Fake Chrome Sites Spread ValleyRAT Malware via DLL Hijacking

Fake Google Chrome download sites are being used to distribute the ValleyRAT remote access trojan, with the payload launched through DLL hijacking (also called DLL sideloading). A recent report shows that attackers lure users into downloading a malicious installer disguised as the legitimate Chrome setup package.

ValleyRAT was first documented in 2023 and is attributed to a threat group tracked as Silver Fox. Its campaigns have mainly targeted Chinese-speaking users in Hong Kong, Taiwan, and Mainland China. Recent activity, however, suggests the group is broadening its focus to finance, accounting, and sales professionals. These roles routinely handle sensitive data, which makes them valuable targets.

How the Malware Spreads

The attackers set up websites that closely imitate the official Chrome download page. Users searching for Google Chrome land on these fraudulent sites instead of google.com. The download offered there is a ZIP archive containing a setup.exe that acts as a dropper for several malicious components.

When run, setup.exe first checks whether it has administrator privileges. It then downloads four additional files, among them a legitimate, signed executable from Douyin (the Chinese version of TikTok). Windows resolves a program's DLL imports by name and, unless the name is a KnownDLL, searches the directory the executable was launched from before the system directories. The attackers exploit this by placing a rogue DLL next to the Douyin binary, so the trusted program loads the attacker's library instead of the genuine one, and that library launches ValleyRAT under the signed process's name. A second DLL, sscronet.dll, terminates certain processes so that the infection is harder to detect.

What ValleyRAT Can Do

Once running, ValleyRAT logs keystrokes, captures screen content, and establishes persistence so that it survives reboots. It also communicates with a remote command-and-control server, from which the operators can execute commands, fetch additional payloads, and exfiltrate sensitive data.

Researchers also note that the DLL hijacking technique lets the malware run inside legitimate, signed executables rather than as a standalone binary. The signed program is what appears in process listings and what many allow-listing and reputation checks evaluate, so the malicious code inherits its trust and is harder to spot.

How to Stay Safe

To avoid infection, download software only from the vendor's official site. Check the hostname in the address bar and in the download link before clicking, because lookalike domains and sponsored search results are how these sites attract visitors. Do not run executables from unknown sources, and keep the operating system and security software updated. Ad-blockers and browser security extensions can also reduce the chance of being redirected to a malicious download page.
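"Check the URL carefully" is easier said than done, because lookalike links are built to pass a quick glance. As an added example (not from the report), the script below parses a download link the way a browser does and compares the real hostname against an allow-list. The allow-list is an assumption (google.com and its subdomains, which covers the real Chrome download host dl.google.com); the file path and the lookalike URLs are invented.

```python
"""Check whether a download link really points at an official host.

Added example for this article, not code from the report. OFFICIAL_HOSTS is an
assumed allow-list; the demo URLs are constructed (the first uses the real
host dl.google.com with an illustrative path, the rest are lookalike tricks).
"""
from urllib.parse import urlsplit

OFFICIAL_HOSTS = ("google.com",)  # assumed allow-list; subdomains match too


def naive_substring_check(url: str) -> bool:
    """The check a hurried user does by eye: 'does the link contain google.com?'
    Included only to show why it is not enough."""
    return "google.com" in url.lower()


def host_matches(host: str, allowed: str) -> bool:
    """Exact match or a proper subdomain (dl.google.com); never a bare suffix
    (notgoogle.com) or a prefix (google.com.evil.example)."""
    return host == allowed or host.endswith("." + allowed)


def check_download_url(url: str, allowed_hosts=OFFICIAL_HOSTS) -> tuple[bool, str]:
    """Return (ok, reason). Parsing with urlsplit means the host is taken from
    the same place a browser takes it, so userinfo before '@', the brand name
    in a subdomain or path, punycode lookalikes and plain http are all caught."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no hostname in URL"
    if parts.username is not None:
        # https://www.google.com@evil.example/ : everything before '@' is userinfo
        return False, f"userinfo before '@' hides the real host {host}"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized hostname {host} may be a lookalike"
    if not any(host_matches(host, a) for a in allowed_hosts):
        return False, f"host {host} is not an allowed download host"
    return True, f"host {host} is allowed"


# Constructed demo links.
DEMO_URLS = [
    "https://dl.google.com/chrome/install/ChromeSetup.exe",
    "https://www.google.com.chrome-setup.example/ChromeSetup.exe",
    "https://www.google.com@chrome-setup.example/ChromeSetup.exe",
    "https://chrome-setup.example/dl.google.com/ChromeSetup.exe",
    "https://xn--ggle-0nda.com/chrome/ChromeSetup.exe",
    "http://dl.google.com/chrome/install/ChromeSetup.exe",
]

if __name__ == "__main__":
    for url in DEMO_URLS:
        ok, reason = check_download_url(url)
        naive = naive_substring_check(url)
        print(f"{'OK  ' if ok else 'WARN'} naive_says={naive} {url}: {reason}")
```

Running it shows the substring check accepting four of the five lookalikes, while the parsed-host check rejects all of them. The same allow-list approach works in a proxy or download-policy rule; the point is to compare the parsed host, never the raw string.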