Silver Fox Campaign - ValleyRAT Hidden in Telegram Installer

Significant risk — action recommended within 24-48 hours
In short, a new malware campaign hides a remote access trojan inside a fake Telegram installer to steal information from users.
A new malware campaign by the Silver Fox APT group is delivering ValleyRAT through a fake Telegram installer. This poses serious risks to users who may unknowingly install it. Stay vigilant and only download software from trusted sources.
How It Works
The Silver Fox APT group has launched a new malware campaign that disguises a powerful remote access trojan (RAT) known as ValleyRAT as a Telegram Chinese language pack installer. The installer is a malicious MSI file that appears harmless to users; when executed, it starts a six-stage infection chain designed to evade detection by popular antivirus software.
Who's Being Targeted
This campaign primarily targets Chinese-speaking users who might download what they believe to be a legitimate language pack for Telegram. The attackers exploit the trust users have in widely used applications to deliver their malware.
Signs of Infection
Once the MSI installer is run, it triggers a VBScript custom action that executes with full SYSTEM privileges. This script deploys a legitimate archival tool, which is then used to unpack the malware payload. Users should be cautious of any unexpected behavior following the installation of language packs or configuration files from unofficial sources.
How to Protect Yourself
To safeguard against this threat, security teams should:
- Block the command-and-control server 118.107.43.65 at the network perimeter.
- Monitor for suspicious MSI installations that execute VBScript custom actions.
- Flag any execution of zpaqfranz outside of developer environments as a high-priority event.
- Educate users about the risks of downloading software from unofficial channels.
Conclusion
The Silver Fox campaign highlights the evolving tactics of cybercriminals. By disguising malware as legitimate software, they exploit user trust to gain access to sensitive systems. Awareness and proactive security measures are essential to mitigate the risks posed by such sophisticated attacks.
🔍 How to Check If You're Affected
1. Check for unexpected installations of MSI files from untrusted sources.
2. Monitor for execution of zpaqfranz outside of developer environments.
3. Alert on VBScript custom actions that trigger PowerShell executions.
4. Block network traffic to known command-and-control servers.
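The detection guidance above and in "How to Protect Yourself" turned into working triage logic, as an added example that is not part of the advisory: it runs over constructed Sysmon-style process-creation and network-connection events and labels the behaviours the advisory calls out (msiexec.exe spawning a script host or shell, a script host handing off to PowerShell, zpaqfranz running outside a developer path, and a connection to the listed C2 address). The field names, the sample events and the "developer path" heuristic are assumptions made for the example.

```python
# Added example, not the advisory's own code. Events mirror Sysmon Event ID 1
# (process create: image, parent_image) and Event ID 3 (network connect: dest_ip)
# but the records below are constructed sample data, not real telemetry.
from typing import Dict, List

C2_IP = "118.107.43.65"                      # C2 address quoted in the advisory
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DEV_PATH_HINTS = ("\\dev\\", "\\src\\", "\\build\\")   # assumption: where zpaqfranz is expected


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, object]) -> List[str]:
    """Return the finding labels for one event (empty list if nothing matched)."""
    findings: List[str] = []
    if ev["event_id"] == 3 and ev.get("dest_ip") == C2_IP:
        findings.append("C2_CONTACT")
    if ev["event_id"] != 1:
        return findings
    image, parent = basename(str(ev["image"])), basename(str(ev["parent_image"]))
    # A VBScript custom action runs in-process inside msiexec.exe, so anything the
    # script launches has msiexec.exe as its parent (check item 1 / the MSI rule).
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS | SHELLS:
        findings.append("MSI_SCRIPT_CUSTOM_ACTION")
    # Script host handing off to PowerShell (check item 3).
    if parent in SCRIPT_HOSTS and image in SHELLS:
        findings.append("VBSCRIPT_TO_POWERSHELL")
    # zpaqfranz is a legitimate archiver; outside a developer path it is high priority (check item 2).
    if image == "zpaqfranz.exe" and not any(h in str(ev["image"]).lower() for h in DEV_PATH_HINTS):
        findings.append("ZPAQFRANZ_OUTSIDE_DEV")
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"event_id": 1, "image": r"C:\Users\Public\zpaqfranz.exe", "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"event_id": 1, "image": r"C:\dev\tools\zpaqfranz.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "image": PS, "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"event_id": 3, "image": PS, "dest_ip": "118.107.43.65"},
]


def scan(events: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map event index -> findings, keeping only events that produced at least one."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, labels)
```

Event 2 (zpaqfranz under a developer path) is deliberately left unflagged to show the exception the advisory makes for developer environments.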
🗺️ MITRE ATT&CK Techniques
🔒 Pro insight: The six-stage infection chain demonstrates advanced evasion techniques, indicating a significant threat level from the Silver Fox group.