A China-based ransomware group, Silver Fox, that has primarily targeted individuals in China, Taiwan, and Hong Kong, has expanded its attacks beyond those regions and now targets organizations across multiple industry sectors. Silver Fox uses ransomware in its attacks and is focused on file encryption, demanding payment for the keys needed to decrypt files. While the group does engage in double extortion tactics, stealing data and threatening to leak it if the ransom is not paid, data theft is limited, and highly sensitive data is not generally stolen.
Many ransomware groups breach networks and spend time moving laterally to infect the maximum number of devices possible and also spend time locating sensitive data to exfiltrate. It is often the data theft and threat of publication that is the main driver behind ransom payments, so much so that some ransomware groups have abandoned the file encryption element of their attacks. In contrast, Silver Fox is focused on quick attacks, often breaching networks and encrypting files on the same day. The group even abandons attacks if lateral movement is not possible or if strengthened security is encountered.
Silver Fox primarily gains initial access to victims’ networks by deploying a remote access Trojan called ValleyRAT. ValleyRAT was first identified in 2023 and is believed to have been developed by Silver Fox to give the group remote access to compromised networks. The group has extensively targeted individuals in accounting, finance, and sales, since those employees are likely to have access to sensitive data that can be quickly and easily stolen.
ValleyRAT is delivered by multiple means, indicating Silver Fox is trying to infect as many users as possible. One of the main methods used for distribution is fake installers for popular software. For instance, the group has been observed using fake installers for EmEditor (a Windows text editor), DICOM software (for viewing medical images), and system drivers and utilities. The group has also been observed using a spoofed website offering the Google Chrome browser, which prompts the user to download a ZIP file containing a Setup.exe file, which installs ValleyRAT.
The methods used to drive traffic to these fake downloads are unclear, although traffic to the fake Google Chrome download site is thought to be generated through malvertising and SEO poisoning. With malvertising, malicious adverts are displayed for key search terms related to Chrome and web browsers and redirect users to the malicious download site. With SEO poisoning, black hat SEO techniques are used to get the malicious web pages to appear in the search engine listings for those key search terms. If the user is tricked into executing the fake installer, they will be infected with ValleyRAT and a ransomware attack will rapidly follow.
Since the group is focused on rapid attacks involving minimal effort, the best defense is to strengthen baseline security and make lateral movement difficult through network segmentation. To prevent ValleyRAT downloads, web security needs to be improved to block attempts by users to visit the malicious websites. A web filter is an ideal tool for blocking access, including redirects through malvertising and SEO poisoning. A web filter such as WebTitan can also be configured to block downloads of certain files from the Internet and restrict access to websites by category – software download sites for example. Ongoing (and regular) security awareness training is also vital to teach employees about the risk of downloading software from the Internet, raise awareness of phishing, and teach security best practices, adding an important human layer to your security defenses.
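As an added illustration of the file-type and lookalike-site checks described above, the following script scans proxy log lines and flags installer or archive downloads from hosts that use a software brand name but are not that vendor's real download host. This is example code written for this page, not TitanHQ's or WebTitan's; the log format, the vendor host allowlist and the sample log lines are constructed assumptions.

```python
"""Flag proxy-log entries matching the delivery pattern discussed above:
an archive or installer fetched from a host that carries a software brand
name (chrome, emeditor, ...) but is not one of that vendor's real hosts.
Log format, allowlist and sample lines are constructed for this example."""
import re
from urllib.parse import urlsplit

# Hypothetical brand -> legitimate download hosts (assumed, not from the page).
VENDOR_HOSTS = {
    "chrome": {"www.google.com", "dl.google.com"},
    "emeditor": {"www.emeditor.com"},
}
# File types the page describes being used for the fake installers.
RISKY_EXT = re.compile(r"\.(zip|exe|msi)$", re.IGNORECASE)

# Constructed log line format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(url):
    """Return the impersonated brand if the URL is an installer/archive
    download from a lookalike host, otherwise None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not RISKY_EXT.search(parts.path):
        return None
    for brand, real_hosts in VENDOR_HOSTS.items():
        if brand in host and host not in real_hosts:
            return brand
    return None


def scan(lines):
    """Return [(client_ip, url, brand)] for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = m.groups()
        brand = classify(url)
        if brand:
            hits.append((client, url, brand))
    return hits


SAMPLE_LOG = [  # constructed sample, not real traffic
    "2024-05-01T10:00:01Z 10.0.0.5 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200",
    "2024-05-01T10:02:13Z 10.0.0.7 GET https://google-chrome-download.example/Chrome_Setup.zip 200",
    "2024-05-01T10:03:40Z 10.0.0.9 GET https://emeditor-free.example/emed64.exe 200",
    "2024-05-01T10:04:00Z 10.0.0.9 GET https://www.emeditor.com/download/ 200",
]

if __name__ == "__main__":
    for client, url, brand in scan(SAMPLE_LOG):
        print(f"{client} fetched lookalike {brand} installer: {url}")
```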
TitanHQ’s web filter, WebTitan, is easy to implement and use, is automatically updated with the latest threat intelligence, and provides exceptional protection against web-based threats. When coupled with the SafeTitan security awareness training and phishing simulation platform, businesses will be well protected against ValleyRAT malware and other web-delivered malware payloads. Give the TitanHQ team a call to discuss these and other cybersecurity solutions to better protect you against the growing malware threat.