Full Report
Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT. The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week. The infection chain commences with a phishing
Analysis Summary
# Tool/Technique: PNGPlug Loader
## Overview
PNGPlug Loader is a multi-stage loader used in cyber attacks targeting Chinese-speaking regions (Hong Kong, Taiwan, Mainland China). Its primary purpose is to facilitate the infection chain by first delivering a malicious Microsoft Installer (MSI) package, which then extracts and executes the final malware payload, ValleyRAT.
## Technical Details
- Type: Tool (Loader)
- Platform: Windows (utilizing Windows Installer features)
- Capabilities: Executes code via MSI CustomAction, decrypts archives using a hardcoded password, extracts embedded components, performs environment setup, establishes persistence via registry changes, and executes the final RAT payload.
- First Seen: Associated with campaigns involving ValleyRAT, detected broadly since 2023.
## MITRE ATT&CK Mapping
The loader components and execution methods suggest the following mappings:
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (implied by the registry changes)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (archive encryption/decryption)
## Functionality
### Core Capabilities
* **Delivery:** Deployed via a malicious Microsoft Installer (MSI) package disguised as legitimate software, which the victim is tricked into downloading from a phishing page.
* **Extraction & Decryption:** Uses the Windows Installer's `CustomAction` feature to run an embedded malicious DLL. This DLL decrypts an embedded archive (`all.zip`) using the hardcoded password `'hello202411'`.
* **Component Staging:** Extracts core malware components: `libcef.dll` (rogue DLL loader), `down.exe` (a legitimate application used as cover), and two files masquerading as PNG images (`aut.png` and `view.png`).
### Advanced Features
* **Environment Preparation:** The primary objective of the loader DLL (`libcef.dll`) is to prepare the environment by injecting `aut.png` into memory.
* **Payload Execution:** Sets up persistence through Windows Registry changes and then executes the final malware payload, ValleyRAT, using `view.png`.
* **Concealment:** Uses a legitimate application (`down.exe`) as a cover to conceal malicious activities.
## Indicators of Compromise
- File Hashes: N/A (Not provided in the article)
- File Names:
  - Malicious MSI package
  - `libcef.dll` (rogue DLL loader)
  - `down.exe` (cover application)
  - `aut.png`, `view.png` (payload files masquerading as images)
- Registry Keys: Registry changes mentioned for persistence (Specific keys not provided).
- Network Indicators: N/A (Network traffic related to PNGPlug itself is not detailed, other than delivering the final payload, ValleyRAT).
- Behavioral Indicators: Execution via MSI `CustomAction`, decryption of archive using password 'hello202411', DLL injection into memory, and modification of Windows Registry for persistence.
## Associated Threat Actors
* **Silver Fox**: Assessed to be linked to the usage of ValleyRAT.
* **Void Arachne**: Shares tactical overlaps with this cluster through the use of the Winos 4.0 C&C framework (which is associated with ValleyRAT).
## Detection Methods
- Signature-based detection: Signatures for the known final payload (ValleyRAT) and specifically compiled components of PNGPlug (if hashes were available).
- Behavioral detection: Monitoring for MSI packages executing code via `CustomAction`, file extractions using specific passwords (`hello202411`), or the execution chain involving the extracted DLLs and image files.
- YARA rules: N/A (Not explicitly provided).
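The behavioral detection described above can be expressed as a simple correlation rule. The following is an added example (not code from the report or from Intezer) that scores constructed Sysmon-style events for the PNGPlug staging pattern: `msiexec.exe` dropping several of the named artifacts, raised in severity when `down.exe` is then seen loading `libcef.dll`. It also includes a magic-byte check for triaging the dropped "PNG" files, since a real PNG always begins with a fixed 8-byte signature. The event format and file paths are assumptions for the sample.

```python
import re
from collections import defaultdict

# Artifact names the report lists for the PNGPlug staging step.
PNGPLUG_ARTIFACTS = {"all.zip", "libcef.dll", "down.exe", "aut.png", "view.png"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # fixed signature every genuine PNG file starts with

# Constructed Sysmon-like telemetry (not from the report): host|event|process|target
SAMPLE_EVENTS = [
    r"hostA|ProcessCreate|msiexec.exe|C:\Users\u\Downloads\installer.msi",
    r"hostA|FileCreate|msiexec.exe|C:\ProgramData\app\all.zip",
    r"hostA|FileCreate|msiexec.exe|C:\ProgramData\app\libcef.dll",
    r"hostA|FileCreate|msiexec.exe|C:\ProgramData\app\down.exe",
    r"hostA|FileCreate|msiexec.exe|C:\ProgramData\app\aut.png",
    r"hostA|FileCreate|msiexec.exe|C:\ProgramData\app\view.png",
    r"hostA|ProcessCreate|msiexec.exe|C:\ProgramData\app\down.exe",
    r"hostA|ImageLoad|down.exe|C:\ProgramData\app\libcef.dll",
    r"hostB|FileCreate|msiexec.exe|C:\ProgramData\vendor\logo.png",
    r"hostB|FileCreate|msiexec.exe|C:\ProgramData\vendor\libcef.dll",
]

def basename(path):
    """Last path component, lower-cased, accepting either separator."""
    return re.split(r"[\\/]", path)[-1].lower()

def is_png(data):
    """True only if the bytes carry the PNG signature; a '.png' without it is masquerading."""
    return data[:8] == PNG_MAGIC

def score_pngplug_chain(events, min_artifacts=3):
    """Return {host: finding} for hosts where msiexec drops several PNGPlug artifacts.

    A host is reported once at least min_artifacts distinct names were dropped by
    msiexec.exe; severity is raised when down.exe also loads libcef.dll (sideload).
    """
    dropped = defaultdict(set)
    sideload = set()
    for line in events:
        host, event, proc, target = line.split("|", 3)
        name = basename(target)
        if event == "FileCreate" and proc.lower() == "msiexec.exe" and name in PNGPLUG_ARTIFACTS:
            dropped[host].add(name)
        if event == "ImageLoad" and proc.lower() == "down.exe" and name == "libcef.dll":
            sideload.add(host)
    findings = {}
    for host, names in dropped.items():
        if len(names) >= min_artifacts:
            findings[host] = {"artifacts": sorted(names),
                              "severity": "high" if host in sideload else "medium"}
    return findings

if __name__ == "__main__":
    print(score_pngplug_chain(SAMPLE_EVENTS))
    print(is_png(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"), is_png(b"MZ\x90\x00"))
```

`hostB` is deliberately left below the threshold (a single `libcef.dll` drop is common for legitimate Chromium-based installers), which is why the rule correlates several artifacts rather than alerting on any one filename.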
## Mitigation Strategies
- Prevention measures: Blocking execution from untrusted MSI packages or those utilizing unusual `CustomAction` scripts.
- Hardening recommendations: Limiting user privileges so that installers cannot make system-level modifications, strengthening email filtering against phishing lures, and monitoring for the registry modifications associated with persistence.
## Related Tools/Techniques
* **ValleyRAT**: The primary remote access trojan delivered by this loader.
* **Winos 4.0**: Command-and-Control framework associated with the threat group activity linked to ValleyRAT.