Fake Huorong Site Deploys ValleyRAT Backdoor In Targeted Malware Attack

A new cyberattack campaign is using a convincing imitation of the popular Huorong Security antivirus site to deploy ValleyRAT, a powerful Remote Access Trojan (RAT), onto victims’ systems.

The attackers, attributed to the Silver Fox APT group, use a typosquatted domain (huoronga[.]com) to trick users into downloading the malicious payload, which is presented as a security update.

The attack exploits a widely trusted Chinese security software brand, and it shows how a lure that promises protection can deceive users who are otherwise careful about what they install.

Exploiting Trust With Typosquatting and Malicious Installers

Huorong Security (火绒) is a widely used free antivirus program in China, and the attackers have built a fake site that closely resembles the legitimate huorong.cn.

The near-identical domain differs only by an extra "a" (huoronga[.]com), so it catches users who mistyped the URL as well as those who followed a phishing link.
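A single extra letter is exactly what a look-alike domain check is meant to catch. The following is an added example (not code from the article or from Malwarebytes): it scores hostnames from a proxy or DNS log against the brand label "huorong" using edit distance and substring containment. The suffix list, the log sample and the threshold are assumptions for illustration; a real deployment would use the full Public Suffix List.

```python
"""Flag look-alike domains for a protected brand (added example, not from the article).

Assumptions (not from the source): hostnames come from a proxy/DNS log, and the
registrable label is the label left of the public suffix, taken from a small
hard-coded suffix list instead of the full Public Suffix List.
"""
from __future__ import annotations

# Constructed suffix list for the example; use the Public Suffix List in practice.
KNOWN_SUFFIXES = ("com.cn", "cn", "com", "net", "org")

# The only legitimate download source named in the article.
LEGITIMATE = {"huorong.cn"}
BRAND_LABEL = "huorong"


def registrable_label(hostname: str) -> str:
    """Return the label immediately left of the public suffix, lower-cased."""
    host = hostname.lower().strip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if host == suffix:
            return ""
        if host.endswith("." + suffix):
            rest = host[: -len(suffix) - 1]
            return rest.rsplit(".", 1)[-1]
    # Unknown suffix: fall back to the last label as a best effort.
    return host.rsplit(".", 1)[-1] if "." in host else host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute all cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(hostname: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'typosquat', 'brand-in-label' or 'unrelated'."""
    host = hostname.lower().strip(".")
    if any(host == legit or host.endswith("." + legit) for legit in LEGITIMATE):
        return "legitimate"
    label = registrable_label(host)
    # huorong.com, huoronga.com, huorongg.cn ... all land within the threshold.
    if label and levenshtein(label, BRAND_LABEL) <= max_distance:
        return "typosquat"
    if BRAND_LABEL in label:
        return "brand-in-label"
    return "unrelated"


def suspicious(hostnames) -> list[tuple[str, str]]:
    """Filter a log to the hostnames worth a second look."""
    return [(h, c) for h in hostnames if (c := classify(h)) in ("typosquat", "brand-in-label")]


# Constructed sample log; only huoronga.com comes from the article.
SAMPLE_LOG = ["www.huorong.cn", "huoronga.com", "huorong-download.net", "example.com"]

if __name__ == "__main__":
    for host, verdict in suspicious(SAMPLE_LOG):
        print(f"{host}: {verdict}")
```

The threshold of two edits is a trade-off: it catches single-character insertions like the one in this campaign and common swaps, but short brand labels need a lower threshold or the rule will fire on unrelated domains.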

The fake website is designed to appear as a trusted source, offering users a downloadable version of Huorong Security.

Once the user clicks the download button, the request is routed through an intermediary domain before ultimately reaching the malicious payload hosted on a Cloudflare R2 server, further obscuring the attack’s origin.

Fake Huorong Security site (Source: malwarebytes)

The file is named BR火绒445[.]zip, maintaining the illusion that it is a legitimate Huorong installer. Inside the ZIP archive, a trojanized NSIS installer is used to deploy the backdoor.

NSIS (Nullsoft Scriptable Install System) is a legitimate open-source installer framework; attackers favour it because a malicious NSIS package looks like any other standard installer and can run arbitrary extraction and execution steps without raising suspicion.

Upon execution, the trojan drops a desktop shortcut (火绒.lnk), reinforcing the illusion that the antivirus has been successfully installed.

Simultaneously, it extracts several files to the user’s Temp directory, including decoy components like FFmpeg DLLs and fake .NET repair tools.

Among them, however, are the malicious components: WavesSvc64.exe (the main loader) and DuiLib_u.dll, a malicious DLL that carries the name of the DirectUI library the loader expects, so that it is picked up through DLL sideloading.

Another fake Huorong Security site (Source: malwarebytes)

Advanced Evasion Techniques and Persistence

To avoid detection, the malware uses DLL sideloading: a legitimately named executable loads a malicious DLL placed in its own directory, because Windows searches the application directory before the system directories when resolving a DLL that is not a KnownDLL.

WavesSvc64.exe, presenting itself as a legitimate audio service process, loads the malicious DuiLib_u.dll sitting next to it. The DLL reads encrypted shellcode from box.ini, decrypts it, and executes it directly in memory, so the payload itself never touches disk in decrypted form.

The malware also tampers with defenses. It adds Windows Defender exclusions so that its files and processes are no longer scanned. Exclusions do not switch Defender off, but for the covered paths the effect is the same, and a new exclusion outside of normal software deployment is a strong signal in its own right.

For persistence, it creates a scheduled task called Batteries (Batteries.job) that relaunches the loader on each system boot, re-establishing the infection.

Further analysis reveals that ValleyRAT has sophisticated capabilities, including keylogging, credential theft, and system reconnaissance.

It also uses process injection to hide its activity and evade detection. It communicates with its Command and Control (C2) server at 161.248.87.250 over TCP port 443, using a custom binary protocol so that the connection blends in with normal HTTPS traffic at a glance. Because the protocol is not TLS, a sensor that expects a TLS handshake on port 443 can flag these sessions, which is a useful check in addition to matching the IP address.

To defend against this campaign, verify the legitimacy of download sources. Download Huorong Security only from huorong.cn, and monitor endpoints for the behaviour described above: new Windows Defender exclusions, suspicious scheduled tasks, and DLLs being loaded from user-writable directories such as Temp.

Block outbound connections to the known C2 address 161.248.87.250, and deploy intrusion detection to flag traffic on port 443 that does not look like TLS.
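The defensive checks above map directly onto host telemetry. The following is an added example, not code from the article or from Malwarebytes: a small set of hunt rules run over constructed, Sysmon-style event records. The event schema and the sample records are assumptions made for illustration; only the indicator values (WavesSvc64.exe, DuiLib_u.dll, the Batteries task and 161.248.87.250:443) come from the article. Besides the exact indicators, the rules also carry the generic form of each behaviour (a DLL loaded from the executable's own untrusted directory, a Defender exclusion write, a task that runs a binary outside trusted roots, port 443 from an untrusted binary), which is what catches the next variant.

```python
"""Hunt rules for the ValleyRAT chain described in the article (added example).

The events below are constructed, Sysmon-style records, not real telemetry, and
the field names are assumptions. Only the indicator values come from the article.
"""
from __future__ import annotations
import ntpath

C2_ADDRESSES = {"161.248.87.250"}
SIDELOAD_PAIRS = {("wavessvc64.exe", "duilib_u.dll")}
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
DEFENDER_EXCLUSIONS = "hklm\\software\\microsoft\\windows defender\\exclusions\\"


def _is_trusted_path(path: str) -> bool:
    """Binaries under Windows or Program Files are treated as trusted locations."""
    return path.lower().startswith(TRUSTED_ROOTS)


def _same_dir(a: str, b: str) -> bool:
    return ntpath.dirname(a.lower()) == ntpath.dirname(b.lower())


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: list[str] = []
    kind = ev["type"]
    if kind == "image_load":
        exe, dll = ev["image"], ev["loaded"]
        pair = (ntpath.basename(exe).lower(), ntpath.basename(dll).lower())
        if pair in SIDELOAD_PAIRS:
            hits.append("ioc:known-sideload-pair")
        # Generic sideload shape: DLL resolved from the EXE's own directory, outside trusted roots.
        if _same_dir(exe, dll) and not _is_trusted_path(exe):
            hits.append("sideload:dll-from-untrusted-exe-dir")
    elif kind == "registry_set":
        if ev["key"].lower().startswith(DEFENDER_EXCLUSIONS):
            hits.append("defense-evasion:defender-exclusion-added")
    elif kind == "task_created":
        if ev["task"].lower() == "batteries":
            hits.append("ioc:batteries-task")
        if not _is_trusted_path(ev["action"]):
            hits.append("persistence:task-runs-untrusted-binary")
    elif kind == "network_connect":
        if ev["dst_ip"] in C2_ADDRESSES:
            hits.append("ioc:valleyrat-c2")
        if ev["dst_port"] == 443 and not _is_trusted_path(ev["image"]):
            hits.append("c2:port-443-from-untrusted-binary")
    return hits


def hunt(events) -> list[tuple[str, str]]:
    """Run every rule over every event and collect (event type, rule) pairs."""
    return [(ev["type"], hit) for ev in events for hit in check_event(ev)]


# Constructed sample telemetry; paths and the benign control events are assumptions.
TEMP = "C:\\Users\\victim\\AppData\\Local\\Temp"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    {"type": "image_load", "image": f"{TEMP}\\WavesSvc64.exe", "loaded": f"{TEMP}\\DuiLib_u.dll"},
    {"type": "registry_set",
     "key": f"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\{TEMP}"},
    {"type": "task_created", "task": "Batteries", "action": f"{TEMP}\\WavesSvc64.exe"},
    {"type": "network_connect", "image": f"{TEMP}\\WavesSvc64.exe",
     "dst_ip": "161.248.87.250", "dst_port": 443},
    # Benign controls: a browser loading a system DLL and talking to an unrelated host.
    {"type": "image_load", "image": CHROME, "loaded": "C:\\Windows\\System32\\ntdll.dll"},
    {"type": "network_connect", "image": CHROME, "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for event_type, rule in hunt(SAMPLE_EVENTS):
        print(f"{event_type:16} {rule}")
```

On a real estate the same four checks correspond to Sysmon Event ID 7 (image load), Event ID 13 (registry value set), Security Event ID 4698 (scheduled task created) and Sysmon Event ID 3 (network connection); the rule bodies stay the same, only the field extraction changes.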

CVE ID: N/A
CVSS Score: N/A
Description: No specific CVE; the attack relies on social engineering and DLL sideloading.

According to Malwarebytes, this attack highlights the ongoing risk of typosquatting and social engineering. Users should be especially cautious when downloading software that promises security, because attackers exploit precisely that trust to deploy sophisticated malware.


The post Fake Huorong Site Deploys ValleyRAT Backdoor In Targeted Malware Attack appeared first on Cyber Security News.
