary MSBuild.exe and actively disables defenses by:
Terminating known AV processes (especially Chinese vendors).
Abusing native PowerShell cmdlets to add its paths to the Windows Defender exclusion list.
Using CPUID and window title checks for robust anti-analysis and anti-virtualization.
This combination of specialized targeting, simultaneous UAC attack vectors, and systematic defense impairment makes ValleyRAT a particularly sophisticated and resilient threat.
The Picus Security Validation Platform safely simulates ValleyRAT malware attacks, replicating the malware’s new plug-in functionality for validation purposes. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies, before adversaries can exploit them.
You can also test your defenses against hundreds of other malware variants, such as SnipBot, SlipScreen Loader, RustyClaw, within minutes with a 14-day free trial of the Picus Platform.
| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 29426 | ValleyRAT Malware Downloader Download Threat | Network Infiltration |
| 25204 | ValleyRAT Malware Downloader Email Threat | Email Infiltration |
| 59821 | ValleyRAT Loader Download Threat | Network Infiltration |
| 54856 | ValleyRAT Loader Email Threat | Email Infiltration |
| 72873 | ValleyRAT Malware Dropper Download | Network Infiltration |
| 46588 | ValleyRAT Malware Dropper Email Threat | Email Infiltration |
Multi-Stage Execution: ValleyRAT utilizes a multi-stage loader (often .NET-based) that decrypts and loads components entirely in memory.
LOLBin for Stealth: The final payload is typically injected into the legitimate Windows binary MSBuild.exe (a Living Off the Land Binary) to masquerade as a trusted process.
Targeted Kill Switch: It contains a geographically specific kill switch that checks the registry for Chinese communication apps (WeChat and DingTalk). If not found, the malware terminates to prevent analysis.
Multiple UAC Bypasses: It employs three distinct techniques for Privilege Escalation (UAC Bypass), exploiting vulnerabilities in Windows components like Fodhelper.exe, Event Viewer, and CompMgmtLauncher.exe.
Token Manipulation: It manually enables the SeDebugPrivilege on its security token, granting it power to inspect and terminate other processes.
Aggressive Anti-AV: It carries an extensive list of known security program executables (from Qihoo 360, Tencent, etc.) to actively terminate or disable their autostart capabilities.
Windows Defender Exclusion: It uses a programmatic PowerShell command (Add-MpPreference -ExclusionPath) to add its files or entire drives to the Windows Defender exclusion list.
Anti-Analysis (VM/Sandbox): It performs environmental checks, including the CPUID instruction to verify the CPU vendor ID (checking for "GenuineIntel" or "AuthenticAMD") and enumerating window titles to detect analyst tools (Wireshark, Fiddler, etc.).
Persistence: It establishes persistent execution through both Registry Run Keys (using a deceptive name like GFIRestart32.exe) and by copying itself to the Startup folder.
Dynamic C2 Beacon: It performs an Internet check using hxxp://www[.]baidu.com and generates a randomized integer to construct a unique C2 beacon string, aiding in network evasion.