Fake Microsoft Teams Sites Spread ValleyRAT Malware via DLL Sideloading
Cybercriminals are actively leveraging the Microsoft Teams brand to distribute ValleyRAT, a sophisticated remote access trojan (RAT) linked to Chinese-speaking threat actors, with strong attribution indicators pointing to the SilverFox APT group.
The campaign, uncovered in mid-April by K7 Labs researchers, demonstrates a highly refined infection chain combining social engineering, DLL sideloading, in-memory execution, and dynamic payload delivery.
The attack begins with fraudulent domains such as teams-securecall[.]com, which closely mimic legitimate Microsoft Teams download pages.
Victims are prompted to download a ZIP archive posing as the official Teams installer. Inside is an NSIS-based installer which, once the victim runs it, deploys several payload components while keeping the look and feel of a normal installation.
To reduce suspicion, the installer drops an authentic Microsoft Teams package and creates a standard desktop shortcut. Meanwhile, in the background, the malware initiates its primary infection routine using DLL sideloading techniques.
The malware abuses GameBox.exe, a legitimate executable developed by Tencent, to sideload a malicious library named Utility.dll planted alongside it so that the loader picks it up by name. Because the malicious code then runs inside a trusted process, it can slip past application control policies that allow-list the executable but do not also validate the DLLs it loads.

Immediately after execution, the malware attempts to weaken endpoint defenses. It runs PowerShell commands that add Windows Defender exclusions for both the file paths and the processes associated with the malicious payload, so that Defender no longer scans key components, including Utility.dll. Adding exclusions requires administrative privileges, which implies the installer is already running elevated at this point.
The malware then copies its components into the ProgramData directory and modifies file attributes to remain hidden from user visibility and basic inspection.
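The two behaviours described above, a Defender exclusion added from PowerShell and a DLL loaded by a legitimate executable from a user-writable directory, are exactly what an analyst can hunt for in PowerShell script block logging (Event ID 4104) and Sysmon image-load events (Event ID 7). The following detection logic is an added example written for this page; it is not code from K7 Labs or from the campaign. The event records are constructed samples, and the `C:\ProgramData\TeamsX` directory name is an assumption rather than a path reported for this malware.

```python
from __future__ import annotations

import ntpath
import re

# One exclusion value: single-quoted, double-quoted, or bare (no spaces/commas).
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,]+)"
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by one or
# more comma-separated values (the cmdlet accepts arrays).
_EXCL_ARG = re.compile(
    r"-Exclusion(Path|Process|Extension)\s+(" + _VALUE + r"(?:\s*,\s*" + _VALUE + r")*)",
    re.IGNORECASE,
)
_ADD_MP = re.compile(r"\bAdd-MpPreference\b", re.IGNORECASE)

# Locations writable without elevation that legitimate installers rarely need
# excluded from Defender; an exclusion pointing here deserves a look.
_WRITABLE_DIRS = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")


def find_defender_exclusions(script_block: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every exclusion added by Add-MpPreference
    in one PowerShell script block (the text of a 4104 event). Read-only
    cmdlets such as Get-MpPreference are ignored."""
    if not _ADD_MP.search(script_block):
        return []
    found = []
    for m in _EXCL_ARG.finditer(script_block):
        kind = m.group(1).lower()
        for value in re.findall(_VALUE, m.group(2)):
            found.append((kind, value.strip("'\"")))
    return found


def in_user_writable_dir(path: str) -> bool:
    return path.lower().startswith(_WRITABLE_DIRS)


def suspicious_sideload(image: str, image_loaded: str, signed: bool) -> bool:
    """Flag an image-load event (Sysmon Event ID 7 fields) where the DLL sits in
    the same directory as the host EXE, that directory is user-writable, and the
    DLL carries no valid signature: the shape of a sideloaded payload."""
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(image_loaded).lower()
    return same_dir and in_user_writable_dir(image_loaded) and not signed


# Constructed sample events modelled on the campaign; the TeamsX directory name
# is an assumption, not a path reported by K7 Labs.
SAMPLE_SCRIPT_BLOCKS = [
    "Add-MpPreference -ExclusionPath 'C:\\ProgramData\\TeamsX', 'C:\\ProgramData\\TeamsX\\Utility.dll'",
    'Add-MpPreference -ExclusionProcess "C:\\ProgramData\\TeamsX\\GameBox.exe"',
    "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath",  # benign audit query
]
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\ProgramData\TeamsX\GameBox.exe",
     "ImageLoaded": r"C:\ProgramData\TeamsX\Utility.dll", "Signed": False},
    {"Image": r"C:\ProgramData\TeamsX\GameBox.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": True},
]


def triage() -> dict:
    """Run both checks over the samples and return what an analyst would see."""
    exclusions = [e for sb in SAMPLE_SCRIPT_BLOCKS for e in find_defender_exclusions(sb)]
    risky = [v for kind, v in exclusions if kind != "extension" and in_user_writable_dir(v)]
    sideloads = [ev["ImageLoaded"] for ev in SAMPLE_IMAGE_LOADS
                 if suspicious_sideload(ev["Image"], ev["ImageLoaded"], ev["Signed"])]
    return {"exclusions": exclusions, "risky_exclusions": risky, "sideloads": sideloads}


if __name__ == "__main__":
    for key, items in triage().items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

On a live host the same exclusion list can be pulled with `Get-MpPreference`, and Defender itself records configuration changes in its Operational log as Event ID 5007; both are worth checking alongside the script block text, because an attacker who has already added an exclusion may also have cleared PowerShell logs.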
A notable feature of this campaign is its encrypted, largely fileless execution. Instead of dropping a conventional executable payload, the installer writes an AES-encrypted shellcode blob to disk. Only the ciphertext ever touches the file system; the shellcode is decrypted directly in memory, so file-based scanners never see the plaintext code.
The decrypted shellcode allocates memory within the current process, writes the next stage into it and transfers control. To frustrate static analysis, the loader uses API hashing: rather than storing readable import names, it keeps a hash of each Windows API it needs and resolves the real function address at runtime by hashing the export names of the loaded DLLs until one matches.
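API hashing is reversible from the analyst's side: hash every export name of the DLLs the loader resolves from, then look the hashes found in the shellcode up in that table. The code below is an added example for this page, not code from the campaign or from K7 Labs. It assumes the common 32-bit ROR13 additive hash; the article does not say which hash ValleyRAT's loader uses, so for a real sample the `ror13_hash` function is the piece to swap out once the routine has been identified in the disassembly. The export list and the "shellcode" blob are constructed samples.

```python
import struct


def ror13_hash(name: str) -> int:
    """32-bit ROR13 additive hash over the ASCII export name. Assumed here
    because it is common in shellcode loaders; not confirmed for this campaign."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed subset of kernel32 exports. Against a real sample, take the full
# export tables of the DLLs the loader walks (pefile makes that a few lines).
KNOWN_EXPORTS = [
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "WriteProcessMemory", "Sleep",
]


def build_table(names) -> dict[int, str]:
    """Precompute hash -> export name so lookups are O(1) per candidate dword."""
    return {ror13_hash(n): n for n in names}


def scan_blob(blob: bytes, table: dict[int, str], step: int = 1) -> list[tuple[int, str]]:
    """Slide over the blob reading little-endian dwords and report every value
    that matches a hashed export name. A loader that passes hashes as
    immediates (push imm32, mov reg, imm32) leaves them in the bytes verbatim."""
    hits = []
    for off in range(0, len(blob) - 3, step):
        (val,) = struct.unpack_from("<I", blob, off)
        name = table.get(val)
        if name:
            hits.append((off, name))
    return hits


# Constructed stand-in for decrypted shellcode: filler bytes around three
# hashes embedded as x86 `push imm32` operands (opcode 0x68 followed by the dword).
# The third hash deliberately matches nothing in the table.
SAMPLE_SHELLCODE = (
    b"\x90" * 4
    + b"\x68" + struct.pack("<I", ror13_hash("VirtualAlloc"))
    + b"\x68" + struct.pack("<I", ror13_hash("CreateThread"))
    + b"\x68" + struct.pack("<I", 0xDEADBEEF)
    + b"\xC3"
)


def resolve_sample() -> list[tuple[int, str]]:
    return scan_blob(SAMPLE_SHELLCODE, build_table(KNOWN_EXPORTS))


if __name__ == "__main__":
    for offset, name in resolve_sample():
        print(f"offset {offset:#06x}: {name}")
```

Scanning at every byte offset rather than only at 4-byte alignment matters: immediates inside instructions are not aligned, as the `push` operands at offsets 5 and 10 in the sample show. A hash that resolves to nothing, like the third one, usually means either a different DLL's export table is needed or the hash routine was identified wrongly.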
In its final stage, the malware establishes communication with a command-and-control (C2) server and retrieves the ValleyRAT payload from it. The payload travels obfuscated with a custom XOR-based scheme, and because it is fetched at runtime rather than bundled in the installer, the operators can update or swap modules depending on their objectives without touching the infection chain already on the victim's machine.
This modular architecture provides flexibility, enabling threat actors to deploy additional tools or adjust capabilities without modifying the initial infection chain.
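When a C2 download is XOR-obfuscated, the analyst holding a capture usually does not have the key but does know what the plaintext must look like: a PE file starts with `MZ` and, for typical linkers, carries the string "This program cannot be run in DOS mode." at offset 0x4E. That known plaintext is enough to recover a repeating key, and a consistency check on the PE signature picks out the right key length. The code below is an added example for this page, not the campaign's scheme or K7 Labs' code; the article only says the encryption is XOR-based, so a repeating key and a standard DOS stub are assumptions, and the payload, key and "captured" bytes are all constructed.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode."
DOS_STUB_OFFSET = 0x4E   # where typical linkers place the stub text after the 0x40-byte MZ header


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, key_len: int, known: bytes, known_off: int) -> bytes:
    """Recover a repeating key of key_len bytes from a known-plaintext run.
    The run must be at least key_len bytes so every key position is covered."""
    if len(known) < key_len:
        raise ValueError("known plaintext shorter than key")
    if known_off + len(known) > len(cipher):
        raise ValueError("known plaintext lies beyond the end of the capture")
    key = bytearray(key_len)
    for i, p in enumerate(known):
        pos = known_off + i
        key[pos % key_len] = cipher[pos] ^ p
    return bytes(key)


def recover_pe(cipher: bytes, max_key_len: int = 32):
    """Try ascending key lengths; accept the first whose key yields both the MZ
    magic and a valid PE signature at e_lfanew. Returns (key, plaintext) or
    (None, None) if no length fits, e.g. because the scheme is not a plain
    repeating-key XOR."""
    for klen in range(1, max_key_len + 1):
        key = recover_key(cipher, klen, DOS_STUB, DOS_STUB_OFFSET)
        plain = xor_bytes(cipher, key)
        if plain[:2] != b"MZ":
            continue
        (e_lfanew,) = struct.unpack_from("<I", plain, 0x3C)
        if e_lfanew + 4 <= len(plain) and plain[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return key, plain
    return None, None


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, 14-byte DOS stub code,
    stub text at 0x4E, PE signature at e_lfanew = 0x80. Not a loadable binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub_code = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    body = bytes(hdr) + stub_code + DOS_STUB + b"\r\r\n$"
    return body.ljust(0x80, b"\0") + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58


# Constructed key with distinct bytes; in practice the analyst never sees it.
KEY = b"\x5a\x13\xc7\x88\x2e\x91\x04"
SAMPLE_PAYLOAD = build_fake_pe()
CAPTURED = xor_bytes(SAMPLE_PAYLOAD, KEY)   # what the C2 response would look like on the wire


if __name__ == "__main__":
    key, plain = recover_pe(CAPTURED)
    print("recovered key:", key.hex() if key else None)
    print("plaintext starts with:", plain[:2] if plain else None)
```

The ascending search stops at the true length because every multiple of it also passes the check; a scheme with a rolling or position-dependent key will fail the check at every length, which is itself a useful signal that the decryption routine has to be lifted from the loader instead.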
Once deployed, ValleyRAT provides attackers with persistent access and surveillance capabilities. One of its primary functions includes clipboard monitoring, allowing it to intercept sensitive data such as login credentials and cryptocurrency wallet addresses.
This capability makes the malware particularly dangerous in financial and enterprise environments, where clipboard data often contains high-value information.
Indicators of Compromise (IOCs)
The following indicators have been associated with the campaign:
- File name: 98653.2.87.teamsx.zip
  MD5: 709604CE58E3F8255587AC9253DB6994
  Detection: Trojan (006ddd9e1)
- File name: Utility.dll
  MD5: 18F3E85D7237E3CAC0AD13BDCF513F0F
  Detection: Trojan (006ddd9e1)
- File name: User.dat
  MD5: 8F9DE887E9AED9D580F386BA2D191319
  Detection: Trojan (0001140e1)
- Domain: teams-securecall[.]com
Note: Domains and IP addresses have been defanged (e.g., [.]) to prevent accidental interaction. Re-fanging should only be performed within controlled environments such as MISP, VirusTotal, or SIEM platforms.
The presence of Chinese-language artifacts, combined with specific registry manipulation patterns and operational tactics, strongly suggests involvement of the SilverFox APT group. The campaign reflects a broader trend of leveraging trusted software brands and clean execution chains to bypass modern security controls.