ValleyRAT Malware Targets Job Seekers, Abuses Foxit DLL Sideloading
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The ValleyRAT remote access trojan is delivered via email attachments aimed at job seekers and HR staff. Adversaries bundle a tampered Foxit PDF Reader executable and rely on DLL side-loading to trigger a malicious msimg32.dll. The payload unpacks a hidden Python runtime, retrieves a Base64-encoded script from a C2 server, and sets up persistence through an autorun registry value while siphoning browser data.
Investigation
Researchers analyzed the malicious archive and found a renamed FoxitPDFReader.exe that side-loads a rogue msimg32.dll through the standard Windows DLL search order. A batch script then unpacks an embedded Python interpreter (renamed zvchost.exe) and executes a Base64-encoded loader script fetched from a malicious IP address. Network inspection exposed a self-signed certificate with a random CN and a distinct JA3 fingerprint used for C2 traffic. Persistence is maintained by creating an autorun registry key.
Mitigation
Recommended defenses include rigorous email attachment scanning and blocking executables masquerading as PDF files. Apply application whitelisting to prevent unauthorized DLL side-loading and execution of untrusted binaries. Monitor for creation of autorun registry entries and block known C2 IP addresses. Keep endpoint protection signatures up to date and deliver targeted security awareness training focused on job-seeker-themed phishing.
Response
Generate alerts when FoxitPDFReader.exe or msimg32.dll executes from unusual locations, especially paths with deep underscore patterns. Correlate process activity from zvchost.exe using the -c parameter and Base64 command payloads. Detect outbound connections to 196.251.86.145 (and related infrastructure) and review TLS sessions for the distinctive self-signed certificate. Examine registry changes under HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unauthorized autorun entries.
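To make the Investigation chain and the Response checks above concrete, here is an added example (not from the original write-up or any vendor rule) that scores constructed, normalized endpoint events against those indicators; the event field names, the Foxit install root and the sample paths are assumptions.

```python
import base64
import re

# Indicators quoted from the write-up above; everything else is constructed.
C2_IP = "196.251.86.145"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
FOXIT_DIR = "c:\\program files\\foxit software\\"  # assumed legitimate install root
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

def _looks_base64(token):
    try:  # long run of Base64 characters that also decodes cleanly
        return bool(B64_TOKEN.match(token)) and bool(base64.b64decode(token, validate=True))
    except ValueError:
        return False

def score_event(ev):
    """Return finding names for one normalized endpoint event (a dict)."""
    findings = []
    if ev["type"] == "process":
        image = ev["image"].lower()
        name = image.rsplit("\\", 1)[-1]
        args = ev.get("cmdline", "").split()
        # Renamed Python interpreter running a Base64 stage via -c
        if name == "zvchost.exe" and "-c" in args and any(_looks_base64(a) for a in args):
            findings.append("zvchost_b64_loader")
        # Foxit binary started from outside its install directory
        if name in ("foxitpdfreader.exe", "foxitreader.exe") and not image.startswith(FOXIT_DIR):
            findings.append("foxit_outside_install_dir")
    elif ev["type"] == "image_load":
        # msimg32.dll belongs in System32/SysWOW64; anywhere else is a side-load candidate
        dll = ev["loaded"].lower()
        if dll.endswith("\\msimg32.dll") and not dll.startswith(SYSTEM_DIRS):
            findings.append("msimg32_sideload")
    elif ev["type"] == "network" and ev.get("dest_ip") == C2_IP:
        findings.append("c2_ip_contact")
    elif ev["type"] == "registry" and ev.get("key", "").lower() == RUN_KEY:
        findings.append("run_key_persistence")
    return findings
# Constructed sample telemetry mirroring the chain described above.
DROP = r"C:\Users\u\Downloads\resume_____"
STAGE = base64.b64encode(b"print('constructed placeholder loader stage')").decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": FOXIT_DIR + r"Foxit Reader\FoxitPDFReader.exe", "cmdline": ""},
    {"type": "process", "image": DROP + r"\FoxitPDFReader.exe", "cmdline": ""},
    {"type": "image_load", "image": DROP + r"\FoxitPDFReader.exe", "loaded": DROP + r"\msimg32.dll"},
    {"type": "process", "image": DROP + r"\zvchost.exe", "cmdline": "zvchost.exe -c " + STAGE},
    {"type": "network", "dest_ip": C2_IP},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "zvchost"},
]
```

Only the first event (Foxit running from its install directory) scores clean; each later event maps to one of the checks in the Response section.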
Attack Flow
Detections
- ValleyRAT Campaign C&C and Payload Delivery Detection [Windows Network Connection]
- ValleyRAT Campaign Using Foxit PDF Reader for DLL Side-loading [Windows Process Creation]
- IOCs (SourceIP) to detect: Malware ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
- IOCs (HashSha256) to detect: Malware ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
- IOCs (HashSha1) to detect: Malware ValleyRAT Campaign Targets Job Seekers, Abuses Foxit PDF Reader for DLL Side-loading
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
- Initial Compromise: The victim opens a malicious recruitment-themed PDF delivered via email. The PDF contains JavaScript (T1059.006) that drops a malicious DLL (valley.dll) into the same directory as the PDF reader executable.
- DLL Side-Loading: The attacker leverages Foxit Reader's ability to load auxiliary DLLs. By placing valley.dll beside a renamed Foxit executable (zvchost.exe), Foxit will inadvertently load the malicious DLL on launch, executing ValleyRAT.
- Process Creation Trigger: The renamed executable (zvchost.exe) is launched, generating a process-creation event where the image path ends with \zvchost.exe. This matches the Sigma rule's Image|endswith condition, causing an alert.
- Regression Test Script: The following PowerShell script reproduces the above steps in a controlled lab environment.

# ------------------------------------------------------------
# Regression script for ValleyRAT side-loading detection test
# ------------------------------------------------------------
# 1. Set up temporary working directory
$workDir = "$env:TEMP\ValleyRAT_Test"
New-Item -Path $workDir -ItemType Directory -Force | Out-Null

# 2. Copy a legitimate Foxit Reader executable (simulating the PDF reader)
$foxitSrc = "C:\Program Files\Foxit Software\Foxit Reader\FoxitReader.exe"
$foxitRenamed = Join-Path $workDir "zvchost.exe"
Copy-Item -Path $foxitSrc -Destination $foxitRenamed -Force

# 3. Create a dummy malicious DLL (in reality this would be the ValleyRAT payload).
#    WriteAllBytes is used instead of Set-Content -Encoding Byte so the script
#    runs under both Windows PowerShell 5.1 and PowerShell 7, which removed -Encoding Byte.
$dllPath = Join-Path $workDir "valley.dll"
[System.IO.File]::WriteAllBytes($dllPath, [byte[]](0x4D, 0x5A))   # Minimal MZ header only

# 4. Launch the renamed Foxit executable (this triggers DLL side-loading)
Write-Host "[*] Launching renamed Foxit executable to trigger side-loading..."
$proc = Start-Process -FilePath $foxitRenamed -PassThru -WindowStyle Hidden

# 5. Wait briefly to ensure process creation is logged
Start-Sleep -Seconds 5

# 6. Output process information for verification
Write-Host "Process ID: $($proc.Id)"
Write-Host "Executable Path: $($proc.Path)"

# 7. Clean-up (optional - see separate cleanup section)
# Remove-Item -Recurse -Force $workDir

- Cleanup Commands: Execute after the test to remove artifacts and avoid lingering side-loaded DLLs.

# Clean up the test directory and terminate any stray processes
$workDir = "$env:TEMP\ValleyRAT_Test"
# Terminate the launched process if still running
Get-Process -Name "zvchost" -ErrorAction SilentlyContinue | Stop-Process -Force
# Delete the test artifacts
Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
Write-Host "[+] Cleanup completed."