Technical Analysis: Sophisticated ValleyRAT Campaign Leverages DLL Sideloading via Fake Microsoft Teams Portals

Cybersecurity researchers have identified an active and highly organized campaign distributing a new variant of the ValleyRAT malware. This operation utilizes advanced social engineering via fraudulent Microsoft Teams download landing pages, employing a multi-stage execution chain designed to bypass modern EDR (Endpoint Detection and Response) solutions.

First documented in mid-April, the threat actors are operating through deceptive domains, specifically teams-securecall[.]com and teamszs[.]com. These sites are pixel-perfect replicas of official Microsoft download portals, intended to lower the victim’s guard. Instead of the legitimate installer, users are prompted to download trojanized ZIP archives with deceptive naming conventions, such as:

  • 98653.2.87.teamsx.zip
  • 571.0.2.6.8.97teamsxb.zip
  • 521.0.3.6.987teamsx.zip

Upon extraction and execution, the victim triggers an NSIS-based installer. To maintain the illusion of a legitimate software installation, the installer actually downloads and installs a genuine version of Microsoft Teams, creating a desktop shortcut to mask the concurrent malicious background processes.

Analysis of fake Microsoft Teams site
Figure 1: Analysis of the fraudulent Microsoft Teams landing page (Source: K7 Security Labs).

According to a technical report by K7 Security Labs, the infection chain pivots on a DLL Sideloading technique. The malware drops a legitimate, digitally signed executable named GameBox.exe (originally developed by Tencent). By placing a malicious payload—specifically utility.dll—in the same directory as this trusted binary, the attackers trick the operating system into loading the malicious library under the process tree of a legitimate application.

Evasion and Persistence Mechanisms

The malware exhibits several sophisticated defensive evasion techniques to neutralize local security software. It utilizes PowerShell commands to programmatically modify Windows Defender configurations, adding its working directory to the exclusion list. To further hide its footprint, it moves its core components into the ProgramData directory and applies the SetFileAttributes API to mark its files as hidden.

Malware Killchain Analysis
Figure 2: The multi-stage infection killchain (Source: K7 Security Labs).

Persistence is established through the creation of a system service named _CCGDAT, which is configured to launch automatically upon system boot. The telemetry and registry artifacts observed during this process, alongside specific Chinese-language strings, suggest a high probability of attribution to the SilverFox APT group.

The malware’s execution logic is heavily focused on fileless techniques. It decrypts an AES-encrypted payload (user.dat) directly in memory using Windows cryptographic APIs. This decrypted shellcode is then injected into a new thread via CreateThread, ensuring that the most critical components of the malware never touch the physical disk in an unencrypted state.

Memory decryption via BcryptDecrypt
Figure 3: Execution flow involving the BcryptDecrypt API (Source: K7 Security Labs).

To frustrate static analysis and reverse engineering, the second and third stages of the malware utilize API Hashing. This prevents security analysts from easily identifying which Windows API functions are being called by looking at the Import Address Table (IAT). Finally, any payloads retrieved from the Command-and-Control (C2) server are obfuscated with a custom XOR routine, allowing attackers to swap malicious functionality dynamically without changing the core malware structure.

Post-Exploitation and Data Exfiltration

Once the ValleyRAT agent is fully resident in memory, it begins its primary mission: surveillance and data theft. Its capabilities include:

  • Clipboard Hijacking: Utilizing the GetClipboardData API to intercept sensitive information, including login credentials, passwords, and cryptocurrency wallet addresses.
  • Keystroke Logging: Recording user input to capture real-time activity.
  • C2 Communication: Maintaining a persistent TCP connection to the attacker’s infrastructure for command execution and data exfiltration.

Clipboard data interception
Figure 4: Demonstration of clipboard data interception (Source: K7 Security Labs).

This campaign serves as a critical reminder of the evolving threat landscape, where legitimate software is increasingly weaponized through sideloading and memory-only execution. Organizations should prioritize verifying software origins and monitoring for unusual PowerShell activity or unauthorized service creations.

Indicators of Compromise (IOCs)

File Name SHA-256 Hash Detection Name
98653.2.87.teamsx.zip 709604CE58E3F8255587AC9253DB6994 Trojan (006ddd9e1)
Utility.dll 18F3E85D7237E3CAC0AD13BDCF513F0F Trojan (006ddd9e1)
User.dat 8F9DE887E9AED9D580F386BA2D191319 Trojan (0001140e1)

Note: Domains and IP addresses have been defanged (e.g., [.]) to prevent accidental execution. Please re-fang these indicators only within a sandboxed environment or dedicated threat intelligence platform.

oFsdHT b wxjJ hSWh MoJE Om

Related Articles

Back to top button