Silver Fox APT Unleashes ValleyRAT with Rare PoolParty Process Injection Technique

A sophisticated malware campaign targeting Chinese-speaking users has revealed a significant evolution in the Silver Fox APT group’s capabilities. According to new research from Cybereason Security Services, the threat actors are deploying fake software installers to deliver ValleyRAT (also known as Winos 4.0) using a rare process injection technique that bypasses most security tools.

A Rare and Dangerous Injection Method

What sets this campaign apart is the implementation of “PoolParty Variant 7” — an obscure process injection technique rarely observed in the wild. Unlike standard malware that relies on well-known injection methods, this approach manipulates Windows I/O Completion Ports to force legitimate processes into executing malicious code.

“The sample we analyzed uses a process-injection technique called PoolParty Variant 7, which is not common,” the researchers noted. The malware duplicates a handle from Explorer.exe and leverages the ZwSetIoCompletion() API to trigger execution, effectively hiding within a trusted system process and evading detection.

Sophisticated Persistence Mechanisms

The attackers have implemented a robust “watchdog” system designed to restart the infection if interrupted. Rather than using simple batch file checks, the malware injects code directly into Explorer.exe and UserAccountBroker.exe — making the persistence mechanism nearly invisible and extremely difficult to remove.

Anti-Security Countermeasures

The malware actively scans for and attempts to disable Chinese security software, particularly products from Qihoo 360. When it detects processes like “360tray.exe” and “ZhuDongFangYu.exe,” it doesn’t just hide — it attacks by severing TCP connections to the security software’s cloud servers, effectively blinding the protective tools.

Attribution and Connections

The evidence points to the Silver Fox APT group, which has been linked to ValleyRAT since its first identification in 2023. Notably, researchers found code similarities with SADBRIDGE — the only other known malware family to employ the PoolParty Variant 7 technique — suggesting shared tools or an evolving arsenal within the group.

Attack Vector

The campaign distributes malware through fake installers for popular applications including:

  • LINE messaging app
  • ToDesk remote desktop
  • AnyDesk remote access software

Defensive Recommendations

Organizations should carefully verify digital signatures on all software installers. A certificate that appears valid but fails verification is a telltale sign of tampering. Security teams should also monitor for unusual API calls related to I/O Completion Ports and suspicious interactions with Explorer.exe.
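The following Python script is an added example (not code from Cybereason, Security Online, or the malware itself) showing what the monitoring recommendation above looks like as detection logic for the behaviour the researchers describe: a handle duplicated out of Explorer.exe followed by a ZwSetIoCompletion() call on that handle. It assumes a JSON-lines API telemetry feed; the event schema, the field names, and the sample lines are constructed, and the API labels other than ZwSetIoCompletion (NtSetIoCompletion, NtDuplicateObject, DuplicateHandle, NtWriteVirtualMemory, WriteProcessMemory) are assumed sensor names to be mapped onto your own EDR or ETW source. It also goes one step beyond the article by flagging cross-process memory writes into the two watchdog hosts the article names, Explorer.exe and UserAccountBroker.exe.

```python
"""Correlate per-process API telemetry to surface the injection pattern the
article describes. Added example, not Cybereason's, Security Online's or the
malware's code; event schema, field names and sample lines are constructed."""
import json
from typing import Dict, List, Tuple

# Legitimate hosts the article names as injection/watchdog targets.
TRUSTED_HOSTS = {"explorer.exe", "useraccountbroker.exe"}
# Handle-duplication calls (assumed sensor labels; map to your feed).
DUP_APIS = {"NtDuplicateObject", "DuplicateHandle"}
# The trigger API the article names, plus its Nt-prefixed alias.
IOCP_APIS = {"ZwSetIoCompletion", "NtSetIoCompletion"}
# Cross-process memory writes (assumed sensor labels) for the watchdog rule.
WRITE_APIS = {"NtWriteVirtualMemory", "WriteProcessMemory"}

# Constructed sample telemetry: one JSON object per line, not real logs.
SAMPLE_EVENTS = r"""
{"ts": 1, "pid": 4120, "image": "LINE_Setup.exe", "api": "NtDuplicateObject", "source_image": "Explorer.exe", "handle": "0x2a8"}
{"ts": 2, "pid": 4120, "image": "LINE_Setup.exe", "api": "ZwSetIoCompletion", "handle": "0x2a8"}
{"ts": 3, "pid": 5000, "image": "backup_agent.exe", "api": "NtDuplicateObject", "source_image": "backup_agent.exe", "handle": "0x1c0"}
{"ts": 4, "pid": 5000, "image": "backup_agent.exe", "api": "ZwSetIoCompletion", "handle": "0x1c0"}
{"ts": 5, "pid": 6100, "image": "notepad.exe", "api": "NtSetIoCompletion", "handle": "0x3f0"}
{"ts": 6, "pid": 4120, "image": "LINE_Setup.exe", "api": "NtWriteVirtualMemory", "target_image": "UserAccountBroker.exe", "handle": "0x2b4"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict]) -> List[Dict]:
    """Return alerts for (a) an I/O completion call on a handle that was
    duplicated out of a trusted host and (b) memory writes into a trusted host.
    A completion call on a handle the process created itself is normal
    (every IOCP-based server does it) and is deliberately not flagged."""
    alerts: List[Dict] = []
    # (pid, handle) -> the duplication event that brought the handle in.
    foreign_handles: Dict[Tuple[int, str], Dict] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        api = ev["api"]
        if api in DUP_APIS and ev.get("source_image", "").lower() in TRUSTED_HOSTS:
            foreign_handles[(ev["pid"], ev["handle"])] = ev
        elif api in IOCP_APIS:
            origin = foreign_handles.get((ev["pid"], ev["handle"]))
            if origin is not None:
                alerts.append({
                    "rule": "iocp_trigger_on_foreign_handle",
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "handle_from": origin["source_image"],
                    "api": api,
                    "ts": ev["ts"],
                })
        elif api in WRITE_APIS and ev.get("target_image", "").lower() in TRUSTED_HOSTS:
            alerts.append({
                "rule": "cross_process_write_into_trusted_host",
                "pid": ev["pid"],
                "image": ev["image"],
                "target": ev["target_image"],
                "api": api,
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the constructed sample, only the fake installer (pid 4120) fires: once for completing on a handle it pulled out of Explorer.exe, and once for writing into UserAccountBroker.exe. The backup agent and notepad events are the benign baseline: completion calls on handles a process owns itself stay silent, which is what keeps the first rule usable on hosts running ordinary IOCP-based services.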

Source: Security Online